From e08c70709fb66da7572f5595d6903db3d679fcbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Eng=C3=A9libert?=
Date: Tue, 9 Dec 2025 11:25:32 +0100
Subject: [PATCH] mlkem
---
 rpxy-bin/Cargo.toml | 3 +-
 rpxy-lib/Cargo.toml | 2 +
 rpxy-lib/src/forwarder/client.rs | 5 ++-
 rpxy-lib/src/lib.rs | 66 +++++++++++++++++++++++++++++---
 4 files changed, 68 insertions(+), 8 deletions(-)
diff --git a/rpxy-bin/Cargo.toml b/rpxy-bin/Cargo.toml
index a8bb768..2e8b088 100644
--- a/rpxy-bin/Cargo.toml
+++ b/rpxy-bin/Cargo.toml
@@ -14,7 +14,7 @@ publish.workspace = true
 [features]
 default = [
- "provider-openssl",
+ "provider-aws-lc-pq",
 # "http3-quinn",
 # "cache",
 "rustls-backend",
@@ -31,6 +31,7 @@ default = [
 # "post-quantum",
 # ]
 provider-aws-lc-rs = ["rpxy-lib/rustls-backend-aws-lc-rs"]
+provider-aws-lc-pq = ["rpxy-lib/rustls-backend-aws-lc-pq", "rpxy-lib/post-quantum"]
 provider-boring = ["rpxy-lib/rustls-backend-boring"]
 provider-openssl = ["rpxy-lib/rustls-backend-openssl"]
 provider-ring = ["rpxy-lib/rustls-backend-ring"]
diff --git a/rpxy-lib/Cargo.toml b/rpxy-lib/Cargo.toml
index 13074d6..73956c2 100644
--- a/rpxy-lib/Cargo.toml
+++ b/rpxy-lib/Cargo.toml
@@ -29,6 +29,7 @@ sticky-cookie = ["base64", "sha2", "chrono"]
 native-tls-backend = ["hyper-tls"]
 rustls-backend = ["hyper-rustls"]
 rustls-backend-aws-lc-rs = ["hyper-rustls/aws-lc-rs"]
+rustls-backend-aws-lc-pq = ["hyper-rustls/aws-lc-rs", "post-quantum"]
 rustls-backend-boring = ["hyper-rustls/aws-lc-rs", "boring-rustls-provider"]
 rustls-backend-openssl = ["hyper-rustls/aws-lc-rs", "rustls-openssl"]
 rustls-backend-ring = ["hyper-rustls/ring"]
@@ -38,6 +39,7 @@ webpki-roots = ["rustls-backend", "hyper-rustls/webpki-tokio"]
 acme = ["dep:rpxy-acme"]
 post-quantum = [
 "rustls-post-quantum",
+ "rustls-post-quantum/aws-lc-rs-unstable",
 "rpxy-acme/post-quantum",
 "rpxy-certs/post-quantum",
 "s2n-quic-rustls/post-quantum",
diff --git a/rpxy-lib/src/forwarder/client.rs b/rpxy-lib/src/forwarder/client.rs
index 114ec13..adab716 100644
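Review bot: Nothing in rpxy-bin/Cargo.toml says that the `provider-*` features are mutually exclusive, and with `default` now naming `provider-aws-lc-pq` a build that adds `--features provider-openssl` without `--no-default-features` ends up with two backends enabled. `entrypoint` in rpxy-lib/src/lib.rs has one `#[cfg]` block per backend and each calls `CryptoProvider::install_default`; as far as I know only the first call in a process can succeed, so the backend actually serving TLS would follow block order rather than the operator's choice. I would add a comment above the provider list such as `# Enable exactly one provider-* feature; pass --no-default-features when selecting a non-default one.` The `"rpxy-lib/post-quantum"` entry on the new `provider-aws-lc-pq` line (second hunk of this file) also looks redundant, because `rustls-backend-aws-lc-pq` already enables `post-quantum`.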
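Review bot: `rustls-post-quantum/aws-lc-rs-unstable` is added to the shared `post-quantum` feature in rpxy-lib/Cargo.toml, so every backend that turns on `post-quantum`, not only the new aws-lc one, now depends on an interface whose own name marks it as unstable. If it is only needed for the groups matched in the new `rustls-backend-aws-lc-pq` block in lib.rs (my reading, the patch does not say), it would be narrower to list it there, `rustls-backend-aws-lc-pq = ["hyper-rustls/aws-lc-rs", "post-quantum", "rustls-post-quantum/aws-lc-rs-unstable"]`, and leave `post-quantum` as it was. Either way, a one-line comment naming the key-exchange groups that require the unstable flag would help whoever has to remove it later.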
--- a/rpxy-lib/src/forwarder/client.rs
+++ b/rpxy-lib/src/forwarder/client.rs
@@ -217,10 +217,11 @@ where
 #[cfg(not(feature = "webpki-roots"))]
 let (builder, builder_h2) = {
- use rustls::{ClientConfig, client::Resumption};
 use hyper_rustls::ConfigBuilderExt;
+ use rustls::{ClientConfig, client::Resumption};
 let mut client_config = ClientConfig::builder()
- .try_with_platform_verifier().unwrap()
+ .try_with_platform_verifier()
+ .unwrap()
 .with_no_client_auth();
 client_config.resumption = Resumption::disabled();
 let builder = hyper_rustls::HttpsConnectorBuilder::new().with_tls_config(client_config.clone());
diff --git a/rpxy-lib/src/lib.rs b/rpxy-lib/src/lib.rs
index 2062424..b2c8916 100644
--- a/rpxy-lib/src/lib.rs
+++ b/rpxy-lib/src/lib.rs
@@ -167,6 +167,65 @@ pub async fn entrypoint(
 }
 _provider = CryptoProvider::install_default(prov);
 }
+ #[cfg(feature = "rustls-backend-aws-lc-pq")]
+ {
+ info!("Using RusTLS provider aws-lc-pq");
+ let mut prov = rustls_post_quantum::provider();
+ if let Some(ciphers) = ciphers {
+ prov.cipher_suites.clear();
+ for cipher in ciphers {
+ match cipher.as_str() {
+ "AES_256_GCM_SHA384" => prov
+ .cipher_suites
+ .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS13_AES_256_GCM_SHA384),
+ "AES_128_GCM_SHA256" => prov
+ .cipher_suites
+ .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS13_AES_128_GCM_SHA256),
+ "CHACHA20_POLY1305_SHA256" => prov
+ .cipher_suites
+ .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256),
+ "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" => prov
+ .cipher_suites
+ .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
+ "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" => prov
+ .cipher_suites
+ .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
+ "ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" => prov
+ .cipher_suites
+ .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256),
+ "ECDHE_RSA_WITH_AES_256_GCM_SHA384" => prov
+ .cipher_suites
+ .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384),
+ "ECDHE_RSA_WITH_AES_128_GCM_SHA256" => prov
+ .cipher_suites
+ .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256),
+ "ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" => prov
+ .cipher_suites
+ .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256),
+ other => {
+ log::error!("Unknown cipher `{other}`")
+ }
+ }
+ }
+ }
+ if let Some(kexes) = kexes {
+ prov.kx_groups.clear();
+ for kex in kexes {
+ match kex.as_str() {
+ "X25519" => prov.kx_groups.push(rustls::crypto::aws_lc_rs::kx_group::X25519),
+ "SECP256R1" => prov.kx_groups.push(rustls::crypto::aws_lc_rs::kx_group::SECP256R1),
+ "SECP384R1" => prov.kx_groups.push(rustls::crypto::aws_lc_rs::kx_group::SECP384R1),
+ "X25519MLKEM768" => prov.kx_groups.push(rustls::crypto::aws_lc_rs::kx_group::X25519MLKEM768),
+ "SECP256R1MLKEM768" => prov.kx_groups.push(rustls::crypto::aws_lc_rs::kx_group::SECP256R1MLKEM768),
+ "MLKEM768" => prov.kx_groups.push(rustls::crypto::aws_lc_rs::kx_group::MLKEM768),
+ other => {
+ log::error!("Unknown kex `{other}`")
+ }
+ }
+ }
+ }
+ _provider = CryptoProvider::install_default(prov);
+ }
 #[cfg(feature = "rustls-backend-boring")]
 {
 info!("Using RusTLS provider boring");
@@ -272,6 +331,8 @@ pub async fn entrypoint(
 "X25519" => prov.kx_groups.push(rustls_openssl::kx_group::X25519),
 "SECP256R1" => prov.kx_groups.push(rustls_openssl::kx_group::SECP256R1),
 "SECP384R1" => prov.kx_groups.push(rustls_openssl::kx_group::SECP384R1),
+ "X25519MLKEM768" => prov.kx_groups.push(rustls_openssl::kx_group::X25519MLKEM768),
+ "MLKEM768" => prov.kx_groups.push(rustls_openssl::kx_group::MLKEM768),
 other => {
 log::error!("Unknown kex `{other}`")
 }
@@ -280,11 +341,6 @@ pub async fn entrypoint(
 }
 _provider = CryptoProvider::install_default(prov);
 }
- #[cfg(feature = "post-quantum")]
- {
- info!("Using RusTLS provider post_quantum");
- _provider = CryptoProvider::install_default(rustls_post_quantum::provider());
- }
 #[cfg(feature = "rustls-backend-ring")]
 {
 info!("Using RusTLS provider ring");
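Review bot: In the new `rustls-backend-aws-lc-pq` block an unrecognised name in `kexes` or `ciphers` is only logged, and that happens after `prov.kx_groups.clear()` / `prov.cipher_suites.clear()`, so the provider is installed with whatever subset happened to match. For this backend that matters more than for the classical ones: a misspelt `X25519MLKEM768` listed next to `X25519` leaves a classical-only key-exchange list while the startup line still reads "Using RusTLS provider aws-lc-pq", and a list with no valid entry installs an empty `kx_groups`. I would treat the `other` arm as a configuration error rather than a log line, returning an error from `entrypoint` if its return type allows it (the signature is outside the hunk), or at least refusing to install an empty list, e.g. `if prov.kx_groups.is_empty() { /* abort startup */ }`. The result of `CryptoProvider::install_default(prov)` is stored in `_provider`; whether it is checked later is not visible here, but an `Err` would mean another provider is already active and the `info!` line above would then be misleading.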
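Review bot: The openssl arm list (hunk at `-272,6 +331,8`) now accepts `X25519MLKEM768` and `MLKEM768` but not `SECP256R1MLKEM768`, which the new aws-lc-pq block in the first hunk does accept, so the same `kexes` configuration is honoured by one backend and logged as "Unknown kex" and dropped by the other. If `rustls_openssl` has no such group, a short comment on the match saying so would stop this from reading as an oversight; if it does, the arm should be added. The two new names presumably also need a linked OpenSSL that supports ML-KEM, which the hunk neither checks nor documents, so I would add something like `// ML-KEM groups: availability depends on the linked OpenSSL version` above them. The surrounding `match` starts and ends outside the hunk.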