82 changes: 76 additions & 6 deletions Cargo.lock

39 changes: 30 additions & 9 deletions shadowquic/Cargo.toml
@@ -9,7 +9,27 @@ description = { workspace = true }
license = { workspace = true}
readme = { workspace = true}
[features]
default = ["shadowquic-quinn", "sunnyquic-iroh-quinn"]
default = ["shadowquic-quinn", "sunnyquic-iroh-quinn", "ring"]
ring = [
"dep:ring",
"quinn?/rustls-ring",
"quinn_proto?/rustls-ring",
"rustls_jls?/ring",
"iroh-quinn?/rustls-ring",
"iroh-quinn-proto?/rustls-ring",
"rustls?/ring",
"rcgen/ring",
]
aws-lc-rs = [
"dep:aws-lc-rs",
"quinn?/rustls-aws-lc-rs",
"quinn_proto?/rustls-aws-lc-rs",
"rustls_jls?/aws_lc_rs",
"iroh-quinn?/rustls-aws-lc-rs",
"iroh-quinn-proto?/rustls-aws-lc-rs",
"rustls?/aws-lc-rs",
"rcgen/aws_lc_rs",
]
tokio-console = ["dep:console-subscriber","tokio/tracing"]
shadowquic-quinn = ["dep:quinn","dep:rustls_jls", "dep:quinn_proto"]
sunnyquic-gm-quic = ["dep:gm-quic","dep:qevent","dep:qbase","dep:qunreliable", "dep:rustls","dep:rustls-native-certs","dep:arc-swap","dep:notify"]
@@ -22,14 +42,14 @@ tokio = {version = "1.49.0", features = ["io-util", "net","rt","macros","rt-mult
tracing = "0.1.44"
time = { version = "0.3.47", features = ["macros", "local-offset"] }
tracing-subscriber = { version = "0.3.22", features = ["env-filter", "fmt", "ansi", "time", "local-time"]}
quinn = { package = "quinn-jls", version = "0.3.3", default-features = false, features = ["runtime-tokio", "rustls-ring"],optional = true}
quinn_proto = { package = "quinn-proto-jls", version = "0.3.3", default-features = false, features = ["rustls-ring"],optional = true}
quinn = { package = "quinn-jls", version = "0.3.3", default-features = false, features = ["runtime-tokio"], optional = true}
quinn_proto = { package = "quinn-proto-jls", version = "0.3.3", default-features = false, optional = true}

#brutal-core = { git = "https://github.com/hrimfaxi/brutal_quinn.git", branch = "master" }
brutal-core = { version = "0.1.0" }
rustls_jls = { package = "rustls-jls", version = "1.3.1", default-features = false, features = ["std","ring"],optional = true}
rustls_jls = { package = "rustls-jls", version = "1.3.1", default-features = false, features = ["std"], optional = true}

rcgen = { version = "0.14", default-features = false, features = ["crypto","ring"] }
rcgen = { version = "0.14", default-features = false, features = ["crypto"] }
bytes = "1.11.0"
async-trait = "0.1.89"
webpki-roots = "1.0.5"
@@ -44,22 +64,23 @@ gm-quic = { version = "0.4", default-features = false, optional = true}
qevent = { version = "0.4", default-features = false, optional = true}
qbase = { version = "0.4", default-features = false, optional = true}
qunreliable = { version = "0.4", default-features = false, optional = true}
rustls = { version = "0.23", default-features = false, features = ["std","ring"], optional = true}
rustls = { version = "0.23", default-features = false, features = ["std"], optional = true}
rustls-native-certs = {version = "0.8.3", optional = true}

# iroh-quinn = { git = "https://github.com/hrimfaxi/iroh_quinn", branch = "main", package = "noq", optional = true, default-features = false, features = ["rustls-ring", "runtime-tokio"] }
# iroh-quinn-proto = { git = "https://github.com/hrimfaxi/iroh_quinn", branch = "main", package = "noq-proto", optional = true, default-features = false, features = ["rustls-ring"] }

iroh-quinn ={ version = "0.16.1",optional = true, default-features = false, features = ["rustls-ring","runtime-tokio"]}
iroh-quinn-proto ={ version = "0.15.1",optional = true, default-features = false, features = ["rustls-ring"]}
iroh-quinn ={ version = "0.16.1",optional = true, default-features = false, features = ["runtime-tokio"]}
iroh-quinn-proto ={ version = "0.15.1",optional = true, default-features = false}


notify = { version = "8.2.0", features = ["serde"], optional = true}
arc-swap = { version = "1.8.1", optional = true }

console-subscriber = { version = "0.5.0", optional = true }
serde-saphyr = "0.0.18"
ring = "0.17.14"
aws-lc-rs = { version = "1", optional = true, default-features = false }
ring = { version = "0.17.14", optional = true }

[target.'cfg(target_os="android")'.dependencies]
sendfd = { version = "0.4.4", features = ["tokio"] }
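Review bot: Because `default` now lists `ring`, a build that only adds `--features aws-lc-rs` turns on both backends at once: the Rust code in this change then selects aws-lc-rs, but ring and the dependencies' ring features are still compiled and linked into the binary. With both rustls features enabled, rustls also cannot infer a process-default provider from crate features, so any `builder()` call that does not pass an explicit provider would need one installed first (no such call is visible in this diff, so this is something to check rather than a confirmed defect). I would document the intended usage above the two feature tables, for example `# Crypto backend: enable exactly one of ring / aws-lc-rs; for aws-lc-rs build with --no-default-features`. `ring` also moved from an unconditional to an optional dependency, so any direct `ring::` use outside the files shown needs a cfg gate.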
13 changes: 8 additions & 5 deletions shadowquic/src/shadowquic/quinn_wrapper/wrapper.rs
@@ -18,7 +18,10 @@ use quinn::rustls::ServerConfig as RustlsServerConfig;

use quinn::crypto::rustls::{QuicClientConfig, QuicServerConfig};

use quinn::rustls::crypto::ring;
#[cfg(feature = "aws-lc-rs")]
use quinn::rustls::crypto::aws_lc_rs as crypto_provider;
#[cfg(all(feature = "ring", not(feature = "aws-lc-rs")))]
use quinn::rustls::crypto::ring as crypto_provider;

use crate::{
config::{
@@ -227,10 +230,10 @@ impl QuicClient for Endpoint {
fn to_quinn_cipher_suite(suite: &CipherSuitePreference) -> quinn::rustls::SupportedCipherSuite {
match suite {
CipherSuitePreference::Chacha20Poly1305 => {
ring::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256
crypto_provider::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256
}
CipherSuitePreference::Aes128Gcm => ring::cipher_suite::TLS13_AES_128_GCM_SHA256,
CipherSuitePreference::Aes256Gcm => ring::cipher_suite::TLS13_AES_256_GCM_SHA384,
CipherSuitePreference::Aes128Gcm => crypto_provider::cipher_suite::TLS13_AES_128_GCM_SHA256,
CipherSuitePreference::Aes256Gcm => crypto_provider::cipher_suite::TLS13_AES_256_GCM_SHA384,
}
}

@@ -244,7 +247,7 @@ pub fn gen_client_cfg(cfg: &ShadowQuicClientCfg) -> quinn::ClientConfig {
let builder = if let Some(cipher_suite_preference) = &cfg.cipher_suite_preference {
let normalized = normalize_cipher_suite_preference(cipher_suite_preference);

let mut provider = ring::default_provider();
let mut provider = crypto_provider::default_provider();
provider.cipher_suites = normalized.iter().map(to_quinn_cipher_suite).collect();

quinn::rustls::ClientConfig::builder_with_provider(Arc::new(provider))
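Review bot: When neither `ring` nor `aws-lc-rs` is enabled (for example `--no-default-features --features shadowquic-quinn`), neither `use ... as crypto_provider` line is compiled, so `to_quinn_cipher_suite` and `gen_client_cfg` fail with an unresolved-path error that does not say which feature is missing. The same pattern appears in sunnyquic/dynamic_cert.rs and sunnyquic/iroh_wrapper/wrapper.rs. One crate-level guard would make the requirement explicit: `#[cfg(not(any(feature = "ring", feature = "aws-lc-rs")))] compile_error!("enable the ring or aws-lc-rs feature");`. When both features are on, the cfg conditions silently prefer aws-lc-rs; a comment above the two imports such as `// aws-lc-rs takes precedence when both backends are enabled` would help anyone auditing which TLS backend a build uses. `gen_client_cfg` continues past the end of the last hunk, so its other branch is not reviewed here.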
4 changes: 4 additions & 0 deletions shadowquic/src/sunnyquic/dynamic_cert.rs
@@ -36,8 +36,12 @@ impl DynamicCertResolver {
.map_err(|x| SError::RustlsError(x.to_string()))?;

// Create CertifiedKey
#[cfg(all(feature = "ring", not(feature = "aws-lc-rs")))]
let key = rustls::crypto::ring::sign::any_supported_type(&priv_key)
.map_err(|_| SError::RustlsError("invalid private key".to_string()))?;
#[cfg(feature = "aws-lc-rs")]
let key = rustls::crypto::aws_lc_rs::sign::any_supported_type(&priv_key)
.map_err(|_| SError::RustlsError("invalid private key".to_string()))?;
let certified_key = CertifiedKey::new(cert_der, key);
Ok(certified_key)
}
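Review bot: The key-loading statement is now written twice under two cfg attributes, and the copies can drift apart. The wrapper files in this change alias the backend as `crypto_provider`; the same cfg-gated alias here would reduce the body to one statement, `let key = crypto_provider::sign::any_supported_type(&priv_key)`. Both copies also discard the underlying error with `|_|`, so a rejected key reports only "invalid private key". Carrying the error text through, as the `map_err` just above does with `x.to_string()`, would make an unsupported key type diagnosable, assuming the rustls error text contains no key material. The enclosing function starts outside this hunk.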
13 changes: 8 additions & 5 deletions shadowquic/src/sunnyquic/iroh_wrapper/wrapper.rs
@@ -13,9 +13,12 @@ use iroh_quinn::{
ClientConfig, MtuDiscoveryConfig, SendDatagramError, TransportConfig, VarInt,
congestion::{BbrConfig, CubicConfig, NewRenoConfig},
};
#[cfg(feature = "aws-lc-rs")]
use rustls::crypto::aws_lc_rs as crypto_provider;
#[cfg(all(feature = "ring", not(feature = "aws-lc-rs")))]
use rustls::crypto::ring as crypto_provider;
use rustls::{
RootCertStore,
crypto::ring,
pki_types::{CertificateDer, pem::PemObject},
};
use socket2::{Domain, Protocol, Socket, Type};
@@ -286,10 +289,10 @@ async fn add_extra_path(
fn to_rustls_cipher_suite(suite: &CipherSuitePreference) -> rustls::SupportedCipherSuite {
match suite {
CipherSuitePreference::Chacha20Poly1305 => {
ring::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256
crypto_provider::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256
}
CipherSuitePreference::Aes128Gcm => ring::cipher_suite::TLS13_AES_128_GCM_SHA256,
CipherSuitePreference::Aes256Gcm => ring::cipher_suite::TLS13_AES_256_GCM_SHA384,
CipherSuitePreference::Aes128Gcm => crypto_provider::cipher_suite::TLS13_AES_128_GCM_SHA256,
CipherSuitePreference::Aes256Gcm => crypto_provider::cipher_suite::TLS13_AES_256_GCM_SHA384,
}
}

@@ -312,7 +315,7 @@ pub fn gen_client_cfg(cfg: &SunnyQuicClientCfg) -> iroh_quinn::ClientConfig {

let builder = if let Some(cipher_suite_preference) = &cfg.cipher_suite_preference {
let normalized = normalize_cipher_suite_preference(cipher_suite_preference);
let mut provider = ring::default_provider();
let mut provider = crypto_provider::default_provider();
provider.cipher_suites = normalized.iter().map(to_rustls_cipher_suite).collect();

rustls::ClientConfig::builder_with_provider(Arc::new(provider))