From 17a262aace7d87ac575a2a12dfacad8304b6cfa4 Mon Sep 17 00:00:00 2001 From: enricobuehler Date: Fri, 17 Jul 2026 22:21:23 +0200 Subject: [PATCH] =?UTF-8?q?fix(host/deps):=20ring-only=20crypto=20?= =?UTF-8?q?=E2=80=94=20drop=20aws-lc-sys=20(fails=20to=20build=20on=20the?= =?UTF-8?q?=20Windows=20CI)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Windows host clippy CI broke building aws-lc-sys 0.41.0 (a heavy C dep that cl.exe fails to compile on the runner). The host was the ONLY thing pulling it: its rcgen used features=["aws_lc_rs"], and bare `rustls`/`tokio-rustls` take the default (aws-lc-rs) backend, and gamestream/{mod,tls}.rs installed the aws_lc_rs crypto provider explicitly — a pre-existing deviation from the project's documented ring-only design (punktfunk-core + the client are ring). Align the host to ring: rcgen/rustls/tokio-rustls pinned to the `ring` feature (keeping tls12 for Moonlight/GameStream TLS-1.2 clients) and the two GameStream provider installs switched to `rustls::crypto::ring::default_provider()`. Both providers offer the same standard TLS 1.2/1.3 suites, so it's transparent to the TLS paths; aws-lc-sys/aws-lc-rs leave the tree entirely (`cargo tree -i aws-lc-sys` => no match). Not caused by the preceding log fix (that touched no crypto deps / the lock). Validated: cargo tree (aws-lc-sys gone, windows target, amf-qsv,qsv features) + .21 host clippy -D warnings (--features nvenc) clean. Owed: GameStream on-glass re-check with a real Moonlight client (low risk — same TLS suites, client is already ring). --- Cargo.lock | 1 - crates/punktfunk-host/Cargo.toml | 9 ++++++--- crates/punktfunk-host/src/gamestream/mod.rs | 2 +- crates/punktfunk-host/src/gamestream/tls.rs | 2 +- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 960e770b..40b682f5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3670,7 +3670,6 @@ version = "0.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "75e669e5202259b5314d1ea5397316ad400819437857b90861765f24c4cf80a2" dependencies = [ - "aws-lc-rs", "pem", "ring", "rustls-pki-types", diff --git a/crates/punktfunk-host/Cargo.toml b/crates/punktfunk-host/Cargo.toml index 97a6a7f4..04204fdc 100644 --- a/crates/punktfunk-host/Cargo.toml +++ b/crates/punktfunk-host/Cargo.toml @@ -80,17 +80,20 @@ base64 = "0.22" # webpki roots (no system cert dependency). Cross-platform so the fetch/parse code is compiled + # checked everywhere even though only the Windows GOG/Xbox providers need it today. ureq = "2" -rcgen = { version = "0.13", default-features = false, features = ["aws_lc_rs", "pem"] } +rcgen = { version = "0.13", default-features = false, features = ["ring", "pem"] } x509-parser = "0.16" # Only used for the plain-HTTP nvhttp listener (`bind().serve()`); HTTPS/mTLS is hand-rolled over # tokio-rustls (axum-server can't surface the peer cert), so we do NOT enable `tls-rustls` — that # feature is what pulled the unmaintained `rustls-pemfile` (security-review dep hygiene). axum-server = "0.8" -rustls = "0.23" +# Ring backend, NOT the (default) aws-lc-rs one — matches punktfunk-core + the client so the whole +# tree stays ring-only (no aws-lc-sys: a heavy C dep that fails to build on the Windows CI runner). +# Keep `tls12` for GameStream/Moonlight clients that negotiate TLS 1.2. +rustls = { version = "0.23", default-features = false, features = ["ring", "std", "tls12", "logging"] } # Manual HTTPS+mTLS serve loop for the mgmt API (axum-server can't surface the peer cert): a # tokio-rustls handshake exposes the client cert, then hyper serves the axum Router with the # verified fingerprint injected as a request extension. Versions match the workspace lock. -tokio-rustls = "0.26" +tokio-rustls = { version = "0.26", default-features = false, features = ["ring", "tls12", "logging"] } hyper = { version = "1", features = ["server", "http1", "http2"] } hyper-util = { version = "0.1", features = ["server", "server-auto", "tokio", "service"] } tower = { version = "0.5", features = ["util"] } diff --git a/crates/punktfunk-host/src/gamestream/mod.rs b/crates/punktfunk-host/src/gamestream/mod.rs index 4c03c687..1ba86747 100644 --- a/crates/punktfunk-host/src/gamestream/mod.rs +++ b/crates/punktfunk-host/src/gamestream/mod.rs @@ -239,7 +239,7 @@ pub fn serve( let rt = tokio::runtime::Runtime::new().context("build tokio runtime")?; rt.block_on(async move { // rustls needs a process-wide crypto provider before any TLS config is built. - let _ = rustls::crypto::aws_lc_rs::default_provider().install_default(); + let _ = rustls::crypto::ring::default_provider().install_default(); let native_opts = crate::native::native_serve_opts(&native); // The hook runner consumes the live event tail for the host's lifetime — spawned BEFORE // `host.started` is emitted so operator hooks observe the full lifecycle (RFC §6). diff --git a/crates/punktfunk-host/src/gamestream/tls.rs b/crates/punktfunk-host/src/gamestream/tls.rs index 8057003d..018163af 100644 --- a/crates/punktfunk-host/src/gamestream/tls.rs +++ b/crates/punktfunk-host/src/gamestream/tls.rs @@ -180,7 +180,7 @@ fn build_server_config( key_pem: &str, mandatory: bool, ) -> Result> { - let provider = Arc::new(rustls::crypto::aws_lc_rs::default_provider()); + let provider = Arc::new(rustls::crypto::ring::default_provider()); // PEM parsing via rustls-pki-types (the same `PemObject` path punktfunk-core/quic.rs uses), // so we don't pull the unmaintained `rustls-pemfile`. let certs = CertificateDer::pem_slice_iter(cert_pem.as_bytes())