Commit 5b6dffc

fix(crypto): use ring for non-fips builds (#1816)
## What does this PR do?
Switches the default (non-FIPS) crypto backend for rustls from `aws-lc-rs` to `ring` across all platforms, and changes reqwest's TLS feature from `rustls` to `rustls-no-provider` to prevent reqwest from forcing `aws-lc-rs` back into the dependency tree.
### Changes
- `libdd-common/Cargo.toml`: Removed `cfg(unix)`/`cfg(not(unix))` platform-specific rustls/hyper-rustls deps. Both now use `ring` unconditionally. Switched reqwest feature from `rustls` to `rustls-no-provider`. Pinned `rustls-native-certs` to `<0.8.3`.
- `libdd-common/src/connector/mod.rs`: Simplified `ensure_crypto_provider_initialized()` to always install ring's provider, removing platform `#[cfg]` branches.
- `libdd-profiling/Cargo.toml`: Same — removed platform split for rustls, unified on `ring`. Switched reqwest to `rustls-no-provider`.
- `libdd-profiling/src/exporter/tls.rs`: Simplified `default_crypto_provider()` to always return ring's provider.
- `libdd-http-client/Cargo.toml`: Switched `https` feature from `reqwest?/rustls` to `reqwest?/rustls-no-provider`. Added `rustls` with `ring` as dev-dependency for tests.
- Test files: Added explicit `ensure_crypto_provider()` calls in `libdd-common/tests/reqwest_builder_test.rs` and all `libdd-http-client` test files, since `rustls-no-provider` does not auto-install a crypto provider.
FIPS builds are unchanged — `hyper-rustls/fips` continues to activate `aws-lc-rs` as the FIPS-certified backend.
## Motivation
Reduce binary size by eliminating `aws-lc-sys` (a large C crypto library) from non-FIPS builds.
**Measured binary size reduction (macOS arm64, release profile):**
| Artifact | Before (aws-lc-rs) | After (ring) | Savings |
|---|---|---|---|
| `libdatadog_profiling_ffi.dylib` | 9.0 MB | 7.8 MB | **1.2 MB (13%)** |
| `libdatadog_profiling_ffi.a` | 154 MB | 145 MB | **9 MB (6%)** |
The `.a` percentage is smaller because it contains all object files before link-time dead-code elimination. The `.dylib` reflects actual linked output where the crypto portion is a larger share of the total.
Additionally, reqwest 0.13's `rustls` feature implicitly enables `__rustls-aws-lc-rs`, which forces `aws-lc-rs` into the tree regardless of what the consumer configures on rustls directly. This made it impossible to use ring-only builds without switching to `rustls-no-provider`. As a side effect, this also drops the `quinn`/QUIC HTTP/3 stack (`quinn`, `quinn-proto`, `quinn-udp`, `lru-slab`, `web-time`) from the dependency tree, which was being pulled in by reqwest's `rustls` feature but never used.
This is the first step in a cross-repo effort to standardize on `ring` for non-FIPS and `aws-lc-rs` for FIPS-only across libdatadog and its downstream consumers.
## Additional Notes
- `rustls-platform-verifier` in `libdd-profiling` is intentionally kept — it's there for the cert-caching performance fix (PR #1619), not for crypto backend selection.
- `rustls-native-certs` is pinned to `>=0.8.1, <0.8.3` — version 0.8.3+ pulls in `openssl-probe@0.2` which probes multiple certificate directories and parses individual cert files instead of loading a single bundle, adding unnecessary I/O overhead in latency-sensitive environments.
- The previous `cfg(unix)`/`cfg(not(unix))` split existed because `aws-lc-rs` had build issues on Windows. Since we're now using `ring` everywhere, the platform split is no longer necessary.
- FIPS provider initialization remains the caller's responsibility — `ensure_crypto_provider_initialized()` is a no-op when the `fips` feature is enabled, and the caller must install the FIPS-compliant provider (e.g., `aws-lc-rs` FIPS) before any TLS connections. This is existing behavior, unchanged by this PR.
## How to test the change?
- Verify `aws-lc-rs` is absent from the default dependency tree:
```shell
cargo tree --workspace -i aws-lc-rs
# Expected: "error: package ID specification `aws-lc-rs` did not match any packages"
```
- Verify `ring` is the sole crypto backend:
```shell
cargo tree --workspace -i ring
# Expected: ring present, used by rustls -> hyper-rustls -> libdd-common / libdd-profiling
```
- Verify FIPS builds still pull in `aws-lc-rs`:
```shell
cargo tree -p libdd-common --features fips -i aws-lc-rs
# Expected: aws-lc-rs present via hyper-rustls/fips
```
- Verify full workspace compiles:
```shell
cargo check --workspace
cargo check -p libdd-common --features fips
```
- Verify `rustls-native-certs` stays below 0.8.3:
```shell
cargo tree -p rustls-native-certs
# Expected: v0.8.1 or v0.8.2
```
Co-authored-by: jordan.gonzalez <jordan.gonzalez@datadoghq.com>

Parent commit: 2022fe0
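The "How to test the change?" steps above are manual. As an added example, not code from this PR or from the libdatadog project, the script below turns them into CI-style assertions so a later dependency bump cannot silently reintroduce `aws-lc-rs` into non-FIPS builds or move `rustls-native-certs` past the pin. The `check` functions read `cargo tree` output from stdin, so they can be exercised on the constructed sample trees embedded here; `run_all` is the only part that invokes cargo. It assumes the `cargo tree` output shape (a `<crate> vX.Y.Z` root line, nested nodes prefixed with box-drawing characters) and that `cargo tree -i <crate>` prints nothing on stdout when the crate is absent. The crate versions in the samples are constructed placeholders, except the `rustls-native-certs` versions, which match the pin described in the PR.

```shell
#!/bin/sh
# Added example (not part of the PR): dependency-invariant checks for CI.
# The tree_*/crate_*/check_* functions inspect `cargo tree` text on stdin;
# run_all wires them to the real cargo commands listed in the PR description.

# Exit 0 when crate $1 appears as a node ("<crate> vX.Y.Z") anywhere in the
# tree read from stdin. Tree prefixes such as "└──" are separate awk fields,
# so nested nodes and the root line are handled alike.
tree_has_crate() {
    awk -v c="$1" 'BEGIN { f = 1 }
        { for (i = 1; i < NF; i++) if ($i == c && $(i + 1) ~ /^v[0-9]/) f = 0 }
        END { exit f }'
}

# Exit 0 when crate $1 is absent. `cargo tree -i <crate>` prints only an error
# on stderr (empty stdout) when nothing in the graph depends on the crate.
tree_lacks_crate() {
    ! tree_has_crate "$1"
}

# Print the version (without the leading "v") of the first node for crate $1.
crate_version() {
    awk -v c="$1" '{ for (i = 1; i < NF; i++)
        if ($i == c && $(i + 1) ~ /^v[0-9]/) { sub(/^v/, "", $(i + 1)); print $(i + 1); exit } }'
}

# Exit 0 when semver $1 < $2, comparing major.minor.patch numerically.
# Any pre-release suffix on the patch component is ignored.
version_lt() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}; a3=${a3%%[!0-9]*}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}; b3=${b3%%[!0-9]*}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# Exit 0 when the rustls-native-certs node on stdin satisfies the PR's pin
# ">=0.8.1, <0.8.3" (0.8.3+ pulls in openssl-probe@0.2 and its extra I/O).
check_native_certs_pinned() {
    v=$(crate_version rustls-native-certs)
    [ -n "$v" ] && version_lt "$v" 0.8.3 && ! version_lt "$v" 0.8.1
}

# Constructed sample trees (versions are placeholders, not real crate versions),
# so the checks can be exercised without a cargo workspace.
SAMPLE_RING_TREE='ring v0.0.0-sample
└── rustls v0.0.0-sample
    └── hyper-rustls v0.0.0-sample
        ├── libdd-common v0.0.0-sample
        └── libdd-profiling v0.0.0-sample'

SAMPLE_FIPS_TREE='aws-lc-rs v0.0.0-sample
└── rustls v0.0.0-sample
    └── hyper-rustls v0.0.0-sample
        └── libdd-common v0.0.0-sample'

SAMPLE_CERTS_TREE='rustls-native-certs v0.8.2
├── rustls-pki-types v0.0.0-sample
└── rustls-pemfile v0.0.0-sample'

# Run the PR's five manual checks against the real workspace (needs cargo).
run_all() {
    cargo tree --workspace -i aws-lc-rs 2>/dev/null | tree_lacks_crate aws-lc-rs \
        || { echo "FAIL: aws-lc-rs present in default (non-FIPS) tree"; return 1; }
    cargo tree --workspace -i ring | tree_has_crate ring \
        || { echo "FAIL: ring missing from default tree"; return 1; }
    cargo tree -p libdd-common --features fips -i aws-lc-rs | tree_has_crate aws-lc-rs \
        || { echo "FAIL: aws-lc-rs missing from FIPS tree"; return 1; }
    cargo tree -p rustls-native-certs | check_native_certs_pinned \
        || { echo "FAIL: rustls-native-certs outside >=0.8.1, <0.8.3"; return 1; }
    cargo check --workspace && cargo check -p libdd-common --features fips \
        || { echo "FAIL: workspace does not compile"; return 1; }
    echo "all crypto-backend invariants hold"
}

# Invoke as `sh check_crypto_deps.sh run` from the workspace root.
[ "${1:-}" = "run" ] && run_all
```

The checks deliberately parse `cargo tree` output rather than `Cargo.lock`, because the lock file also lists crates that only FIPS or dev profiles activate; `cargo tree --workspace` with default features is what the non-FIPS release binary actually links.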
18 files changed
Lines changed: 144 additions & 207 deletions
File tree
- libdd-common
- src/connector
- tests
- libdd-http-client
- src
- tests
- libdd-profiling
- src/exporter