Skip to content

Commit c4e191d

Browse files
duncanistaduncanista
committed
perf(deps): drop aws-lc-rs from non-FIPS builds, use ring backend
Bottlecap previously enabled `rustls/aws-lc-rs` directly AND pulled ring transitively via `libdd-common/https`, so default builds linked both crypto backends and shipped ~1.5 MiB of unused machine code (aws-lc-sys alone is ~543 KiB stripped per cargo-bloat). Switch to a single provider per mode: * default: ring (the libdatadog default — comes via libdd-common/https → rustls/ring + hyper-rustls/ring). * fips: aws-lc-rs (FIPS-validated — comes via rustls/fips + libdd-common/fips → hyper-rustls/fips). Drops the hardcoded `aws-lc-rs` feature on the rustls direct dep and makes the explicit `default_provider().install_default()` calls in http_client.rs and trace_processor.rs cfg-conditional on the bottlecap `fips` feature. Verified via `cargo tree`: * `--features default`: ring ✓ pulled, aws-lc-rs ✗ absent * `--no-default-features --features fips`: aws-lc-rs ✓ pulled, ring ✗ absent Production layer build (arm64, non-FIPS): bottlecap stripped: 11,709,896 → 10,137,032 B (−1,572,864 B, −13.4%) layer zip: 5,324,844 → 4,528,013 B ( −796,831 B, −15.0%)
1 parent 3d4c862 commit c4e191d

3 files changed

Lines changed: 13 additions & 4 deletions

File tree

bottlecap/Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,7 @@ hmac = { version = "0.12", default-features = false }
4040
sha2 = { version = "0.10", default-features = false }
4141
hex = { version = "0.4", default-features = false, features = ["std"] }
4242
base64 = { version = "0.22", default-features = false }
43-
rustls = { version = "0.23.18", default-features = false, features = ["aws-lc-rs"] }
43+
rustls = { version = "0.23.18", default-features = false }
4444
# Transitive via rustls. Pinned to >=0.103.13 so cargo audit passes (RUSTSEC-2026-0098, RUSTSEC-2026-0099, RUSTSEC-2026-0104).
4545
rustls-webpki = { version = "0.103.13", default-features = false }
4646
rustls-pemfile = { version = "2.0", default-features = false, features = ["std"] }

bottlecap/src/traces/http_client.rs

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -79,10 +79,16 @@ impl HttpClientTrait for HttpClient {
7979
/// Initialize the crypto provider needed for setting custom root certificates.
8080
fn ensure_crypto_provider_initialized() {
8181
static INIT_CRYPTO_PROVIDER: LazyLock<()> = LazyLock::new(|| {
82+
// FIPS builds use the FIPS-validated aws-lc-rs provider, non-FIPS
83+
// builds use ring (the libdatadog default). Pick based on the bottlecap
84+
// `fips` feature so we never pull both crypto backends into the binary.
85+
#[cfg(all(unix, feature = "fips"))]
86+
let provider = rustls::crypto::aws_lc_rs::default_provider();
87+
#[cfg(all(unix, not(feature = "fips")))]
88+
let provider = rustls::crypto::ring::default_provider();
89+
8290
#[cfg(unix)]
83-
if let Err(_already_installed) =
84-
rustls::crypto::aws_lc_rs::default_provider().install_default()
85-
{
91+
if let Err(_already_installed) = provider.install_default() {
8692
debug!(
8793
"HTTP_CLIENT | Default CryptoProvider already installed, using existing provider"
8894
);

bottlecap/src/traces/trace_processor.rs

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -637,7 +637,10 @@ mod tests {
637637
#[allow(clippy::unwrap_used)]
638638
#[cfg_attr(miri, ignore)]
639639
async fn test_process_trace() {
640+
#[cfg(feature = "fips")]
640641
let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
642+
#[cfg(not(feature = "fips"))]
643+
let _ = rustls::crypto::ring::default_provider().install_default();
641644
let start = get_current_timestamp_nanos();
642645

643646
let tags_provider = create_tags_provider(create_test_config());

0 commit comments

Comments
 (0)