mlkem

rpxy-bin/Cargo.toml

@@ -14,7 +14,7 @@ publish.workspace = true
 
 [features]
 default = [
-  "provider-openssl",
+  "provider-aws-lc-pq",
 #  "http3-quinn",
 #  "cache",
   "rustls-backend",
@@ -31,6 +31,7 @@ default = [
 #   "post-quantum",
 # ]
 provider-aws-lc-rs = ["rpxy-lib/rustls-backend-aws-lc-rs"]
+provider-aws-lc-pq = ["rpxy-lib/rustls-backend-aws-lc-pq", "rpxy-lib/post-quantum"]
 provider-boring = ["rpxy-lib/rustls-backend-boring"]
 provider-openssl = ["rpxy-lib/rustls-backend-openssl"]
 provider-ring = ["rpxy-lib/rustls-backend-ring"]

rpxy-lib/Cargo.toml

@@ -29,6 +29,7 @@ sticky-cookie = ["base64", "sha2", "chrono"]
 native-tls-backend = ["hyper-tls"]
 rustls-backend = ["hyper-rustls"]
 rustls-backend-aws-lc-rs = ["hyper-rustls/aws-lc-rs"]
+rustls-backend-aws-lc-pq = ["hyper-rustls/aws-lc-rs", "post-quantum"]
 rustls-backend-boring = ["hyper-rustls/aws-lc-rs", "boring-rustls-provider"]
 rustls-backend-openssl = ["hyper-rustls/aws-lc-rs", "rustls-openssl"]
 rustls-backend-ring = ["hyper-rustls/ring"]
@@ -38,6 +39,7 @@ webpki-roots = ["rustls-backend", "hyper-rustls/webpki-tokio"]
 acme = ["dep:rpxy-acme"]
 post-quantum = [
   "rustls-post-quantum",
+  "rustls-post-quantum/aws-lc-rs-unstable",
   "rpxy-acme/post-quantum",
   "rpxy-certs/post-quantum",
   "s2n-quic-rustls/post-quantum",

rpxy-lib/src/forwarder/client.rs

@@ -217,10 +217,11 @@ where
 
     #[cfg(not(feature = "webpki-roots"))]
     let (builder, builder_h2) = {
-      use rustls::{ClientConfig, client::Resumption};
       use hyper_rustls::ConfigBuilderExt;
+      use rustls::{ClientConfig, client::Resumption};
       let mut client_config = ClientConfig::builder()
-        .try_with_platform_verifier().unwrap()
+        .try_with_platform_verifier()
+        .unwrap()
         .with_no_client_auth();
       client_config.resumption = Resumption::disabled();
       let builder = hyper_rustls::HttpsConnectorBuilder::new().with_tls_config(client_config.clone());

rpxy-lib/src/lib.rs

@@ -167,6 +167,65 @@ pub async fn entrypoint(
     }
     _provider = CryptoProvider::install_default(prov);
   }
+  #[cfg(feature = "rustls-backend-aws-lc-pq")]
+  {
+    info!("Using RusTLS provider aws-lc-pq");
+    let mut prov = rustls_post_quantum::provider();
+    if let Some(ciphers) = ciphers {
+      prov.cipher_suites.clear();
+      for cipher in ciphers {
+        match cipher.as_str() {
+          "AES_256_GCM_SHA384" => prov
+            .cipher_suites
+            .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS13_AES_256_GCM_SHA384),
+          "AES_128_GCM_SHA256" => prov
+            .cipher_suites
+            .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS13_AES_128_GCM_SHA256),
+          "CHACHA20_POLY1305_SHA256" => prov
+            .cipher_suites
+            .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256),
+          "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" => prov
+            .cipher_suites
+            .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
+          "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" => prov
+            .cipher_suites
+            .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
+          "ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" => prov
+            .cipher_suites
+            .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256),
+          "ECDHE_RSA_WITH_AES_256_GCM_SHA384" => prov
+            .cipher_suites
+            .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384),
+          "ECDHE_RSA_WITH_AES_128_GCM_SHA256" => prov
+            .cipher_suites
+            .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256),
+          "ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" => prov
+            .cipher_suites
+            .push(rustls::crypto::aws_lc_rs::cipher_suite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256),
+          other => {
+            log::error!("Unknown cipher `{other}`")
+          }
+        }
+      }
+    }
+    if let Some(kexes) = kexes {
+      prov.kx_groups.clear();
+      for kex in kexes {
+        match kex.as_str() {
+          "X25519" => prov.kx_groups.push(rustls::crypto::aws_lc_rs::kx_group::X25519),
+          "SECP256R1" => prov.kx_groups.push(rustls::crypto::aws_lc_rs::kx_group::SECP256R1),
+          "SECP384R1" => prov.kx_groups.push(rustls::crypto::aws_lc_rs::kx_group::SECP384R1),
+          "X25519MLKEM768" => prov.kx_groups.push(rustls::crypto::aws_lc_rs::kx_group::X25519MLKEM768),
+          "SECP256R1MLKEM768" => prov.kx_groups.push(rustls::crypto::aws_lc_rs::kx_group::SECP256R1MLKEM768),
+          "MLKEM768" => prov.kx_groups.push(rustls::crypto::aws_lc_rs::kx_group::MLKEM768),
+          other => {
+            log::error!("Unknown kex `{other}`")
+          }
+        }
+      }
+    }
+    _provider = CryptoProvider::install_default(prov);
+  }
   #[cfg(feature = "rustls-backend-boring")]
   {
     info!("Using RusTLS provider boring");
@@ -272,6 +331,8 @@ pub async fn entrypoint(
           "X25519" => prov.kx_groups.push(rustls_openssl::kx_group::X25519),
           "SECP256R1" => prov.kx_groups.push(rustls_openssl::kx_group::SECP256R1),
           "SECP384R1" => prov.kx_groups.push(rustls_openssl::kx_group::SECP384R1),
+          "X25519MLKEM768" => prov.kx_groups.push(rustls_openssl::kx_group::X25519MLKEM768),
+          "MLKEM768" => prov.kx_groups.push(rustls_openssl::kx_group::MLKEM768),
           other => {
             log::error!("Unknown kex `{other}`")
           }
@@ -280,11 +341,6 @@ pub async fn entrypoint(
     }
     _provider = CryptoProvider::install_default(prov);
   }
-  #[cfg(feature = "post-quantum")]
-  {
-    info!("Using RusTLS provider post_quantum");
-    _provider = CryptoProvider::install_default(rustls_post_quantum::provider());
-  }
   #[cfg(feature = "rustls-backend-ring")]
   {
     info!("Using RusTLS provider ring");