Remove use of unapproved crypto libraries

[Porges]

To comply with Microsoft security policies, we must use only approved crypto libraries.

Notably, ring is not on the approved libraries list. We should use the platform crypto libraries instead. The official guidance is:

• on Windows, schannel and friends
• on Linux, the OpenSSL 1.1.1 series if available, otherwise OpenSSL 3.0. OpenSSL must be dynamically and not statically linked so that distro-provided updates can be used.

Following these guidelines strictly would mean that we have to build distro/version specific binaries for Linux. Instead we have an exception which allows us to statically link against the OpenSSL 1.1.1 series, allowing us to have a (somewhat) portable binary.

OpenSSL 1.1.1. can be statically linked by switching to the native-tls-vendored feature of reqwest. (Verified by inspection that ring and rustls are no longer in Cargo.lock files.)

So the result is:

• on Windows, we use schannel
• on Linux we statically link against 1.1.1

It is up to us to ensure we keep up-to-date with OpenSSL issues and releases. The version can be checked by looking at the version of openssl-src that we depend upon. Currently this is 111.22.0+1.1.1q. This is the latest version; also check the Vulnerabilities page.

---

Verified by inspection that rustls and ring are no longer present in Cargo.lock.

Current dynamic library dependencies are:

$ ldd ./onefuzz-agent 
        linux-vdso.so.1 (0x00007ffd9ba60000)
        libunwind.so.8 => /lib/x86_64-linux-gnu/libunwind.so.8 (0x00007ff5ab5e5000)
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007ff5ac1d1000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007ff5ac1cc000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007ff5ab4fe000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff5ac1c7000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff5ab2d4000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ff5ac1dc000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007ff5ab2a9000)

[codecov-commenter]

Codecov Report

Merging #2423 (0e3b4be) into main (c46c6be) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #2423   +/-   ##
=======================================
  Coverage   29.98%   29.98%           
=======================================
  Files         289      289           
  Lines       35504    35504           
=======================================
  Hits        10645    10645           
  Misses      24859    24859           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.