Replace ring with aws-lc-rs #2112
19e7cb2 to 691923b
I believe the only thing left here before marking the PR as ready for review, is a published release of Or do you want the
Since I didn't make I am still working on refactoring the project. After that please update this PR with the latest master.
Switches the cryptographic backend so that ring is no longer pulled into shadowsocks-rust on any supported target.

* shadowsocks-crypto: use the new faster-crypto feature (aws-lc-rs) in place of the now removed ring feature, and patch crates-io to the local crate while a release with this change is unpublished.
* tokio-rustls: select the aws_lc_rs provider instead of ring.
* hickory-resolver: use tls-aws-lc-rs, https-aws-lc-rs and h3-aws-lc-rs in place of the *-ring variants.

Verified with cargo tree -i ring on x86_64-unknown-linux-gnu, aarch64-apple-darwin and x86_64-pc-windows-msvc that ring is no longer reachable. The only remaining ring path is via quinn-proto on wasm32-unknown-unknown, which aws-lc-rs cannot target and which shadowsocks does not support.
691923b to 288afba
Yes, the ring features on Good luck with the refactoring. I hope you are not aiming to do too big stuff, that might stall a ring-free release 🙏. I will rebase this when I see updates.
Ring is unmaintained. Even if there are no known vulnerabilities in it, it's a risk to depend on it. Since it's unmaintained it probably gets fewer eyes on it studying if it's correctly implemented. If something bad is found in ring it's going to be harder to patch compared to if we use a more maintained crypto implementation.

aws-lc-rs is more maintained and seems to be what most move towards. aws-lc-rs exposes more cryptographic primitives that ring does not have. Even if shadowsocks itself does not need these newer things, downstream users of shadowsocks might (we are one of those!) and they probably don't want to have both ring and aws-lc-rs in their dependency trees as it blows up both compile time and binary size.

Luckily it seems pretty easy to migrate all of shadowsocks to aws-lc-rs, as you can see in this PR. It just depends on shadowsocks/shadowsocks-crypto#24 being merged and published first.
I have not tested this on Windows myself. I hope the CI is good enough.
This PR builds on top of #2111, because I wanted the CI to be as clean as possible in order to catch any issues this PR might introduce. So please merge that cleanup PR first, then I can rebase this.
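
An added example, not part of this PR or the shadowsocks-rust repository: a CI guard that automates the `cargo tree -i ring` check from the commit message across the three targets it names, so a later dependency bump cannot quietly pull ring back in. Passing `--target` to query each triple from one host, the function names, and the matched cargo message wording are assumptions.

```shell
#!/bin/sh
# Added example: fail the build when `ring` is reachable for any listed target.
# TARGETS are the three triples named in the commit message.
TARGETS="x86_64-unknown-linux-gnu aarch64-apple-darwin x86_64-pc-windows-msvc"

# classify_tree STATUS STDOUT STDERR -> prints "present", "absent" or "unknown".
# Works on captured output, so it can be exercised without cargo installed.
classify_tree() {
    status=$1 out=$2 err=$3
    # An inverted tree starts with the queried package itself: "ring vX.Y.Z".
    if printf '%s\n' "$out" | grep -Eq '^ring v[0-9]'; then
        echo present
    elif [ "$status" -eq 0 ]; then
        # Exit 0 but no tree printed: nothing depends on ring for this target.
        echo absent
    elif printf '%s\n' "$err" | grep -q 'did not match any packages'; then
        # Assumed cargo wording when ring is not in the lockfile at all.
        echo absent
    else
        # Ambiguous spec (two ring versions), resolver or network failure:
        # never report success on an error we do not recognise.
        echo unknown
    fi
}

# check_no_ring: query every target; returns non-zero unless all are "absent".
check_no_ring() {
    rc=0
    for t in $TARGETS; do
        err_file=$(mktemp)
        out=$(cargo tree -i ring --target "$t" 2>"$err_file") && status=0 || status=$?
        verdict=$(classify_tree "$status" "$out" "$(cat "$err_file")")
        rm -f "$err_file"
        echo "$t: ring $verdict"
        [ "$verdict" = absent ] || rc=1
    done
    return "$rc"
}

# Only touch cargo when invoked as `sh check-ring.sh run` (hypothetical file name).
if [ "${1:-}" = run ]; then check_no_ring; fi
```

An "unknown" verdict fails the check on purpose: two ring versions in the lockfile make the bare `ring` spec ambiguous, and that error must not be read as "ring is gone".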