build(deps): replace ring with aws-lc-rs

maherthomsi · maherthomsi · commit d7194eab8d09 · 2025-10-22T14:09:28.000-07:00
The ring crate is deprecated and unmaintained. AWS-LC-RS provides
equivalent functionality with active support and FIPS compliance.

Signed-off-by: Maher Homsi &lt;maherhom@amazon.com&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -17,6 +17,7 @@ argh = "0.1"
 async-trait = "0.1"
 awc = "3"
 aws-config = { version = "1", default-features = false, features = ["credentials-process", "default-https-client", "rt-tokio"] }
+aws-lc-rs = { version = "1", features = ["bindgen"] }
 aws-sdk-ec2 = { version = "1", default-features = false, features = ["behavior-version-latest", "default-https-client", "rt-tokio"] }
 aws-sdk-eks = { version = "1", default-features = false, features = ["behavior-version-latest", "default-https-client", "rt-tokio"] }
 aws-sdk-iam = { version = "1", default-features = false, features = ["behavior-version-latest", "default-https-client", "rt-tokio"] }
@@ -55,7 +56,7 @@ kube = { version = "0.88", default-features = false, features = [ "derive", "run
 
 regex = "1"
 reqwest = { version = "0.12", default-features = false, features =  [ "json", "rustls-tls" ] }
-rustls = { version = "0.23", default-features = false, features = ["ring", "logging", "std", "tls12"] }
+rustls = { version = "0.23", default-features = false, features = ["aws_lc_rs", "logging", "std", "tls12"] }
 rustls-pemfile = { version = "2" }
 schemars = "0.8"
 semver = "1"
diff --git a/Dockerfile b/Dockerfile
@@ -13,6 +13,9 @@ ADD ./ /src/
 # Ensure cargo dependencies are fetched and available in the Docker context
 RUN cargo fetch --locked --manifest-path /src/Cargo.toml
 
+# Set bindgen clang arguments for cross-compilation targeting Bottlerocket's musl environment
+ENV BINDGEN_EXTRA_CLANG_ARGS="--target=${UNAME_ARCH}-bottlerocket-linux-musl --sysroot=/${UNAME_ARCH}-bottlerocket-linux-musl/sys-root"
+
 # Builds brupop binaries
 RUN cargo install --offline --locked --target ${UNAME_ARCH}-bottlerocket-linux-musl --path /src/agent --root /src/agent && \
     cargo install --offline --locked --target ${UNAME_ARCH}-bottlerocket-linux-musl --path /src/apiserver --root /src/apiserver && \
diff --git a/clarify.toml b/clarify.toml
@@ -13,6 +13,20 @@ license-files = [
     { path = "LICENSE", hash = 0xcdf3ae00 },
 ]
 
+[clarify.aws-lc-fips-sys]
+expression = "ISC AND (Apache-2.0 OR ISC) AND OpenSSL AND MIT"
+license-files = [
+    { path = "LICENSE", hash = 0xf308ccd7 },
+    { path = "aws-lc/LICENSE", hash = 0xb6d14686 },
+    { path = "aws-lc/third_party/fiat/LICENSE", hash = 0x75829ee2 },
+]
+
+[clarify.aws-lc-rs]
+expression = "ISC AND (Apache-2.0 OR ISC) AND MIT"
+license-files = [
+    { path = "LICENSE", hash = 0x8f713da7 },
+]
+
 [clarify.aws-lc-sys]
 expression = "ISC AND (Apache-2.0 OR ISC) AND OpenSSL AND MIT"
 license-files = [
diff --git a/models/Cargo.toml b/models/Cargo.toml
@@ -10,6 +10,7 @@ workspace = true
 
 [dependencies]
 async-trait = { workspace = true }
+aws-lc-rs = { workspace = true }
 chrono = { workspace = true }
 futures = { workspace = true }
 
diff --git a/models/src/crypto.rs b/models/src/crypto.rs
@@ -10,7 +10,7 @@ use rustls::crypto::CryptoProvider;
 use snafu::Snafu;
 
 pub fn install_default_crypto_provider() -> Result<(), CryptoConfigError> {
-    CryptoProvider::install_default(rustls::crypto::ring::default_provider())
+    CryptoProvider::install_default(rustls::crypto::aws_lc_rs::default_provider())
         .map_err(|_| CryptoConfigError)
 }
 

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ use rustls::crypto::CryptoProvider;`
`10`	`10`	`use snafu::Snafu;`
`11`	`11`
`12`	`12`	`pub fn install_default_crypto_provider() -> Result<(), CryptoConfigError> {`
`13`		`- CryptoProvider::install_default(rustls::crypto::ring::default_provider())`
	`13`	`+ CryptoProvider::install_default(rustls::crypto::aws_lc_rs::default_provider())`
`14`	`14`	`.map_err(\|_\| CryptoConfigError)`
`15`	`15`	`}`
`16`	`16`