diff --git a/.github/workflows/cross.yml b/.github/workflows/cross.yml index 9422daf49..6703d040d 100644 --- a/.github/workflows/cross.yml +++ b/.github/workflows/cross.yml @@ -21,7 +21,7 @@ on: env: CARGO_TERM_COLOR: always - CROSS_FEATURES: --no-default-features --features vendored-openssl,quic,vendored-c-ares,hickory + CROSS_FEATURES: --no-default-features --features vendored-openssl,rustls-ring,quic,vendored-c-ares,hickory CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc CARGO_TARGET_RISCV64GC_UNKNOWN_LINUX_GNU_LINKER: riscv64-linux-gnu-gcc CARGO_TARGET_POWERPC64LE_UNKNOWN_LINUX_GNU_LINKER: powerpc64le-linux-gnu-gcc diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 73c388e66..7d544f5e8 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -69,7 +69,42 @@ jobs: - name: Cargo clippy run: cargo clippy --tests -- --deny warnings - build-vendored: + build-vendored-g1: + name: Build vendored + runs-on: ubuntu-latest + strategy: + matrix: + feature: + - vendored-openssl,rustls-ring + - vendored-tongsuo,rustls-ring + - vendored-aws-lc,rustls-aws-lc + - vendored-boringssl,rustls-ring + component: + - g3proxy + - g3bench + - g3tiles + include: + - feature: vendored-c-ares,rustls-ring + component: g3proxy + steps: + - name: Checkout sources + uses: actions/checkout@v4 + with: + submodules: true + - name: Install stable toolchain + uses: dtolnay/rust-toolchain@stable + with: + components: clippy + - name: Install dependencies + run: | + sudo apt-get update + sudo apt-get install capnproto libc-ares-dev libssl-dev liblua5.4-dev + - name: Cargo build + run: cargo build --no-default-features --features ${{ matrix.feature }} -p ${{ matrix.component }} + - name: Cargo clippy + run: cargo clippy --no-default-features --features ${{ matrix.feature }} -p ${{ matrix.component }} -- --deny warnings + + build-vendored-g2: name: Build vendored runs-on: ubuntu-latest strategy: 
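Review bot: The new `build-vendored-g1` job keeps `name: Build vendored`, and `build-vendored-g2` (the renamed old job) has the same `name`, so both jobs appear under one identical label in the checks list and a failing matrix entry cannot be attributed at a glance. Give each job a distinct display name, e.g. `name: Build vendored (g3proxy, g3bench, g3tiles)` for g1 and `name: Build vendored (g3fcgen, g3mkcert, g3keymess)` for g2. The same duplicate name is introduced in macos.yml and windows.yml in this change.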
@@ -80,15 +115,9 @@ jobs: - vendored-aws-lc - vendored-boringssl component: - - g3proxy - - g3bench - - g3tiles - g3fcgen - g3mkcert - g3keymess - include: - - feature: vendored-c-ares - component: g3proxy steps: - name: Checkout sources uses: actions/checkout@v4 @@ -101,7 +130,7 @@ jobs: - name: Install dependencies run: | sudo apt-get update - sudo apt-get install capnproto libc-ares-dev libssl-dev liblua5.4-dev + sudo apt-get install capnproto libssl-dev - name: Cargo build run: cargo build --no-default-features --features ${{ matrix.feature }} -p ${{ matrix.component }} - name: Cargo clippy diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index 130c279e1..ec323114c 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml @@ -44,7 +44,40 @@ jobs: run: cargo clippy --tests -- --deny warnings - name: Cargo test run: cargo test --workspace --exclude g3-journal - build-vendored: + build-vendored-g1: + name: Build vendored + runs-on: macos-latest + strategy: + matrix: + feature: + - vendored-openssl,rustls-ring + - vendored-tongsuo,rustls-ring + - vendored-aws-lc,rustls-aws-lc + - vendored-boringssl,rustls-ring + component: + - g3proxy + - g3bench + - g3tiles + include: + - feature: vendored-c-ares,rustls-ring + component: g3proxy + steps: + - name: Checkout sources + uses: actions/checkout@v4 + with: + submodules: true + - name: Install rust toolchain + uses: dtolnay/rust-toolchain@stable + with: + components: clippy + - name: Install dependencies + run: | + brew install capnp openssl c-ares lua + - name: Cargo build + run: cargo build --no-default-features --features ${{ matrix.feature }} -p ${{ matrix.component }} + - name: Cargo clippy + run: cargo clippy --no-default-features --features ${{ matrix.feature }} -p ${{ matrix.component }} -- --deny warnings + build-vendored-g2: name: Build vendored runs-on: macos-latest strategy: 
@@ -55,15 +88,9 @@ jobs: - vendored-aws-lc - vendored-boringssl component: - - g3proxy - - g3bench - - g3tiles - g3fcgen - g3mkcert - g3keymess - include: - - feature: vendored-c-ares - component: g3proxy steps: - name: Checkout sources uses: actions/checkout@v4 @@ -75,7 +102,7 @@ jobs: components: clippy - name: Install dependencies run: | - brew install capnp openssl c-ares lua + brew install capnp openssl - name: Cargo build run: cargo build --no-default-features --features ${{ matrix.feature }} -p ${{ matrix.component }} - name: Cargo clippy diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml index 6edf6b9dc..d55c0d2e5 100644 --- a/.github/workflows/static.yml +++ b/.github/workflows/static.yml @@ -30,8 +30,8 @@ jobs: strategy: matrix: feature: - - vendored-openssl - - vendored-tongsuo + - vendored-openssl,rustls-ring + - vendored-tongsuo,rustls-ring # - vendored-aws-lc # - vendored-boringssl steps: @@ -55,18 +55,18 @@ jobs: strategy: matrix: feature: - - vendored-openssl - - vendored-tongsuo - - vendored-aws-lc - - vendored-boringssl + - vendored-openssl,rustls-ring + - vendored-tongsuo,rustls-ring + - vendored-aws-lc,rustls-aws-lc + - vendored-boringssl,rustls-ring steps: - name: Install common tools run: choco install capnproto - name: Install nasm and ninja for BoringSSL - if: matrix.feature == 'vendored-boringssl' + if: contains(matrix.feature, 'vendored-boringssl') run: choco install nasm ninja - name: Install nasm for AWS-LC - if: matrix.feature == 'vendored-aws-lc' + if: contains(matrix.feature, 'vendored-aws-lc') uses: ilammy/setup-nasm@v1 - name: Checkout sources uses: actions/checkout@v4 diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index d662b05a5..12b484c84 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml 
@@ -22,7 +22,7 @@ on: env: CARGO_TERM_COLOR: always VCPKG_ROOT: C:\vcpkg - WIN_FEATURES: quic,vendored-c-ares,hickory + WIN_FEATURES: rustls-ring,quic,vendored-c-ares,hickory jobs: build: @@ -48,7 +48,43 @@ jobs: - name: Cargo test run: cargo test --no-default-features --features $env:WIN_FEATURES --workspace --exclude g3-journal - build-vendored: + build-vendored-g1: + name: Build vendored + runs-on: windows-latest + strategy: + matrix: + feature: + - vendored-openssl,rustls-ring + - vendored-tongsuo,rustls-ring + - vendored-aws-lc,rustls-aws-lc + - vendored-boringssl,rustls-ring + component: + - g3proxy + - g3bench + - g3tiles + steps: + - name: Install common tools + run: choco install capnproto + - name: Install nasm and ninja for BoringSSL + if: contains(matrix.feature, 'vendored-boringssl') + run: choco install nasm ninja + - name: Install nasm for AWS-LC + if: contains(matrix.feature, 'vendored-aws-lc') + uses: ilammy/setup-nasm@v1 + - name: Checkout sources + uses: actions/checkout@v4 + with: + submodules: true + - name: Install rust toolchain + uses: dtolnay/rust-toolchain@stable + with: + components: clippy + - name: Cargo build + run: cargo build --no-default-features --features ${{ matrix.feature }} -p ${{ matrix.component }} + - name: Cargo clippy + run: cargo clippy --no-default-features --features ${{ matrix.feature }} -p ${{ matrix.component }} -- --deny warnings + + build-vendored-g2: name: Build vendored runs-on: windows-latest strategy: @@ -59,9 +95,6 @@ jobs: - vendored-aws-lc - vendored-boringssl component: - - g3proxy - - g3bench - - g3tiles - g3fcgen - g3mkcert - g3keymess 
@@ -69,10 +102,10 @@ jobs: - name: Install common tools run: choco install capnproto - name: Install nasm and ninja for BoringSSL - if: matrix.feature == 'vendored-boringssl' + if: contains(matrix.feature, 'vendored-boringssl') run: choco install nasm ninja - name: Install nasm for AWS-LC - if: matrix.feature == 'vendored-aws-lc' + if: contains(matrix.feature, 'vendored-aws-lc') uses: ilammy/setup-nasm@v1 - name: Checkout sources uses: actions/checkout@v4 diff --git a/Cargo.lock b/Cargo.lock index e4627e83c..c87b33ff9 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1400,7 +1400,6 @@ dependencies = [ "g3-types", "ip_network", "rmpv", - "rustls", "rustls-pki-types", "uuid", "variant-ssl", @@ -3081,9 +3080,9 @@ dependencies = [ [[package]] name = "quinn" -version = "0.11.5" +version = "0.11.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8c7c5fdde3cdae7203427dc4f0a68fe0ed09833edc525a03456b153b79828684" +checksum = "62e96808277ec6f97351a2380e6c25114bc9e67037775464979f3037c92d05ef" dependencies = [ "bytes", "futures-io", @@ -3093,26 +3092,30 @@ dependencies = [ "rustc-hash 2.0.0", "rustls", "socket2", - "thiserror 1.0.69", + "thiserror 2.0.3", "tokio", "tracing", ] [[package]] name = "quinn-proto" -version = "0.11.8" +version = "0.11.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fadfaed2cd7f389d0161bb73eeb07b7b78f8691047a6f3e73caaeae55310a4a6" +checksum = "a2fe5ef3495d7d2e377ff17b1a8ce2ee2ec2a18cde8b6ad6619d65d0701c135d" dependencies = [ + "aws-lc-rs", "bytes", + "getrandom", "rand", "ring", "rustc-hash 2.0.0", "rustls", + "rustls-pki-types", "slab", - "thiserror 1.0.69", + "thiserror 2.0.3", "tinyvec", "tracing", + "web-time", ] [[package]] 
@@ -3368,6 +3371,9 @@ name = "rustls-pki-types" version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "16f1201b3c9a7ee8039bcadc17b7e605e2945b27eee7631788c1bd2b0643674b" +dependencies = [ + "web-time", +] [[package]] name = "rustls-webpki" diff --git a/Cargo.toml b/Cargo.toml index 6cc5d5416..609063149 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -150,8 +150,8 @@ async-recursion = "1.1" pin-project-lite = "0.2" # rustls-pki-types = { version = "1", default-features = false } -rustls = { version = "0.23.15", default-features = false, features = ["std", "tls12", "ring", "brotli"] } -tokio-rustls = { version = "0.26", default-features = false, features = ["tls12", "ring"] } +rustls = { version = "0.23.15", default-features = false, features = ["std", "tls12", "brotli"] } +tokio-rustls = { version = "0.26", default-features = false, features = ["tls12"] } quinn = { version = "0.11", default-features = false, features = ["runtime-tokio"] } quinn-udp = { version = "0.5.6", default-features = false, features = ["fast-apple-datapath"] } # diff --git a/doc/openssl-variants.md b/doc/openssl-variants.md index b63f34340..ed642335c 100644 --- a/doc/openssl-variants.md +++ b/doc/openssl-variants.md @@ -22,10 +22,6 @@ then you need to use Tongsuo. Use `--features vendored-tongsuo` cargo build option. -### Package - -Switch to branch `rel/tlcp-tongsuo`, then run the build script or create the release tarball as usual. - # BoringSSL See [BoringSSL](https://boringssl.googlesource.com/boringssl/) for more introduction. 
@@ -37,18 +33,12 @@ As an alternative, you can switch to use BoringSSl as a solution. ## How -BoringSSL is supported in branch `rel/boringssl`. - ### Build - Make sure you have `cmake`, `pkg-config`installed - Build with `--features vendored-boringssl` cargo option -### Package - -Switch to branch `rel/boringssl`, then run the build script or create the release tarball as usual. - # AWS-LC See [AWS-LC](https://github.com/aws/aws-lc) for more introduction. @@ -60,16 +50,10 @@ As an alternative, you can switch to use AWS-LC as a solution on AWS EC2 hosts. ## How -AWS-LC is supported in branch `rel/aws-lc`. - ### Build - Make sure you have `cmake`, `pkg-config` installed - Install a recent version of [go](https://go.dev/dl/) if you want to do AWS-LC code generation. -- Build with `--features vendored-aws-lc` cargo build option. - -### Package - -Switch to branch `rel/aws-lc`, then run the build script or create the release tarball as usual. +- Build with `--no-default-features --features vendored-aws-lc,rustls-aws-lc,` cargo build option. diff --git a/g3bench/Cargo.toml b/g3bench/Cargo.toml index f258c2ac1..7bad93654 100644 --- a/g3bench/Cargo.toml +++ b/g3bench/Cargo.toml @@ -55,9 +55,10 @@ g3-hickory-client.workspace = true g3-build-env.workspace = true [features] -default = ["quic"] +default = ["quic", "rustls-ring"] quic = ["g3-types/quic", "g3-socks/quic", "g3-io-ext/quic", "g3-hickory-client/quic", "dep:quinn", "dep:h3", "dep:h3-quinn"] -rustls-aws-lc = ["rustls/aws-lc-rs"] +rustls-ring = ["g3-types/rustls-ring", "rustls/ring", "quinn?/rustls-ring"] +rustls-aws-lc = ["g3-types/rustls-aws-lc", "rustls/aws-lc-rs", "quinn?/rustls-aws-lc-rs"] vendored-openssl = ["openssl/vendored", "openssl-probe"] vendored-tongsuo = ["openssl/tongsuo", "openssl-probe", "g3-types/tongsuo"] vendored-aws-lc = ["rustls-aws-lc", "openssl/aws-lc", "openssl-probe", "g3-types/aws-lc", "g3-tls-cert/aws-lc", "g3-openssl/aws-lc"] 
diff --git a/g3bench/debian/rules b/g3bench/debian/rules index f90a2095b..87e00265f 100755 --- a/g3bench/debian/rules +++ b/g3bench/debian/rules @@ -15,7 +15,7 @@ override_dh_auto_clean: override_dh_auto_build: G3_PACKAGE_VERSION=$(DEB_VERSION) \ cargo build --frozen --offline --profile $(BUILD_PROFILE) \ - --no-default-features --features $(SSL_FEATURE),quic \ + --no-default-features --features $(SSL_FEATURE),rustls-ring,quic \ --package g3bench override_dh_auto_install: diff --git a/g3bench/g3bench.spec b/g3bench/g3bench.spec index ac4ffdf88..7fb85a33e 100644 --- a/g3bench/g3bench.spec +++ b/g3bench/g3bench.spec @@ -31,7 +31,7 @@ G3 Benchmark Tool G3_PACKAGE_VERSION="%{version}-%{release}" export G3_PACKAGE_VERSION SSL_FEATURE=$(sh scripts/package/detect_openssl_feature.sh) -cargo build --frozen --offline --profile %{build_profile} --no-default-features --features $SSL_FEATURE,quic --package g3bench +cargo build --frozen --offline --profile %{build_profile} --no-default-features --features $SSL_FEATURE,rustls-ring,quic --package g3bench %install diff --git a/g3proxy/Cargo.toml b/g3proxy/Cargo.toml index bd4d6322e..833bcf3b8 100644 --- a/g3proxy/Cargo.toml +++ b/g3proxy/Cargo.toml @@ -84,7 +84,7 @@ g3-smtp-proto.workspace = true g3-socket.workspace = true g3-socks.workspace = true g3-statsd-client.workspace = true -g3-types = { workspace = true, features = ["auth-crypt", "rustls", "openssl", "acl-rule", "http", "route", "async-log"] } +g3-types = { workspace = true, features = ["auth-crypt", "openssl", "rustls", "acl-rule", "http", "route", "async-log"] } g3-tls-ticket = { workspace = true, features = ["yaml"] } g3-udpdump = { workspace = true, features = ["yaml"] } g3-xcrypt.workspace = true 
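Review bot: `rustls-ring` is hard-coded next to `$(SSL_FEATURE)` in the cargo build line, while `$(SSL_FEATURE)` is computed (in g3bench.spec it comes from `scripts/package/detect_openssl_feature.sh`) and g3bench's `vendored-aws-lc` feature already enables `rustls-aws-lc`; if that detection can ever yield `vendored-aws-lc`, the package build enables both rustls providers, which is exactly the combination `doc/openssl-variants.md` in this change avoids by pairing `vendored-aws-lc,rustls-aws-lc` under `--no-default-features`. Derive the rustls provider from the detected backend instead of fixing it, e.g. set a `RUSTLS_FEATURE` variable beside `SSL_FEATURE` and build with `--features $(SSL_FEATURE),$(RUSTLS_FEATURE),quic`. Where `SSL_FEATURE` is defined in this rules file is outside the hunk. The same hard-coded `rustls-ring` appears in g3bench.spec, g3proxy/debian/rules, g3proxy.spec, g3tiles/debian/rules and g3tiles.spec.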
@@ -100,7 +100,7 @@ tokio-stream.workspace = true g3-build-env.workspace = true [features] -default = ["lua54", "python", "c-ares", "hickory", "quic"] +default = ["lua54", "python", "c-ares", "hickory", "quic", "rustls-ring"] lua = ["mlua"] luajit = ["lua", "mlua/luajit"] lua51 = ["lua", "mlua/lua51"] @@ -110,7 +110,8 @@ python = ["pyo3"] c-ares = ["g3-resolver/c-ares"] hickory = ["g3-resolver/hickory"] quic = ["g3-daemon/quic", "g3-resolver/quic", "g3-yaml/quinn", "g3-types/quinn", "g3-dpi/quic", "dep:quinn"] -rustls-aws-lc = ["rustls/aws-lc-rs"] +rustls-ring = ["g3-types/rustls-ring", "rustls/ring", "quinn?/rustls-ring"] +rustls-aws-lc = ["g3-types/rustls-aws-lc", "rustls/aws-lc-rs", "quinn?/rustls-aws-lc-rs"] vendored-openssl = ["openssl/vendored", "openssl-probe"] vendored-tongsuo = ["openssl/tongsuo", "openssl-probe", "g3-yaml/tongsuo", "g3-json/tongsuo", "g3-cert-agent/tongsuo"] vendored-aws-lc = ["rustls-aws-lc", "openssl/aws-lc", "openssl-probe", "g3-types/aws-lc", "g3-openssl/aws-lc"] diff --git a/g3proxy/debian/rules b/g3proxy/debian/rules index d4d037805..ddf120733 100755 --- a/g3proxy/debian/rules +++ b/g3proxy/debian/rules @@ -17,7 +17,7 @@ override_dh_auto_clean: override_dh_auto_build: G3_PACKAGE_VERSION=$(DEB_VERSION) \ cargo build --frozen --profile $(BUILD_PROFILE) \ - --no-default-features --features $(LUA_FEATURE),$(SSL_FEATURE),quic,$(CARES_FEATURE),hickory \ + --no-default-features --features $(LUA_FEATURE),$(SSL_FEATURE),rustls-ring,quic,$(CARES_FEATURE),hickory \ --package g3proxy --package g3proxy-ctl --package g3proxy-lua cargo build --frozen --profile $(BUILD_PROFILE) --package g3proxy-ftp sh $(PACKAGE_NAME)/service/generate_systemd.sh diff --git a/g3proxy/docker/alpine.Dockerfile b/g3proxy/docker/alpine.Dockerfile index fb619ffd3..825de9dda 100644 --- a/g3proxy/docker/alpine.Dockerfile +++ b/g3proxy/docker/alpine.Dockerfile 
@@ -4,7 +4,7 @@ COPY . . RUN apk add --no-cache musl-dev cmake capnproto-dev openssl-dev c-ares-dev ENV RUSTFLAGS="-Ctarget-feature=-crt-static" RUN cargo build --profile release-lto \ - --no-default-features --features quic,c-ares,hickory \ + --no-default-features --features rustls-ring,quic,c-ares,hickory \ -p g3proxy -p g3proxy-ctl FROM alpine:latest diff --git a/g3proxy/docker/debian.Dockerfile b/g3proxy/docker/debian.Dockerfile index c4ebdbdf7..8a25e4e58 100644 --- a/g3proxy/docker/debian.Dockerfile +++ b/g3proxy/docker/debian.Dockerfile @@ -3,7 +3,7 @@ WORKDIR /usr/src/g3 COPY . . RUN apt-get update && apt-get install -y libclang-dev cmake capnproto RUN cargo build --profile release-lto \ - --no-default-features --features vendored-boringssl,quic,vendored-c-ares,hickory \ + --no-default-features --features vendored-boringssl,rustls-ring,quic,vendored-c-ares,hickory \ -p g3proxy -p g3proxy-ctl FROM debian:bookworm-slim diff --git a/g3proxy/docker/lua.alpine.Dockerfile b/g3proxy/docker/lua.alpine.Dockerfile index 001518fc1..ca46c711b 100644 --- a/g3proxy/docker/lua.alpine.Dockerfile +++ b/g3proxy/docker/lua.alpine.Dockerfile @@ -11,7 +11,7 @@ RUN apk add --no-cache musl-dev cmake capnproto-dev openssl-dev c-ares-dev lua5. ENV PKG_CONFIG_PATH=/usr/lib/pkgconfig ENV RUSTFLAGS="-Ctarget-feature=-crt-static" RUN cargo build --profile release-lto \ - --no-default-features --features quic,c-ares,hickory,lua54 \ + --no-default-features --features rustls-ring,quic,c-ares,hickory,lua54 \ -p g3proxy -p g3proxy-ctl -p g3proxy-lua FROM alpine:latest diff --git a/g3proxy/g3proxy.spec b/g3proxy/g3proxy.spec index dab8b919a..3c822fa7d 100644 --- a/g3proxy/g3proxy.spec +++ b/g3proxy/g3proxy.spec 
@@ -43,7 +43,7 @@ LUA_FEATURE=lua$LUA_VERSION SSL_FEATURE=$(sh scripts/package/detect_openssl_feature.sh) CARES_FEATURE=$(sh scripts/package/detect_c-ares_feature.sh) export CMAKE="%{cmake_real}" -cargo build --frozen --profile %{build_profile} --no-default-features --features $LUA_FEATURE,$SSL_FEATURE,quic,$CARES_FEATURE,hickory --package g3proxy --package g3proxy-ctl --package g3proxy-lua +cargo build --frozen --profile %{build_profile} --no-default-features --features $LUA_FEATURE,$SSL_FEATURE,rustls-ring,quic,$CARES_FEATURE,hickory --package g3proxy --package g3proxy-ctl --package g3proxy-lua cargo build --frozen --profile %{build_profile} --package g3proxy-ftp sh %{name}/service/generate_systemd.sh diff --git a/g3proxy/src/main.rs b/g3proxy/src/main.rs index f3f3efed3..5263febf5 100644 --- a/g3proxy/src/main.rs +++ b/g3proxy/src/main.rs @@ -30,7 +30,7 @@ fn main() -> anyhow::Result<()> { rustls::crypto::aws_lc_rs::default_provider() .install_default() .unwrap(); - #[cfg(not(feature = "rustls-aws-lc"))] + #[cfg(feature = "rustls-ring")] rustls::crypto::ring::default_provider() .install_default() .unwrap(); diff --git a/g3tiles/Cargo.toml b/g3tiles/Cargo.toml index 1625c47ab..8a835de42 100644 --- a/g3tiles/Cargo.toml +++ b/g3tiles/Cargo.toml @@ -58,9 +58,10 @@ g3tiles-proto = { path = "proto" } g3-build-env.workspace = true [features] -default = ["quic"] +default = ["quic", "rustls-ring"] quic = ["g3-daemon/quic", "g3-yaml/quinn", "g3-types/quinn", "dep:quinn"] -rustls-aws-lc = ["rustls/aws-lc-rs"] +rustls-ring = ["g3-types/rustls-ring", "rustls/ring", "quinn?/rustls-ring"] +rustls-aws-lc = ["g3-types/rustls-aws-lc", "rustls/aws-lc-rs", "quinn?/rustls-aws-lc-rs"] vendored-openssl = ["openssl/vendored", "openssl-probe"] vendored-tongsuo = ["openssl/tongsuo", "openssl-probe", "g3-yaml/tongsuo", "g3-types/tongsuo"] vendored-aws-lc = ["rustls-aws-lc", "openssl/aws-lc", "openssl-probe", "g3-types/aws-lc", "g3-openssl/aws-lc"] 
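Review bot: In g3proxy/src/main.rs the ring provider is now gated on `feature = "rustls-ring"` alone instead of `not(feature = "rustls-aws-lc")`, so when both features are enabled both `install_default()` calls run; the process-wide provider can only be installed once, the second call returns `Err`, and the `.unwrap()` panics at startup. That combination is easy to reach because this change puts `rustls-ring` into the default feature set of g3proxy, g3bench and g3tiles while `vendored-aws-lc` pulls in `rustls-aws-lc`, so a plain `cargo build --features vendored-aws-lc` hits it. Mirror the precedence that ext.rs uses for the ticketer, `#[cfg(all(feature = "rustls-ring", not(feature = "rustls-aws-lc")))]`, and consider a `compile_error!` when neither provider feature is enabled, since `CryptoProvider::get_default()` then stays `None`. The `#[cfg]` line of the aws-lc branch sits above the hunk and `main` continues below it. The new build instruction in doc/openssl-variants.md, `--features vendored-aws-lc,rustls-aws-lc,`, also carries a stray trailing comma.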
diff --git a/g3tiles/debian/rules b/g3tiles/debian/rules index 9502a1c10..1bb9408f3 100755 --- a/g3tiles/debian/rules +++ b/g3tiles/debian/rules @@ -15,7 +15,7 @@ override_dh_auto_clean: override_dh_auto_build: G3_PACKAGE_VERSION=$(DEB_VERSION) \ cargo build --frozen --offline --profile $(BUILD_PROFILE) \ - --no-default-features --features $(SSL_FEATURE),quic \ + --no-default-features --features $(SSL_FEATURE),rustls-ring,quic \ --package g3tiles --package g3tiles-ctl sh $(PACKAGE_NAME)/service/generate_systemd.sh diff --git a/g3tiles/g3tiles.spec b/g3tiles/g3tiles.spec index ab0ac287d..00227d2c8 100644 --- a/g3tiles/g3tiles.spec +++ b/g3tiles/g3tiles.spec @@ -37,7 +37,7 @@ Generic reverse proxy for G3 Project G3_PACKAGE_VERSION="%{version}-%{release}" export G3_PACKAGE_VERSION SSL_FEATURE=$(sh scripts/package/detect_openssl_feature.sh) -cargo build --frozen --offline --profile %{build_profile} --no-default-features --features $SSL_FEATURE,quic --package g3tiles --package g3tiles-ctl +cargo build --frozen --offline --profile %{build_profile} --no-default-features --features $SSL_FEATURE,rustls-ring,quic --package g3tiles --package g3tiles-ctl sh %{name}/service/generate_systemd.sh diff --git a/lib/g3-build-env/src/rustls.rs b/lib/g3-build-env/src/rustls.rs index 3a3d426df..90a9adfd0 100644 --- a/lib/g3-build-env/src/rustls.rs +++ b/lib/g3-build-env/src/rustls.rs @@ -17,10 +17,10 @@ use std::env; pub fn check_rustls_provider() { - let provider = if env::var("CARGO_FEATURE_RUSTLS_AWS_LC").is_ok() { - "aws-lc" - } else { - "ring" - }; - println!("cargo:rustc-env=G3_RUSTLS_PROVIDER={provider}"); + if env::var("CARGO_FEATURE_RUSTLS_RING").is_ok() { + println!("cargo:rustc-env=G3_RUSTLS_PROVIDER=ring"); + } + if env::var("CARGO_FEATURE_RUSTLS_AWS_LC").is_ok() { + println!("cargo:rustc-env=G3_RUSTLS_PROVIDER=aws-lc"); + } } diff --git a/lib/g3-msgpack/Cargo.toml b/lib/g3-msgpack/Cargo.toml index f1ba06f91..ee22623d7 100644 --- a/lib/g3-msgpack/Cargo.toml 
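Review bot: `check_rustls_provider` now emits `cargo:rustc-env=G3_RUSTLS_PROVIDER` once per enabled feature and nothing at all when neither is enabled, so with both `rustls-ring` and `rustls-aws-lc` on the value depends on which directive cargo applies last, and with neither on a consumer reading the variable with `env!` fails to compile with an unhelpful message. Resolve the pair explicitly, with aws-lc taking precedence as ext.rs's `#[cfg(all(feature = "rustls-ring", not(feature = "rustls-aws-lc")))]` already does, and emit a `cargo:warning=` when no provider feature is selected so the misconfiguration is visible in the build log. Whether the consumer uses `env!` or `option_env!` is not visible here.
```rust
pub fn check_rustls_provider() {
    let ring = env::var("CARGO_FEATURE_RUSTLS_RING").is_ok();
    let aws_lc = env::var("CARGO_FEATURE_RUSTLS_AWS_LC").is_ok();
    // aws-lc wins when both features are enabled, matching the cfg
    // precedence used for the session ticketer in g3-types.
    let provider = match (aws_lc, ring) {
        (true, _) => "aws-lc",
        (false, true) => "ring",
        (false, false) => {
            println!("cargo:warning=no rustls crypto provider feature enabled (rustls-ring or rustls-aws-lc)");
            return;
        }
    };
    println!("cargo:rustc-env=G3_RUSTLS_PROVIDER={provider}");
}
```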
+++ b/lib/g3-msgpack/Cargo.toml @@ -13,7 +13,6 @@ rmpv.workspace = true uuid.workspace = true atoi.workspace = true chrono = { workspace = true, features = ["std"] } -rustls = { workspace = true, optional = true } rustls-pki-types = { workspace = true, optional = true, features = ["std"] } openssl = { workspace = true, optional = true } ip_network = { workspace = true, optional = true } @@ -22,6 +21,6 @@ g3-geoip-types = { workspace = true, optional = true } [features] default = [] -rustls = ["g3-types/rustls", "dep:rustls", "dep:rustls-pki-types"] +rustls = ["g3-types/rustls", "dep:rustls-pki-types"] openssl = ["g3-types/openssl", "dep:openssl"] geoip = ["dep:g3-geoip-types", "dep:ip_network"] diff --git a/lib/g3-types/Cargo.toml b/lib/g3-types/Cargo.toml index a3b3b3c54..a09e2737e 100644 --- a/lib/g3-types/Cargo.toml +++ b/lib/g3-types/Cargo.toml @@ -59,10 +59,12 @@ quic = [] auth-crypt = ["dep:digest", "dep:md-5", "dep:sha-1", "dep:blake3", "dep:hex"] resolve = ["dep:radix_trie", "dep:fastrand"] quinn = ["dep:quinn", "quic"] -rustls = ["dep:rustls", "dep:rustls-pki-types", "dep:webpki-roots", "dep:rustls-native-certs", "dep:lru", "quinn?/rustls"] +rustls = ["dep:rustls", "dep:rustls-pki-types", "dep:webpki-roots", "dep:rustls-native-certs", "dep:lru"] +rustls-ring = ["rustls", "rustls/ring", "quinn?/rustls-ring"] +rustls-aws-lc = ["rustls", "rustls/aws-lc-rs", "quinn?/rustls-aws-lc-rs"] openssl = ["dep:openssl", "dep:lru", "dep:bytes"] tongsuo = ["openssl", "openssl/tongsuo", "dep:brotli"] -aws-lc = ["openssl", "openssl/aws-lc", "rustls?/aws-lc-rs", "dep:brotli"] +aws-lc = ["openssl", "openssl/aws-lc", "dep:brotli"] boringssl = ["openssl", "openssl/boringssl", "dep:brotli"] acl-rule = ["resolve", "dep:ip_network", "dep:ip_network_table", "dep:regex", "dep:radix_trie"] http = ["dep:http", "dep:bytes", "dep:base64"] diff --git a/lib/g3-types/src/net/rustls/cert_resolver.rs b/lib/g3-types/src/net/rustls/cert_resolver.rs index 2920303b5..339b11640 100644 
--- a/lib/g3-types/src/net/rustls/cert_resolver.rs +++ b/lib/g3-types/src/net/rustls/cert_resolver.rs @@ -17,10 +17,7 @@ use std::sync::Arc; use anyhow::anyhow; -#[cfg(feature = "aws-lc")] -use rustls::crypto::aws_lc_rs::sign::any_supported_type; -#[cfg(not(feature = "aws-lc"))] -use rustls::crypto::ring::sign::any_supported_type; +use rustls::crypto::CryptoProvider; use rustls::server::{ClientHello, ResolvesServerCert}; use rustls::sign::CertifiedKey; @@ -39,7 +36,12 @@ impl MultipleCertResolver { } pub fn push_cert_pair(&mut self, pair: &RustlsCertificatePair) -> anyhow::Result<()> { - let signing_key = any_supported_type(pair.key_ref()) + let Some(provider) = CryptoProvider::get_default() else { + return Err(anyhow!("no rustls provider registered")); + }; + let signing_key = provider + .key_provider + .load_private_key(pair.key_owned()) .map_err(|e| anyhow!("failed to add cert pair: {e}"))?; let ck = CertifiedKey::new(pair.certs_owned(), signing_key); self.keys.push(Arc::new(ck)); diff --git a/lib/g3-types/src/net/rustls/ext.rs b/lib/g3-types/src/net/rustls/ext.rs index 6fd4f0709..d56c903cc 100644 --- a/lib/g3-types/src/net/rustls/ext.rs +++ b/lib/g3-types/src/net/rustls/ext.rs @@ -16,11 +16,6 @@ use std::sync::Arc; -use anyhow::anyhow; -#[cfg(feature = "aws-lc")] -use rustls::crypto::aws_lc_rs::Ticketer; -#[cfg(not(feature = "aws-lc"))] -use rustls::crypto::ring::Ticketer; use rustls::server::{NoServerSessionStorage, ProducesTickets}; use rustls::{ClientConnection, HandshakeKind, ServerConfig, ServerConnection}; 
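Review bot: `push_cert_pair` now depends on process-global state: it reads `CryptoProvider::get_default()` and returns an error when no provider has been installed, whereas the removed `any_supported_type` path needed no installed provider, so any caller that builds a resolver before the provider is installed (g3proxy does the install in `main`) now fails with "no rustls provider registered". Document that ordering requirement on the method, e.g. `/// Loads the pair's private key through the process-wide default [`CryptoProvider`]; a provider must already be installed (see `CryptoProvider::install_default`), otherwise an error is returned.` It is also worth a one-line comment that `pair.key_owned()` copies the private key on every call because `load_private_key` takes it by value, so the clone is required rather than accidental. `push_cert_pair`'s `Ok(())` and closing brace lie below the hunk.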
@@ -72,13 +67,12 @@ impl RustlsServerConfigExt for ServerConfig {
 ticketer: Option>,
 ) -> anyhow::Result<()> {
 if enable {
+ self.send_tls13_tickets = 2;
 if let Some(ticketer) = ticketer {
 self.ticketer = ticketer;
 } else {
- self.ticketer = Ticketer::new()
- .map_err(|e| anyhow!("failed to create session ticketer: {e}"))?;
+ set_default_session_ticketer(self)?;
 }
- self.send_tls13_tickets = 2;
 } else {
 self.ticketer = Arc::new(RustlsNoSessionTicketer {});
 self.send_tls13_tickets = 0;
@@ -86,3 +80,27 @@ impl RustlsServerConfigExt for ServerConfig {
 Ok(())
 }
 }
+
+#[cfg(feature = "rustls-aws-lc")]
+fn set_default_session_ticketer(config: &mut ServerConfig) -> anyhow::Result<()> {
+ use anyhow::anyhow;
+
+ config.ticketer = rustls::crypto::aws_lc_rs::Ticketer::new()
+ .map_err(|e| anyhow!("failed to create session ticketer: {e}"))?;
+ Ok(())
+}
+
+#[cfg(all(feature = "rustls-ring", not(feature = "rustls-aws-lc")))]
+fn set_default_session_ticketer(config: &mut ServerConfig) -> anyhow::Result<()> {
+ use anyhow::anyhow;
+
+ config.ticketer = rustls::crypto::ring::Ticketer::new()
+ .map_err(|e| anyhow!("failed to create session ticketer: {e}"))?;
+ Ok(())
+}
+
+#[cfg(not(any(feature = "rustls-aws-lc", feature = "rustls-ring")))]
+fn set_default_session_ticketer(config: &mut ServerConfig) -> anyhow::Result<()> {
+ config.send_tls13_tickets = 0;
+ Ok(())
+}
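Review bot: The `set_default_session_ticketer` variant for builds with neither `rustls-ring` nor `rustls-aws-lc` zeroes `send_tls13_tickets` and returns `Ok(())`, so a caller that asked for `enable = true` gets success while session tickets are silently left off and `config.ticketer` keeps whatever it held before. Returning an error keeps the contract honest and matches the "no rustls provider registered" error that cert_resolver.rs raises in this same change: `Err(anyhow::anyhow!("no rustls crypto provider feature enabled, cannot create session ticketer"))`; if the silent degradation is intended, a comment on that variant should say so. In the first hunk, `self.send_tls13_tickets = 2` is now assigned before the fallible `set_default_session_ticketer(self)?` call, so on error the config is left requesting tickets with no ticketer installed; assigning it after the call, where it stood before, avoids that half-applied state. The `Option>` in the signature is an extraction artifact and not part of the code.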