chore(tls): Remove ring as rustls crypto backend

Cargo.lock

@@ -3753,7 +3753,6 @@ dependencies = [
  "aws-lc-rs",
  "log",
  "once_cell",
- "ring",
  "rustls-pki-types",
  "rustls-webpki",
  "subtle",

deny.toml

@@ -23,11 +23,6 @@ allow = [
 private = { ignore = true }
 confidence-threshold = 0.8
 exceptions = [
-    { allow = [
-        "ISC",
-        "MIT",
-        "OpenSSL",
-    ], name = "ring", version = "*" },
     { allow = [
         "ISC",
         "OpenSSL",
@@ -38,14 +33,6 @@ exceptions = [
     ], name = "aws-lc-fips-sys", version = "*" },
 ]
 
-[[licenses.clarify]]
-name = "ring"
-version = "*"
-expression = "MIT AND ISC AND OpenSSL"
-license-files = [
-    { path = "LICENSE", hash = 0xbd0eed23 },
-]
-
 [bans]
 multiple-versions = "deny"
 # Wildcard dependencies are used for all workspace-local crates.
@@ -55,6 +42,8 @@ deny = [
     { name = "rustls", wrappers = ["tokio-rustls"] },
     # rustls-webpki should be used instead.
     { name = "webpki" },
+    # aws-lc-rs should be used instead.
+    { name = "ring" }
 ]
 skip = [
     # `linkerd-trace-context`, `rustls-pemfile` and `tonic` depend on `base64`

linkerd/meshtls/Cargo.toml

@@ -8,9 +8,7 @@ publish = { workspace = true }
 
 [features]
 rustls = ["linkerd-meshtls-rustls", "__has_any_tls_impls"]
-rustls-aws-lc = ["rustls", "linkerd-meshtls-rustls/aws-lc"]
-rustls-aws-lc-fips = ["rustls-aws-lc", "linkerd-meshtls-rustls/aws-lc-fips"]
-rustls-ring = ["rustls", "linkerd-meshtls-rustls/ring"]
+rustls-fips = ["linkerd-meshtls-rustls/fips"]
 boring = ["linkerd-meshtls-boring", "__has_any_tls_impls"]
 boring-fips = ["boring", "linkerd-meshtls-boring/fips"]
 # Enabled if *any* TLS impl is enabled.

linkerd/meshtls/rustls/Cargo.toml

@@ -7,19 +7,16 @@ edition = "2018"
 publish = { workspace = true }
 
 [features]
-default = ["aws-lc"]
-ring = ["tokio-rustls/ring", "rustls-webpki/ring"]
-aws-lc = ["tokio-rustls/aws-lc-rs", "rustls-webpki/aws-lc-rs"]
-aws-lc-fips = ["aws-lc", "tokio-rustls/fips"]
+fips = ["tokio-rustls/fips"]
 test-util = ["linkerd-tls-test-util"]
 
 [dependencies]
 futures = { version = "0.3", default-features = false }
 rustls-pemfile = "2.2"
-rustls-webpki = { version = "0.103.4", default-features = false, features = ["std"] }
+rustls-webpki = { version = "0.103.4", default-features = false, features = ["std", "aws-lc-rs"] }
 thiserror = "2"
 tokio = { version = "1", features = ["macros", "rt", "sync"] }
-tokio-rustls = { workspace = true }
+tokio-rustls = { workspace = true, features = ["aws-lc-rs"] }
 tracing = { workspace = true }
 
 linkerd-dns-name = { path = "../../dns/name" }

linkerd/meshtls/rustls/src/backend.rs

@@ -1,16 +1,3 @@
-#[cfg(all(feature = "aws-lc", feature = "ring"))]
-compile_error!(
-    "Multiple rustls backends enabled. Enabled one of the \"ring\" or \"aws-lc\" features"
-);
-#[cfg(not(any(feature = "aws-lc", feature = "ring")))]
-compile_error!("No rustls backend enabled. Enabled one of the \"ring\" or \"aws-lc\" features");
+pub use aws_lc::{default_provider, SUPPORTED_SIG_ALGS, TLS_SUPPORTED_CIPHERSUITES};
 
-#[cfg(feature = "aws-lc")]
 mod aws_lc;
-#[cfg(feature = "ring")]
-mod ring;
-
-#[cfg(feature = "aws-lc")]
-pub use aws_lc::{default_provider, SUPPORTED_SIG_ALGS, TLS_SUPPORTED_CIPHERSUITES};
-#[cfg(feature = "ring")]
-pub use ring::{default_provider, SUPPORTED_SIG_ALGS, TLS_SUPPORTED_CIPHERSUITES};

linkerd/meshtls/rustls/src/backend/aws_lc.rs

@@ -4,14 +4,14 @@ use tokio_rustls::rustls::{
     crypto::{aws_lc_rs, WebPkiSupportedAlgorithms},
 };
 
-#[cfg(not(feature = "aws-lc-fips"))]
+#[cfg(not(feature = "fips"))]
 pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = &[
     aws_lc_rs::cipher_suite::TLS13_AES_128_GCM_SHA256,
     aws_lc_rs::cipher_suite::TLS13_AES_256_GCM_SHA384,
     aws_lc_rs::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
 ];
 // Prefer aes-256-gcm if fips is enabled
-#[cfg(feature = "aws-lc-fips")]
+#[cfg(feature = "fips")]
 pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = &[
     aws_lc_rs::cipher_suite::TLS13_AES_256_GCM_SHA384,
     aws_lc_rs::cipher_suite::TLS13_AES_128_GCM_SHA256,

linkerd2-proxy/Cargo.toml

@@ -8,12 +8,11 @@ publish = { workspace = true }
 description = "The main proxy executable"
 
 [features]
-default = ["meshtls-rustls-aws-lc"]
+default = ["meshtls-rustls"]
 meshtls-boring = ["linkerd-meshtls/boring"]
 meshtls-boring-fips = ["linkerd-meshtls/boring-fips"]
-meshtls-rustls-aws-lc = ["linkerd-meshtls/rustls-aws-lc"]
-meshtls-rustls-aws-lc-fips = ["linkerd-meshtls/rustls-aws-lc-fips"]
-meshtls-rustls-ring = ["linkerd-meshtls/rustls-ring"]
+meshtls-rustls = ["linkerd-meshtls/rustls"]
+meshtls-rustls-fips = ["linkerd-meshtls/rustls-fips"]
 log-streaming = ["linkerd-app/log-streaming"]
 pprof = ["linkerd-app/pprof"]
 # From https://github.com/polarsignals/rust-jemalloc-pprof/blob/bcf1ad7f7ad3ec8e71098f4d5a9ce55905c7a602/README.md#usage

linkerd2-proxy/src/main.rs

@@ -6,12 +6,7 @@
 
 // Emit a compile-time error if no TLS implementations are enabled. When adding
 // new implementations, add their feature flags here!
-#[cfg(not(any(
-    feature = "meshtls-boring",
-    feature = "meshtls-rustls-ring",
-    feature = "meshtls-rustls-aws-lc",
-    feature = "meshtls-rustls-aws-lc-fips"
-)))]
+#[cfg(not(any(feature = "meshtls-boring", feature = "meshtls-rustls",)))]
 compile_error!(
     "at least one of the following TLS implementations must be enabled: 'meshtls-boring', 'meshtls-rustls'"
 );