diff --git a/Cargo.lock b/Cargo.lock index 960e770b..40b682f5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3670,7 +3670,6 @@ version = "0.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "75e669e5202259b5314d1ea5397316ad400819437857b90861765f24c4cf80a2" dependencies = [ - "aws-lc-rs", "pem", "ring", "rustls-pki-types", diff --git a/crates/punktfunk-host/Cargo.toml b/crates/punktfunk-host/Cargo.toml index 97a6a7f4..04204fdc 100644 --- a/crates/punktfunk-host/Cargo.toml +++ b/crates/punktfunk-host/Cargo.toml @@ -80,17 +80,20 @@ base64 = "0.22" # webpki roots (no system cert dependency). Cross-platform so the fetch/parse code is compiled + # checked everywhere even though only the Windows GOG/Xbox providers need it today. ureq = "2" -rcgen = { version = "0.13", default-features = false, features = ["aws_lc_rs", "pem"] } +rcgen = { version = "0.13", default-features = false, features = ["ring", "pem"] } x509-parser = "0.16" # Only used for the plain-HTTP nvhttp listener (`bind().serve()`); HTTPS/mTLS is hand-rolled over # tokio-rustls (axum-server can't surface the peer cert), so we do NOT enable `tls-rustls` โ€” that # feature is what pulled the unmaintained `rustls-pemfile` (security-review dep hygiene). axum-server = "0.8" -rustls = "0.23" +# Ring backend, NOT the (default) aws-lc-rs one โ€” matches punktfunk-core + the client so the whole +# tree stays ring-only (no aws-lc-sys: a heavy C dep that fails to build on the Windows CI runner). +# Keep `tls12` for GameStream/Moonlight clients that negotiate TLS 1.2. +rustls = { version = "0.23", default-features = false, features = ["ring", "std", "tls12", "logging"] } # Manual HTTPS+mTLS serve loop for the mgmt API (axum-server can't surface the peer cert): a # tokio-rustls handshake exposes the client cert, then hyper serves the axum Router with the # verified fingerprint injected as a request extension. Versions match the workspace lock. -tokio-rustls = "0.26" +tokio-rustls = { version = "0.26", default-features = false, features = ["ring", "tls12", "logging"] } hyper = { version = "1", features = ["server", "http1", "http2"] } hyper-util = { version = "0.1", features = ["server", "server-auto", "tokio", "service"] } tower = { version = "0.5", features = ["util"] } diff --git a/crates/punktfunk-host/src/gamestream/mod.rs b/crates/punktfunk-host/src/gamestream/mod.rs index 4c03c687..1ba86747 100644 --- a/crates/punktfunk-host/src/gamestream/mod.rs +++ b/crates/punktfunk-host/src/gamestream/mod.rs @@ -239,7 +239,7 @@ pub fn serve( let rt = tokio::runtime::Runtime::new().context("build tokio runtime")?; rt.block_on(async move { // rustls needs a process-wide crypto provider before any TLS config is built. - let _ = rustls::crypto::aws_lc_rs::default_provider().install_default(); + let _ = rustls::crypto::ring::default_provider().install_default(); let native_opts = crate::native::native_serve_opts(&native); // The hook runner consumes the live event tail for the host's lifetime โ€” spawned BEFORE // `host.started` is emitted so operator hooks observe the full lifecycle (RFC ยง6). diff --git a/crates/punktfunk-host/src/gamestream/tls.rs b/crates/punktfunk-host/src/gamestream/tls.rs index 8057003d..018163af 100644 --- a/crates/punktfunk-host/src/gamestream/tls.rs +++ b/crates/punktfunk-host/src/gamestream/tls.rs @@ -180,7 +180,7 @@ fn build_server_config( key_pem: &str, mandatory: bool, ) -> Result> { - let provider = Arc::new(rustls::crypto::aws_lc_rs::default_provider()); + let provider = Arc::new(rustls::crypto::ring::default_provider()); // PEM parsing via rustls-pki-types (the same `PemObject` path punktfunk-core/quic.rs uses), // so we don't pull the unmaintained `rustls-pemfile`. let certs = CertificateDer::pem_slice_iter(cert_pem.as_bytes())