Modularize rustls as work towards providers

joshuamegnauth54 · joshuamegnauth54 · commit 26e4d8fca1ce · 2026-04-22T20:47:53.000-04:00
`rustls`'s architecture is very clean and trait-driven. There are many providers for `rustls` including the built-in `aws-lc-rs` and `ring` as well as backends for `boringssl`, `graviola`, `openssl`, `mbedtls`, etc. This commit removes the hard dependency on `aws-lc-rs` and adds support for `ring`. It works towards #7059 as well.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -22,7 +22,8 @@ jit = ["rustpython-vm/jit"]
 threading = ["rustpython-vm/threading", "rustpython-stdlib/threading"]
 sqlite = ["rustpython-stdlib/sqlite"]
 ssl = []
-ssl-rustls = ["ssl", "rustpython-stdlib/ssl-rustls"]
+ssl-rustls = ["ssl", "rustpython-stdlib/ssl-rustls-aws-lc-rs"]
+ssl-rustls-ring = ["ssl", "rustpython-stdlib/ssl-rustls-ring"]
 ssl-openssl = ["ssl", "rustpython-stdlib/ssl-openssl"]
 ssl-vendor = ["ssl-openssl", "rustpython-stdlib/ssl-vendor"]
 tkinter = ["rustpython-stdlib/tkinter"]
diff --git a/crates/stdlib/Cargo.toml b/crates/stdlib/Cargo.toml
@@ -18,13 +18,16 @@ threading = ["rustpython-common/threading", "rustpython-vm/threading"]
 sqlite = ["dep:libsqlite3-sys"]
 # SSL backends - default to rustls
 ssl = []
-ssl-rustls = ["ssl", "rustls", "rustls-native-certs", "rustls-pemfile", "rustls-platform-verifier", "x509-cert", "x509-parser", "der", "pem-rfc7468", "webpki-roots", "aws-lc-rs", "oid-registry", "pkcs8"]
-ssl-rustls-fips = ["ssl-rustls", "aws-lc-rs/fips"]
+ssl-rustls-aws-lc-rs = ["ssl", "__ssl-rustls", "rustls/aws_lc_rs"]
+ssl-rustls-fips = ["ssl-rustls-aws-lc-rs", "rustls/fips"]
+ssl-rustls-ring = ["ssl", "__ssl-rustls", "rustls/ring"]
 ssl-openssl = ["ssl", "openssl", "openssl-sys", "foreign-types-shared", "openssl-probe"]
 ssl-vendor = ["ssl-openssl", "openssl/vendored"]
 tkinter = ["dep:tk-sys", "dep:tcl-sys", "dep:widestring"]
 flame-it = ["flame"]
 
+__ssl-rustls = ["ssl", "rustls", "rustls-native-certs", "rustls-pemfile", "rustls-platform-verifier", "x509-cert", "x509-parser", "der", "pem-rfc7468", "webpki-roots", "oid-registry", "pkcs8"] 
+
 [dependencies]
 # rustpython crates
 rustpython-derive = { workspace = true }
@@ -122,7 +125,7 @@ openssl-probe = { version = "0.2.1", optional = true }
 foreign-types-shared = { version = "0.1.1", optional = true }
 
 # Rustls dependencies (optional, for ssl-rustls feature)
-rustls = { version = "0.23.37", default-features = false, features = ["std", "tls12", "aws_lc_rs"], optional = true }
+rustls = { version = "0.23.37", default-features = false, features = ["std", "tls12"], optional = true }
 rustls-native-certs = { version = "0.8", optional = true }
 rustls-pemfile = { version = "2.2", optional = true }
 rustls-platform-verifier = { version = "0.6", optional = true }
@@ -131,7 +134,6 @@ x509-parser = { version = "0.18", optional = true }
 der = { version = "0.7", features = ["alloc", "oid"], optional = true }
 pem-rfc7468 = { version = "1.0", features = ["alloc"], optional = true }
 webpki-roots = { version = "1.0", optional = true }
-aws-lc-rs = { version = "1.16.2", optional = true }
 oid-registry = { version = "0.8", features = ["x509", "pkcs1", "nist_algs"], optional = true }
 pkcs8 = { version = "0.10", features = ["encryption", "pkcs5", "pem"], optional = true }
 
diff --git a/crates/stdlib/src/lib.rs b/crates/stdlib/src/lib.rs
@@ -106,11 +106,13 @@ mod openssl;
 #[cfg(all(
     feature = "host_env",
     not(target_arch = "wasm32"),
-    feature = "ssl-rustls"
+    feature = "__ssl-rustls"
 ))]
 mod ssl;
-#[cfg(all(feature = "ssl-openssl", feature = "ssl-rustls"))]
-compile_error!("features \"ssl-openssl\" and \"ssl-rustls\" are mutually exclusive");
+#[cfg(all(feature = "ssl-openssl", feature = "__ssl-rustls"))]
+compile_error!(
+    "features \"ssl-openssl\", \"ssl-rustls-aws-lc-rs\", and \"ssl-rustls-ring\" are mutually exclusive"
+);
 
 #[cfg(all(
     feature = "host_env",
@@ -222,7 +224,7 @@ pub fn stdlib_module_defs(ctx: &Context) -> Vec<&'static builtins::PyModuleDef>
         #[cfg(all(
             feature = "host_env",
             not(target_arch = "wasm32"),
-            feature = "ssl-rustls"
+            feature = "__ssl-rustls"
         ))]
         ssl::module_def(ctx),
         statistics::module_def(ctx),
diff --git a/crates/stdlib/src/ssl.rs b/crates/stdlib/src/ssl.rs
@@ -37,6 +37,7 @@ mod _ssl {
             lock::{PyMutex, PyRwLock},
         },
         socket::{PySocket, SelectKind, sock_select, timeout_error_msg},
+        ssl::compat,
         vm::{
             AsObject, Py, PyObject, PyObjectRef, PyPayload, PyRef, PyResult, TryFromObject,
             VirtualMachine,
@@ -64,7 +65,6 @@ mod _ssl {
         sync::atomic::{AtomicUsize, Ordering},
         time::Duration,
     };
-    use rustls::crypto::aws_lc_rs::ALL_CIPHER_SUITES;
     use std::{
         collections::{HashMap, hash_map::DefaultHasher},
         io::BufRead,
@@ -77,14 +77,20 @@ mod _ssl {
     use rustls::{
         ClientConfig, ClientConnection, RootCertStore, ServerConfig, ServerConnection,
         client::{ClientSessionMemoryCache, ClientSessionStore},
-        crypto::SupportedKxGroup,
+        crypto::{CryptoProvider, SupportedKxGroup},
         pki_types::{CertificateDer, CertificateRevocationListDer, PrivateKeyDer, ServerName},
         server::{ClientHello, ResolvesServerCert},
         sign::CertifiedKey,
         version::{TLS12, TLS13},
     };
     use sha2::{Digest, Sha256};
 
+    #[cfg(feature = "ssl-rustls-aws-lc-rs")]
+    use rustls::crypto::aws_lc_rs::{ALL_CIPHER_SUITES, Ticketer, sign};
+
+    #[cfg(feature = "ssl-rustls-ring")]
+    use rustls::crypto::ring::{ALL_CIPHER_SUITES, Ticketer, sign};
+
     // Import certificate operations module
     use super::cert;
 
@@ -1189,15 +1195,14 @@ mod _ssl {
             }
 
             // Additional validation: Create CertifiedKey to ensure rustls accepts it
-            let signing_key =
-                rustls::crypto::aws_lc_rs::sign::any_supported_type(&key).map_err(|_| {
-                    vm.new_os_subtype_error(
-                        PySSLError::class(&vm.ctx).to_owned(),
-                        None,
-                        "[SSL: KEY_VALUES_MISMATCH] key values mismatch",
-                    )
-                    .upcast()
-                })?;
+            let signing_key = sign::any_supported_type(&key).map_err(|_| {
+                vm.new_os_subtype_error(
+                    PySSLError::class(&vm.ctx).to_owned(),
+                    None,
+                    "[SSL: KEY_VALUES_MISMATCH] key values mismatch",
+                )
+                .upcast()
+            })?;
 
             let certified_key = CertifiedKey::new(full_chain.clone(), signing_key);
             if certified_key.keys_match().is_err() {
@@ -2295,7 +2300,7 @@ mod _ssl {
                 rustls_server_session_store: rustls::server::ServerSessionMemoryCache::new(
                     SSL_SESSION_CACHE_SIZE,
                 ),
-                server_ticketer: rustls::crypto::aws_lc_rs::Ticketer::new()
+                server_ticketer: Ticketer::new()
                     .expect("Failed to create shared ticketer for TLS 1.2 session resumption"),
                 accept_count: AtomicUsize::new(0),
                 session_hits: AtomicUsize::new(0),
@@ -4883,17 +4888,20 @@ mod _ssl {
 
     #[pyfunction]
     fn RAND_bytes(n: i64, vm: &VirtualMachine) -> PyResult<PyBytesRef> {
-        use aws_lc_rs::rand::{SecureRandom, SystemRandom};
+        compat::ensure_default_provider();
+        let default_provider =
+            CryptoProvider::get_default().expect("A CryptoProvider should have been set earlier");
 
         // Validate n is not negative
         if n < 0 {
             return Err(vm.new_value_error("num must be positive"));
         }
 
         let n_usize = n as usize;
-        let rng = SystemRandom::new();
         let mut buf = vec![0u8; n_usize];
-        rng.fill(&mut buf)
+        default_provider
+            .secure_random
+            .fill(&mut buf)
             .map_err(|_| vm.new_os_error("Failed to generate random bytes"))?;
         Ok(PyBytesRef::from(vm.ctx.new_bytes(buf)))
     }
diff --git a/crates/stdlib/src/ssl/cert.rs b/crates/stdlib/src/ssl/cert.rs
@@ -24,6 +24,12 @@ use x509_parser::prelude::*;
 
 use super::compat::{VERIFY_X509_PARTIAL_CHAIN, VERIFY_X509_STRICT};
 
+#[cfg(feature = "ssl-rustls-aws-lc-rs")]
+use rustls::crypto::aws_lc_rs::sign;
+
+#[cfg(feature = "ssl-rustls-ring")]
+use rustls::crypto::ring::sign;
+
 // Certificate Verification Constants
 
 /// All supported signature schemes for certificate verification
@@ -1265,9 +1271,7 @@ pub fn validate_cert_key_match(
 
     // For rustls, the actual validation happens when creating CertifiedKey
     // We can attempt to create a signing key to verify the key is valid
-    use rustls::crypto::aws_lc_rs::sign::any_supported_type;
-
-    match any_supported_type(private_key) {
+    match sign::any_supported_type(private_key) {
         Ok(_signing_key) => {
             // If we can create a signing key, the private key is valid
             // Rustls will validate the cert-key match when building config
diff --git a/crates/stdlib/src/ssl/compat.rs b/crates/stdlib/src/ssl/compat.rs
@@ -59,11 +59,17 @@ pub const VERIFY_X509_PARTIAL_CHAIN: i32 = 0x80000;
 /// happens exactly once, even if called from multiple threads.
 static INIT_PROVIDER: Once = Once::new();
 
-fn ensure_default_provider() {
+pub(super) fn ensure_default_provider() {
     INIT_PROVIDER.call_once(|| {
+        #[cfg(feature = "ssl-rustls-aws-lc-rs")]
         let _ = rustls::crypto::CryptoProvider::install_default(
             rustls::crypto::aws_lc_rs::default_provider(),
         );
+
+        #[cfg(feature = "ssl-rustls-ring")]
+        let _ = rustls::crypto::CryptoProvider::install_default(
+            rustls::crypto::ring::default_provider(),
+        );
     });
 }
 
@@ -663,12 +669,12 @@ fn create_custom_crypto_provider(
     cipher_suites: Option<Vec<rustls::SupportedCipherSuite>>,
     kx_groups: Option<Vec<&'static dyn rustls::crypto::SupportedKxGroup>>,
 ) -> Arc<rustls::crypto::CryptoProvider> {
-    use rustls::crypto::aws_lc_rs::{ALL_CIPHER_SUITES, ALL_KX_GROUPS};
-    let default_provider = rustls::crypto::aws_lc_rs::default_provider();
+    let default_provider = rustls::crypto::CryptoProvider::get_default()
+        .expect("A CryptoProvider should have been set earlier");
 
     Arc::new(rustls::crypto::CryptoProvider {
-        cipher_suites: cipher_suites.unwrap_or_else(|| ALL_CIPHER_SUITES.to_vec()),
-        kx_groups: kx_groups.unwrap_or_else(|| ALL_KX_GROUPS.to_vec()),
+        cipher_suites: cipher_suites.unwrap_or_else(|| default_provider.cipher_suites.clone()),
+        kx_groups: kx_groups.unwrap_or_else(|| default_provider.kx_groups.clone()),
         signature_verification_algorithms: default_provider.signature_verification_algorithms,
         secure_random: default_provider.secure_random,
         key_provider: default_provider.key_provider,
@@ -2365,7 +2371,8 @@ pub(super) fn curve_name_to_kx_group(
     curve: &str,
 ) -> Result<Vec<&'static dyn SupportedKxGroup>, String> {
     // Get the default crypto provider's key exchange groups
-    let provider = rustls::crypto::aws_lc_rs::default_provider();
+    let provider = rustls::crypto::CryptoProvider::get_default()
+        .expect("A CryptoProvider should have been set earlier");
     let all_groups = &provider.kx_groups;
 
     match curve {
diff --git a/src/lib.rs b/src/lib.rs
@@ -71,7 +71,11 @@ pub use shell::run_shell;
 
 #[cfg(all(
     feature = "ssl",
-    not(any(feature = "ssl-rustls", feature = "ssl-openssl"))
+    not(any(
+        feature = "ssl-rustls",
+        feature = "ssl-rustls-ring",
+        feature = "ssl-openssl"
+    ))
 ))]
 compile_error!(
     "Feature \"ssl\" is now enabled by either \"ssl-rustls\" or \"ssl-openssl\" to be enabled. Do not manually pass \"ssl\" feature. To enable ssl-openssl, use --no-default-features to disable ssl-rustls"
