Switches the cryptographic backend so that ring is no longer pulled into shadowsocks-rust on any supported target.

* shadowsocks-crypto: use the new faster-crypto feature (aws-lc-rs) in place of the now removed ring feature, and patch crates-io to the local crate while a release with this change is unpublished.
* tokio-rustls: select the aws_lc_rs provider instead of ring.
* hickory-resolver: use tls-aws-lc-rs, https-aws-lc-rs and h3-aws-lc-rs in place of the *-ring variants.

Verified with cargo tree -i ring on x86_64-unknown-linux-gnu, aarch64-apple-darwin and x86_64-pc-windows-msvc that ring is no longer reachable. The only remaining ring path is via quinn-proto on wasm32-unknown-unknown, which aws-lc-rs cannot target and which shadowsocks does not support.
39095a9 to 82f0cb7
Move the shadowsocks-crypto override from a [patch.crates-io] section in the workspace root to a direct git dependency in the shadowsocks crate. This avoids the patch mechanism and makes the dependency source explicit where it is declared.
Ring is unmaintained. Even if there are no known vulnerabilities in it, it's a risk to depend on it. Since it's unmaintained it probably gets fewer eyes on it studying if it's correctly implemented. If something bad is found in `ring` it's going to be harder to patch compared to if we use a more maintained crypto implementation. `aws-lc-rs` is more maintained and seems to be what most move towards. `aws-lc-rs` exposes more cryptographic primitives that `ring` does not have. Even if `shadowsocks` itself does not need these newer things, downstream users of `shadowsocks` might (we are one of those!) and they probably don't want to have both ring and aws-lc-rs in their dependency trees as it blows up both compile time and binary size.

Luckily it seems pretty easy to migrate all of shadowsocks to aws-lc-rs, as you can see in this PR. It just depends on shadowsocks/shadowsocks-crypto#24 being merged and published first.
I have not tested this on Windows myself. I hope the CI is good enough.
This PR builds on top of #2111, because I wanted the CI to be as clean as possible in order to catch any issues this PR might introduce. So please merge that cleanup PR first, then I can rebase this.
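The dependency declarations the two commit messages describe, written out as an added illustration rather than the PR's own Cargo.toml: each line carries the aws-lc-rs selection, with the ring-backed selection it replaces in a trailing comment. The `<version>` placeholders, the git URL and the `branch` value are assumptions; the feature names are the ones named in the commits.

```toml
# Added example, not the shadowsocks-rust Cargo.toml. Shows the aws-lc-rs
# backend selection from the PR next to the ring-backed lines it replaces.
# Versions, the git URL and the branch are placeholders.

[dependencies]

# The `ring` feature was removed upstream; `faster-crypto` selects aws-lc-rs.
# A git source replaces the earlier [patch.crates-io] override until a
# release containing the change is published (git URL and branch assumed).
# was: shadowsocks-crypto = { version = "<version>", features = ["ring"] }
shadowsocks-crypto = { git = "https://github.com/shadowsocks/shadowsocks-crypto", branch = "master", features = ["faster-crypto"] }

# tokio-rustls: pick the aws_lc_rs provider so rustls never links ring.
# was: tokio-rustls = { version = "<version>", default-features = false, features = ["ring"] }
tokio-rustls = { version = "<version>", default-features = false, features = ["aws_lc_rs"] }

# hickory-resolver: the *-ring feature variants each pull ring in via the
# TLS, DNS-over-HTTPS and DNS-over-HTTP/3 transports; use the aws-lc-rs ones.
# was: features = ["tls-ring", "https-ring", "h3-ring"]
hickory-resolver = { version = "<version>", default-features = false, features = ["tls-aws-lc-rs", "https-aws-lc-rs", "h3-aws-lc-rs"] }
```

With all three lines switched, the check from the first commit message, `cargo tree -i ring --target <triple>` on each supported target, should find no `ring` package to invert; wasm32-unknown-unknown remains the documented exception via quinn-proto.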