Use aws_lc_rs instead of ring to check for supported key type #2758
Conversation
Alvenix
force-pushed
the
use_aws_lc_rs
branch
2 times, most recently
from
a4562bd to
ec945fb
Compare
|
As it stands, aws-lc-rs is much more onerous to build than ring (NASM + cmake). I think until it's as easy to build, we should stick with ring. |
Yes I agree. If only there was a way to to support both and let the user choose. In stable Rust, this is only possible by adding additional features to rocket which is probably unnecessary complexity. Thankfully it is easy to patch dependencies in Rust for those who needs to. |
I'm not opposed to adding some features here. IE adding tls-ring and tls-aws-lc, and having tls enable tls-ring by default. The key would be in making these additive: what happens when both are enabled? |
What about having tls-aws-lc override tls-ring? |
|
I added a single feature: tls-aws-lc, ring is enabled by default as it have easier build requirements. Enabling this feature would override ring. Is this approach acceptable? I will try to add documentation and a test (or an example) for the feature. |
Alvenix
force-pushed
the
use_aws_lc_rs
branch
7 times, most recently
from
58d5816 to
efc37b5
Compare
|
I changed the approach to making ring default by rocket, and using CryptoProvider::get_default where possible. This way user of Rocket can specify at runtime (using CryptoProvider::install at the start of the main for example) if they want to change ring. It would have been better if I could remove all ring usage in rocket then the end user would choose by enabling the appropriate feature. The only thing blocking full ring independence is creating a ticketer. I am not really sure how to do that. So currently I am using ring ticketer. There is also the list of supported cipher algorithms but I feel that is easily solvable by adding them to Rocket. However, I feel the current approach is very good. |
|
Right, that's definitely the mechanism we should use. But, other parts of Rocket currently use core/lib/src/listener/tls.rs
62: tls_config.ticketer = rustls::crypto::ring::Ticketer::new()?;
core/lib/src/tls/config.rs
479: use rustls::crypto::ring::cipher_suite;The former is aws_lc_rs::Ticketer. The latter should use aws_lc_rs::ALL_CIPHER_SUITES and aws_lc_rs::DEFAULT_CIPHER_SUITES. |
SergioBenitez
force-pushed
the
use_aws_lc_rs
branch
from
91db193 to
eefeaba
Compare
I left them to use ring intentionally as Rocket enable only ring by default (and disables aws_lc_rs) as it has simpler compilation requirement as you said. It is up to the user to enable aws_ls_rs feature. If the user want Rocket to use aws_lc_rs, he can add the following to the Cargo.toml and main.rs In this commit: even if the user enable aws_lc_rs, he would be only be using ring for the ticketer. I think that is acceptable for my use case as it doesn't effect the more supported signature keys. (I assume that using ring ticketer with aws_lc_rs tls will work, but I will need to verify this) I am actually not sure about the cipher suites, I thought because they had the same names they were internally the same. But I probably have to fix that. I think it would be better to get them dynamically from the CryptoProvider struct as it has array of supported ciphers. |
|
I changed the ciphersuite mapping function to be dynamic instead of using ring or aws_lc_rs feature based on the default crypto provider. Note that the user can provide his own custom crypto provider which may not support the chosen cipher suite, in that case I used expect. The ticketer remain but I feel that is less important (if the code work correctly, but I will test it). If it is important I will check if there is a way. |
I think this would be rather unexpected. Is there a way for a user to "install" a ticketer? Or to get the default ticket from a
We can't have that I think what I'm realizing is that if the user installs a |
I don't think there is currently any one to do so but I opened a feature request in rustls repo for this. |
Alvenix
force-pushed
the
use_aws_lc_rs
branch
2 times, most recently
from
22865cd to
27287ea
Compare
Yes this feel much better. I have pushed this change. Ticketer remain but in my opinion I think it is okay to use ring Ticketer untill rustls support getting it dynamically. |
Alvenix
force-pushed
the
use_aws_lc_rs
branch
2 times, most recently
from
4370e0c to
3a6c031
Compare
|
quic used in Rocket currently use older rustls so I had to use ring parsing for it. Currently windows failed because I added usage of awc-lc-rs in the tls example for testing. Should I make the |
SergioBenitez
force-pushed
the
use_aws_lc_rs
branch
from
e5527e1 to
7ba1f84
Compare
| .into_iter() | ||
| .map(|v| v.to_vec()) | ||
| .map(rustls::Certificate) | ||
| .collect::<Vec<_>>(); | ||
|
|
||
| let key = crate::tls::util::load_key(&mut tls.key_reader().unwrap()) | ||
| .unwrap() | ||
| let key = tls.load_key() |
There was a problem hiding this comment.
When someone use aws-lc-rs CryptoProvider this could load keys that are not supported by older versions of rustls (e.g: P521), so there may be failure later when running the quic server.
I am noting this, because I used boolean before to error early. If a later error is acceptable that is fine but I don't want you to accidentally miss this during review.
There was a problem hiding this comment.
Thanks for the note! That's useful to know. This quic part is temporary. Upstream has already updated rustls, so this whole bit will be gone shortly.
| validate_profiles(DEFAULT_PROFILES); | ||
|
|
||
| #[cfg(unix)] { | ||
| rustls::crypto::aws_lc_rs::default_provider().install_default().unwrap(); |
There was a problem hiding this comment.
This affect the whole process, so it could affect other tests. I am still researching how to separate this test into a standalone process.
There was a problem hiding this comment.
I used integration test to separate the tests. If additional integration tests is needed maybe we can add different test folder using [[test]] in Cargo.toml.
There was a problem hiding this comment.
Right, but at that point it doesn't really matter if it affects the entire process - only other tests in the same crate would be affected. We simply need to test it with the default and then aws-lc, which this test accomplishes. I preferred the approach here, which is nice and short.
There was a problem hiding this comment.
Yes I agree, should I remove the last commit?
"We simply need to test it with the default and then aws-lc, which this test accomplishes." yes but what if this was the first test that was started. Then all the other tests would be tested with aws-lc instead of the default
This commit updates rustls to 0.23 and adds support for custom 'CryptoProvider's installable via 'CryptoProvider::install_default()'. In particular, this enables using `aws-lc-rs` for cryptography related operation in TLS. The 'TLS' example was updated to test use of 'aws-lc-rs' on Unix.
Prior to this commit, some TLS related operations used 'ring' even when a different default 'CryptoProvider' was installed. This commit fixes that by refactoring 'TlsConfig' such that all utility methods are required to use the default 'CryptoProvider'. This commit also cleans up code related to the rustls 0.23 update.
SergioBenitez
force-pushed
the
use_aws_lc_rs
branch
from
22f913f to
94b301f
Compare
SergioBenitez
force-pushed
the
use_aws_lc_rs
branch
from
94b301f to
dc125e4
Compare
Can we change the check for public key from ring to awc_rs_ls? Both depend on features enabled on rustls. Currently awc_rs_ls is the default (on 0.23) and support more keys.
Edit: I probably should try to update rustls to 0.23 first.