feat: add support for aws-lc-rs alongside ring

Author: sshockwave

Cargo.toml

@@ -37,7 +37,7 @@ categories = ["network-programming"]
 rtc = { version = "0.20.0-alpha.1", path = "rtc" }
 signal = { version = "0.20.0-alpha.1", path = "examples/examples/signal", package = "rtc-signal" }
 datachannel = { version = "0.20.0-alpha.1", path = "rtc-datachannel", package = "rtc-datachannel" }
-dtls = { version = "0.20.0-alpha.1", path = "rtc-dtls", package = "rtc-dtls" }
+dtls = { version = "0.20.0-alpha.1", path = "rtc-dtls", package = "rtc-dtls", default-features = false }
 ice = { version = "0.20.0-alpha.1", path = "rtc-ice", package = "rtc-ice" }
 interceptor = { version = "0.20.0-alpha.1", path = "rtc-interceptor", package = "rtc-interceptor" }
 interceptor-derive = { version = "0.20.0-alpha.1", path = "rtc-interceptor-derive", package = "rtc-interceptor-derive" }
@@ -59,6 +59,7 @@ byteorder = "1.5.0"
 log = "0.4.29"
 rcgen = { version = "0.14.6", features = ["pem", "x509-parser"] }
 ring = "0.17.14"
+aws-lc-rs = { version = "1.17.0", default-features = false, features = ["aws-lc-sys"] }
 rand = "0.9.2"
 serde = { version = "1.0.228", features = ["derive"] }
 thiserror = "2.0.17"

rtc-dtls/Cargo.toml

@@ -32,8 +32,9 @@ x25519-dalek = { version = "2.0.1", features = ["static_secrets"] }
 x509-parser = "0.16.0"
 der-parser = "9.0.0"
 rcgen.workspace = true
-ring.workspace = true
-rustls = { version = "0.23.27", default-features = false, features = ["std", "ring"] }
+ring = { workspace = true, optional = true }
+aws-lc-rs = { workspace = true, optional = true }
+rustls = { version = "0.23.27", default-features = false, features = ["std"] }
 rkyv = "0.8"
 bytecheck = "0.8"
 subtle = "2.5.0"
@@ -52,7 +53,10 @@ ctrlc.workspace = true
 futures = "0.3.30"
 
 [features]
+default = ["ring"]
 pem = ["dep:pem"]
+ring = ["dep:ring", "rustls/ring"]
+aws-lc-rs = ["dep:aws-lc-rs", "rustls/aws-lc-rs"]
 
 #[[example]]
 #name = "dtls_chat_server"

rtc-dtls/src/crypto/mod.rs

@@ -191,6 +191,7 @@ impl Clone for CryptoPrivateKey {
                     EcdsaKeyPair::from_pkcs8(
                         &ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING,
                         &self.serialized_der,
+                        #[cfg(feature = "ring")]
                         &SystemRandom::new(),
                     )
                     .unwrap(),
@@ -232,6 +233,7 @@ impl CryptoPrivateKey {
                     EcdsaKeyPair::from_pkcs8(
                         &ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING,
                         &serialized_der,
+                        #[cfg(feature = "ring")]
                         &SystemRandom::new(),
                     )
                     .map_err(|e| Error::Other(e.to_string()))?,
@@ -276,7 +278,10 @@ pub(crate) fn generate_key_signature(
         }
         CryptoPrivateKeyKind::Rsa256(kp) => {
             let system_random = SystemRandom::new();
+            #[cfg(feature = "ring")]
             let mut signature = vec![0; kp.public().modulus_len()];
+            #[cfg(feature = "aws-lc-rs")]
+            let mut signature = vec![0; kp.public_modulus_len()];
             kp.sign(
                 &ring::signature::RSA_PKCS1_SHA256,
                 &system_random,
@@ -398,7 +403,10 @@ pub(crate) fn generate_certificate_verify(
         }
         CryptoPrivateKeyKind::Rsa256(kp) => {
             let system_random = SystemRandom::new();
+            #[cfg(feature = "ring")]
             let mut signature = vec![0; kp.public().modulus_len()];
+            #[cfg(feature = "aws-lc-rs")]
+            let mut signature = vec![0; kp.public_modulus_len()];
             kp.sign(
                 &ring::signature::RSA_PKCS1_SHA256,
                 &system_random,

rtc-dtls/src/lib.rs

@@ -26,6 +26,13 @@ pub mod state;
 use cipher_suite::*;
 use extension::extension_use_srtp::SrtpProtectionProfile;
 
+#[cfg(all(feature = "aws-lc-rs", feature = "ring"))]
+compile_error!("At most one of the features \"aws-lc-rs\" and \"ring\" can be enabled.");
+#[cfg(not(any(feature = "aws-lc-rs", feature = "ring")))]
+compile_error!("Exactly one of the features \"aws-lc-rs\" and \"ring\" must be enabled.");
+#[cfg(feature = "aws-lc-rs")]
+extern crate aws_lc_rs as ring;
+
 pub(crate) fn find_matching_srtp_profile(
     a: &[SrtpProtectionProfile],
     b: &[SrtpProtectionProfile],

rtc-stun/Cargo.toml

@@ -12,8 +12,10 @@ keywords.workspace = true
 categories.workspace = true
 
 [features]
-default = []
+default = ["ring"]
 bench = []
+ring = ["dep:ring"]
+aws-lc-rs = ["dep:aws-lc-rs"]
 
 [dependencies]
 shared = { workspace = true, default-features = false, features = [] }
@@ -26,7 +28,8 @@ rand.workspace = true
 base64 = "0.22.1"
 subtle = "2.5.0"
 crc = "3.0.1"
-ring.workspace = true
+ring = { workspace = true, optional = true }
+aws-lc-rs = { workspace = true, optional = true }
 md-5 = "0.10"
 
 [dev-dependencies]

rtc-stun/src/lib.rs

@@ -21,3 +21,10 @@ pub mod xoraddr;
 // IANA assigned ports for "stun" protocol.
 pub const DEFAULT_PORT: u16 = 3478;
 pub const DEFAULT_TLS_PORT: u16 = 5349;
+
+#[cfg(all(feature = "aws-lc-rs", feature = "ring"))]
+compile_error!("At most one of the features \"aws-lc-rs\" and \"ring\" can be enabled.");
+#[cfg(not(any(feature = "aws-lc-rs", feature = "ring")))]
+compile_error!("Exactly one of the features \"aws-lc-rs\" and \"ring\" must be enabled.");
+#[cfg(feature = "aws-lc-rs")]
+extern crate aws_lc_rs as ring;

rtc/Cargo.toml

@@ -34,9 +34,10 @@ log.workspace = true
 serde = "1"
 serde_json = { version = "1", features = [] }
 rcgen.workspace = true
-ring.workspace = true
+ring = { workspace = true, optional = true }
+aws-lc-rs = { workspace = true, optional = true }
 sha2 = "0.10"
-rustls = { version = "0.23.35", default-features = false, features = ["std", "ring"] }
+rustls = { version = "0.23.35", default-features = false, features = ["std"] }
 url = { version = "2", features = [] }
 hex = { version = "0.4", features = [] }
 pem = { version = "3", optional = true }
@@ -50,6 +51,10 @@ env_logger.workspace = true
 anyhow = "1"
 
 [features]
+default = ["ring"]
 pem = ["dep:pem", "dtls/pem"]
 openssl = ["srtp/openssl"]
 vendored-openssl = ["srtp/vendored-openssl"]
+ring = ["dep:ring", "dtls/ring", "rustls/ring"]
+aws-lc-rs = ["dep:aws-lc-rs", "dtls/aws-lc-rs", "rustls/aws-lc-rs"]
+__testing = []

rtc/src/lib.rs

@@ -663,3 +663,10 @@ pub mod media_stream;
 pub mod peer_connection;
 pub mod rtp_transceiver;
 pub mod statistics;
+
+#[cfg(all(feature = "aws-lc-rs", feature = "ring"))]
+compile_error!("At most one of the features \"aws-lc-rs\" and \"ring\" can be enabled.");
+#[cfg(not(any(feature = "aws-lc-rs", feature = "ring")))]
+compile_error!("Exactly one of the features \"aws-lc-rs\" and \"ring\" must be enabled.");
+#[cfg(feature = "aws-lc-rs")]
+extern crate aws_lc_rs as ring;

rtc/src/peer_connection/certificate/mod.rs

@@ -188,6 +188,7 @@ use std::time::{Duration, SystemTime};
 
 use dtls::crypto::{CryptoPrivateKey, CryptoPrivateKeyKind};
 use rcgen::{CertificateParams, KeyPair};
+#[cfg(feature = "ring")]
 use ring::rand::SystemRandom;
 use ring::rsa;
 use ring::signature::{EcdsaKeyPair, Ed25519KeyPair};
@@ -358,6 +359,7 @@ impl RTCCertificate {
                     EcdsaKeyPair::from_pkcs8(
                         &ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING,
                         &serialized_der,
+                        #[cfg(feature = "ring")]
                         &SystemRandom::new(),
                     )
                     .map_err(|e| Error::Other(e.to_string()))?,

rtc/src/peer_connection/transport/dtls/mod.rs

@@ -119,6 +119,15 @@ impl RTCDtlsTransport {
             return Err(Error::ErrInvalidDTLSStart);
         }
 
+        // When testing with `aws-lc-rs`,
+        // the `webrtc` interop tests uses `ring` for its crypto provider,
+        // so we need to choose one of them to avoid conflicts.
+        // We need a custom feature because
+        // `#[cfg(test)]` is not propagated to this crate in integration tests.
+        #[cfg(all(feature = "__testing", feature = "aws-lc-rs"))]
+        let _ = rustls::crypto::aws_lc_rs::default_provider()
+            .install_default();
+
         self.dtls_role = self.derive_role(ice_role, remote_dtls_parameters.role);
 
         let remote_fingerprints = remote_dtls_parameters.fingerprints;