support for aws-lc-rs/fips rustls-crypto-backend via cargo features

BiagioFesta · Nov 21, 2024 · 68d6993 · 68d6993
1 parent 448e1ab
commit 68d6993
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 7 deletions.
diff --git a/wtransport/Cargo.toml b/wtransport/Cargo.toml
@@ -31,9 +31,9 @@ required-features = ["self-signed"]
 [dependencies]
 bytes = "1.4.0"
 pem = "3.0.4"
-quinn = { version = "0.11.5", default-features = false, features = ["runtime-tokio", "rustls"] }
+quinn = { version = "0.11.6", default-features = false, features = ["runtime-tokio"] }
 rcgen = { version = "0.13.1", optional = true }
-rustls = { version = "0.23.12", default-features = false, features = ["ring"] }
+rustls = { version = "0.23.12", default-features = false }
 rustls-native-certs = "0.8.0"
 rustls-pemfile = "2.1.3"
 rustls-pki-types = "1.8.0"
@@ -55,10 +55,14 @@ tokio = { version = "1.28.1", default-features = false, features = ["rt-multi-th
 tracing-subscriber = { version = "0.3.17", features = ["env-filter"] }
 
 [features]
-default = ["self-signed"]
+default = ["self-signed", "ring"]
+aws-lc-rs = ["quinn/aws-lc-rs", "quinn/rustls-aws-lc-rs", "rustls/aws-lc-rs"]
+aws-lc-rs-fips = ["quinn/aws-lc-rs-fips", "quinn/rustls-aws-lc-rs-fips", "rustls/fips"]
 dangerous-configuration = []
+fips = ["aws-lc-rs-fips"]
 quinn = []
 quinn-log = ["quinn/log"]
+ring = ["quinn/ring", "quinn/rustls", "rustls/ring"]
 self-signed = ["dep:rcgen"]
 
 [package.metadata.docs.rs]

diff --git a/wtransport/src/tls.rs b/wtransport/src/tls.rs
@@ -587,6 +587,18 @@ pub fn build_native_cert_store() -> RootCertStore {
     root_store
 }
 
+fn default_crypto_provider() -> rustls::crypto::CryptoProvider {
+    #[cfg(feature = "ring")]
+    {
+        rustls::crypto::ring::default_provider()
+    }
+
+    #[cfg(not(feature = "ring"))]
+    {
+        rustls::crypto::aws_lc_rs::default_provider()
+    }
+}
+
 /// TLS configurations and utilities server-side.
 pub mod server {
     use super::*;
@@ -692,8 +704,7 @@ pub mod client {
         /// Creates a new instance of `NoServerVerification`.
         pub fn new() -> NoServerVerification {
             NoServerVerification {
-                supported_algorithms: rustls::crypto::ring::default_provider()
-                    .signature_verification_algorithms,
+                supported_algorithms: default_crypto_provider().signature_verification_algorithms,
             }
         }
     }
@@ -772,8 +783,7 @@ pub mod client {
 
             Self {
                 hashes: BTreeSet::from_iter(hashes),
-                supported_algorithms: rustls::crypto::ring::default_provider()
-                    .signature_verification_algorithms,
+                supported_algorithms: default_crypto_provider().signature_verification_algorithms,
             }
         }