chore(tls): Remove ring as crypto backend

The broader ecosystem has mostly moved to aws-lc-rs as the primary rustls backend, and we should follow suit. This will also simplify the maintenance of the proxy's TLS implementation in the long term.

There will need to be some refactoring to clean up the rustls provider interfaces, but that will come in follow-ups.

Signed-off-by: Scott Fleener <[email protected]>

Author: sfleen

Cargo.lock

@@ -3753,7 +3753,6 @@ dependencies = [
  "aws-lc-rs",
  "log",
  "once_cell",
- "ring",
  "rustls-pki-types",
  "rustls-webpki",
  "subtle",

deny.toml

@@ -23,11 +23,6 @@ allow = [
 private = { ignore = true }
 confidence-threshold = 0.8
 exceptions = [
-    { allow = [
-        "ISC",
-        "MIT",
-        "OpenSSL",
-    ], name = "ring", version = "*" },
     { allow = [
         "ISC",
         "OpenSSL",
@@ -38,14 +33,6 @@ exceptions = [
     ], name = "aws-lc-fips-sys", version = "*" },
 ]
 
-[[licenses.clarify]]
-name = "ring"
-version = "*"
-expression = "MIT AND ISC AND OpenSSL"
-license-files = [
-    { path = "LICENSE", hash = 0xbd0eed23 },
-]
-
 [bans]
 multiple-versions = "deny"
 # Wildcard dependencies are used for all workspace-local crates.
@@ -55,6 +42,8 @@ deny = [
     { name = "rustls", wrappers = ["tokio-rustls"] },
     # rustls-webpki should be used instead.
     { name = "webpki" },
+    # aws-lc-rs should be used instead.
+    { name = "ring" }
 ]
 skip = [
     # `linkerd-trace-context`, `rustls-pemfile` and `tonic` depend on `base64`

linkerd/meshtls/Cargo.toml

@@ -8,9 +8,7 @@ publish = { workspace = true }
 
 [features]
 rustls = ["linkerd-meshtls-rustls", "__has_any_tls_impls"]
-rustls-aws-lc = ["rustls", "linkerd-meshtls-rustls/aws-lc"]
-rustls-aws-lc-fips = ["rustls-aws-lc", "linkerd-meshtls-rustls/aws-lc-fips"]
-rustls-ring = ["rustls", "linkerd-meshtls-rustls/ring"]
+rustls-fips = ["linkerd-meshtls-rustls/fips"]
 boring = ["linkerd-meshtls-boring", "__has_any_tls_impls"]
 boring-fips = ["boring", "linkerd-meshtls-boring/fips"]
 # Enabled if *any* TLS impl is enabled.

linkerd/meshtls/rustls/Cargo.toml

@@ -7,19 +7,16 @@ edition = "2018"
 publish = { workspace = true }
 
 [features]
-default = ["aws-lc"]
-ring = ["tokio-rustls/ring", "rustls-webpki/ring"]
-aws-lc = ["tokio-rustls/aws-lc-rs", "rustls-webpki/aws-lc-rs"]
-aws-lc-fips = ["aws-lc", "tokio-rustls/fips"]
+fips = ["tokio-rustls/fips"]
 test-util = ["linkerd-tls-test-util"]
 
 [dependencies]
 futures = { version = "0.3", default-features = false }
 rustls-pemfile = "2.2"
-rustls-webpki = { version = "0.103.4", default-features = false, features = ["std"] }
+rustls-webpki = { version = "0.103.4", default-features = false, features = ["std", "aws-lc-rs"] }
 thiserror = "2"
 tokio = { version = "1", features = ["macros", "rt", "sync"] }
-tokio-rustls = { workspace = true }
+tokio-rustls = { workspace = true, features = ["aws-lc-rs"] }
 tracing = { workspace = true }
 
 linkerd-dns-name = { path = "../../dns/name" }

linkerd/meshtls/rustls/src/backend.rs

@@ -1,16 +1,3 @@
-#[cfg(all(feature = "aws-lc", feature = "ring"))]
-compile_error!(
-    "Multiple rustls backends enabled. Enabled one of the \"ring\" or \"aws-lc\" features"
-);
-#[cfg(not(any(feature = "aws-lc", feature = "ring")))]
-compile_error!("No rustls backend enabled. Enabled one of the \"ring\" or \"aws-lc\" features");
+pub use aws_lc::{default_provider, SUPPORTED_SIG_ALGS, TLS_SUPPORTED_CIPHERSUITES};
 
-#[cfg(feature = "aws-lc")]
 mod aws_lc;
-#[cfg(feature = "ring")]
-mod ring;
-
-#[cfg(feature = "aws-lc")]
-pub use aws_lc::{default_provider, SUPPORTED_SIG_ALGS, TLS_SUPPORTED_CIPHERSUITES};
-#[cfg(feature = "ring")]
-pub use ring::{default_provider, SUPPORTED_SIG_ALGS, TLS_SUPPORTED_CIPHERSUITES};

linkerd/meshtls/rustls/src/backend/aws_lc.rs

@@ -4,14 +4,14 @@ use tokio_rustls::rustls::{
     crypto::{aws_lc_rs, WebPkiSupportedAlgorithms},
 };
 
-#[cfg(not(feature = "aws-lc-fips"))]
+#[cfg(not(feature = "fips"))]
 pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = &[
     aws_lc_rs::cipher_suite::TLS13_AES_128_GCM_SHA256,
     aws_lc_rs::cipher_suite::TLS13_AES_256_GCM_SHA384,
     aws_lc_rs::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
 ];
 // Prefer aes-256-gcm if fips is enabled
-#[cfg(feature = "aws-lc-fips")]
+#[cfg(feature = "fips")]
 pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = &[
     aws_lc_rs::cipher_suite::TLS13_AES_256_GCM_SHA384,
     aws_lc_rs::cipher_suite::TLS13_AES_128_GCM_SHA256,

linkerd/meshtls/rustls/src/backend/ring.rs

@@ -8,12 +8,11 @@ publish = { workspace = true }
 description = "The main proxy executable"
 
 [features]
-default = ["meshtls-rustls-aws-lc"]
+default = ["meshtls-rustls"]
 meshtls-boring = ["linkerd-meshtls/boring"]
 meshtls-boring-fips = ["linkerd-meshtls/boring-fips"]
-meshtls-rustls-aws-lc = ["linkerd-meshtls/rustls-aws-lc"]
-meshtls-rustls-aws-lc-fips = ["linkerd-meshtls/rustls-aws-lc-fips"]
-meshtls-rustls-ring = ["linkerd-meshtls/rustls-ring"]
+meshtls-rustls = ["linkerd-meshtls/rustls"]
+meshtls-rustls-fips = ["linkerd-meshtls/rustls-fips"]
 log-streaming = ["linkerd-app/log-streaming"]
 pprof = ["linkerd-app/pprof"]
 # From https://github.com/polarsignals/rust-jemalloc-pprof/blob/bcf1ad7f7ad3ec8e71098f4d5a9ce55905c7a602/README.md#usage

linkerd2-proxy/Cargo.toml

@@ -6,12 +6,7 @@
 
 // Emit a compile-time error if no TLS implementations are enabled. When adding
 // new implementations, add their feature flags here!
-#[cfg(not(any(
-    feature = "meshtls-boring",
-    feature = "meshtls-rustls-ring",
-    feature = "meshtls-rustls-aws-lc",
-    feature = "meshtls-rustls-aws-lc-fips"
-)))]
+#[cfg(not(any(feature = "meshtls-boring", feature = "meshtls-rustls",)))]
 compile_error!(
     "at least one of the following TLS implementations must be enabled: 'meshtls-boring', 'meshtls-rustls'"
 );