feat(tls): AWS Libcrypto Support

tonic/Cargo.toml

@@ -28,27 +28,60 @@ gzip = ["dep:flate2"]
 zstd = ["dep:zstd"]
 default = ["transport", "codegen", "prost"]
 prost = ["dep:prost"]
-tls = ["dep:rustls-pemfile", "dep:tokio-rustls", "dep:tokio", "tokio?/rt", "tokio?/macros"]
-tls-roots = ["tls-native-roots"] # Deprecated. Please use `tls-native-roots` instead.
-tls-native-roots = ["tls", "channel", "dep:rustls-native-certs"]
-tls-webpki-roots = ["tls", "channel", "dep:webpki-roots"]
+tls = [
+  "dep:rustls-pemfile",
+  "dep:tokio-rustls",
+  "dep:tokio",
+  "tokio?/rt",
+  "tokio?/macros",
+  "tokio-rustls/ring",
+]
+tls-aws-lc = [
+  "dep:rustls-pemfile",
+  "dep:tokio-rustls",
+  "dep:tokio",
+  "tokio?/rt",
+  "tokio?/macros",
+  "tokio-rustls/aws-lc-rs",
+]
+tls-roots = [
+  "tls-native-roots",
+] # Deprecated. Please use `tls-native-roots` instead.
+tls-native-roots = ["channel", "dep:rustls-native-certs"]
+tls-webpki-roots = ["channel", "dep:webpki-roots"]
 router = ["dep:axum", "dep:tower", "tower?/util"]
 server = [
   "router",
   "dep:async-stream",
   "dep:h2",
-  "dep:hyper", "hyper?/server",
-  "dep:hyper-util", "hyper-util?/service", "hyper-util?/server-auto",
+  "dep:hyper",
+  "hyper?/server",
+  "dep:hyper-util",
+  "hyper-util?/service",
+  "hyper-util?/server-auto",
   "dep:socket2",
-  "dep:tokio", "tokio?/macros", "tokio?/net", "tokio?/time",
+  "dep:tokio",
+  "tokio?/macros",
+  "tokio?/net",
+  "tokio?/time",
   "tokio-stream/net",
-  "dep:tower", "tower?/util", "tower?/limit",
+  "dep:tower",
+  "tower?/util",
+  "tower?/limit",
 ]
 channel = [
-  "dep:hyper", "hyper?/client",
-  "dep:hyper-util", "hyper-util?/client-legacy",
-  "dep:tower", "tower?/balance", "tower?/buffer", "tower?/discover", "tower?/limit", "tower?/util",
-  "dep:tokio", "tokio?/time",
+  "dep:hyper",
+  "hyper?/client",
+  "dep:hyper-util",
+  "hyper-util?/client-legacy",
+  "dep:tower",
+  "tower?/balance",
+  "tower?/buffer",
+  "tower?/discover",
+  "tower?/limit",
+  "tower?/util",
+  "dep:tokio",
+  "tokio?/time",
   "dep:hyper-timeout",
 ]
 transport = ["server", "channel"]
@@ -69,45 +102,50 @@ percent-encoding = "2.1"
 pin-project = "1.0.11"
 tower-layer = "0.3"
 tower-service = "0.3"
-tokio-stream = {version = "0.1.16", default-features = false}
+tokio-stream = { version = "0.1.16", default-features = false }
 
 # prost
-prost = {version = "0.13", default-features = false, features = ["std"], optional = true}
+prost = { version = "0.13", default-features = false, features = [
+  "std",
+], optional = true }
 
 # codegen
-async-trait = {version = "0.1.13", optional = true}
+async-trait = { version = "0.1.13", optional = true }
 
 # transport
-async-stream = {version = "0.3", optional = true}
-h2 = {version = "0.4", optional = true}
-hyper = {version = "1", features = ["http1", "http2"], optional = true}
+async-stream = { version = "0.3", optional = true }
+h2 = { version = "0.4", optional = true }
+hyper = { version = "1", features = ["http1", "http2"], optional = true }
 hyper-util = { version = "0.1.4", features = ["tokio"], optional = true }
 socket2 = { version = "0.5", optional = true, features = ["all"] }
-tokio = {version = "1", default-features = false, optional = true}
-tower = {version = "0.4.7", default-features = false, optional = true}
-axum = {version = "0.7", default-features = false, optional = true}
+tokio = { version = "1", default-features = false, optional = true }
+tower = { version = "0.4.7", default-features = false, optional = true }
+axum = { version = "0.7", default-features = false, optional = true }
 
 # rustls
 rustls-pemfile = { version = "2.0", optional = true }
 rustls-native-certs = { version = "0.8", optional = true }
-tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"], optional = true }
+tokio-rustls = { version = "0.26", default-features = false, features = [
+  "logging",
+  "tls12",
+], optional = true }
 webpki-roots = { version = "0.26", optional = true }
 
 # compression
-flate2 = {version = "1.0", optional = true}
+flate2 = { version = "1.0", optional = true }
 zstd = { version = "0.13.0", optional = true }
 
 # channel
-hyper-timeout = {version = "0.5", optional = true}
+hyper-timeout = { version = "0.5", optional = true }
 
 [dev-dependencies]
 bencher = "0.1.5"
 quickcheck = "1.0"
 quickcheck_macros = "1.0"
 rand = "0.8"
 static_assertions = "1.0"
-tokio = {version = "1.0", features = ["rt", "macros"]}
-tower = {version = "0.4.7", features = ["full"]}
+tokio = { version = "1.0", features = ["rt", "macros"] }
+tower = { version = "0.4.7", features = ["full"] }
 
 [package.metadata.docs.rs]
 all-features = true

tonic/src/request.rs

@@ -1,15 +1,15 @@
 use crate::metadata::{MetadataMap, MetadataValue};
 #[cfg(feature = "server")]
 use crate::transport::server::TcpConnectInfo;
-#[cfg(all(feature = "server", feature = "tls"))]
+#[cfg(all(feature = "server", any(feature = "tls", feature = "tls-aws-lc")))]
 use crate::transport::server::TlsConnectInfo;
 use http::Extensions;
 #[cfg(feature = "server")]
 use std::net::SocketAddr;
-#[cfg(all(feature = "server", feature = "tls"))]
+#[cfg(all(feature = "server", any(feature = "tls", feature = "tls-aws-lc")))]
 use std::sync::Arc;
 use std::time::Duration;
-#[cfg(all(feature = "server", feature = "tls"))]
+#[cfg(all(feature = "server", any(feature = "tls", feature = "tls-aws-lc")))]
 use tokio_rustls::rustls::pki_types::CertificateDer;
 use tokio_stream::Stream;
 
@@ -218,7 +218,7 @@ impl<T> Request<T> {
             .get::<TcpConnectInfo>()
             .and_then(|i| i.local_addr());
 
-        #[cfg(feature = "tls")]
+        #[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
         let addr = addr.or_else(|| {
             self.extensions()
                 .get::<TlsConnectInfo<TcpConnectInfo>>()
@@ -240,7 +240,7 @@ impl<T> Request<T> {
             .get::<TcpConnectInfo>()
             .and_then(|i| i.remote_addr());
 
-        #[cfg(feature = "tls")]
+        #[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
         let addr = addr.or_else(|| {
             self.extensions()
                 .get::<TlsConnectInfo<TcpConnectInfo>>()
@@ -256,7 +256,7 @@ impl<T> Request<T> {
     /// and is mostly used for mTLS. This currently only returns
     /// `Some` on the server side of the `transport` server with
     /// TLS enabled connections.
-    #[cfg(all(feature = "server", feature = "tls"))]
+    #[cfg(all(feature = "server", any(feature = "tls", feature = "tls-aws-lc")))]
     pub fn peer_certs(&self) -> Option<Arc<Vec<CertificateDer<'static>>>> {
         self.extensions()
             .get::<TlsConnectInfo<TcpConnectInfo>>()

tonic/src/transport/channel/endpoint.rs

@@ -1,8 +1,8 @@
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 use super::service::TlsConnector;
 use super::service::{self, Executor, SharedExec};
 use super::Channel;
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 use super::ClientTlsConfig;
 use crate::transport::Error;
 use bytes::Bytes;
@@ -23,7 +23,7 @@ pub struct Endpoint {
     pub(crate) timeout: Option<Duration>,
     pub(crate) concurrency_limit: Option<usize>,
     pub(crate) rate_limit: Option<(u64, Duration)>,
-    #[cfg(feature = "tls")]
+    #[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
     pub(crate) tls: Option<TlsConnector>,
     pub(crate) buffer_size: Option<usize>,
     pub(crate) init_stream_window_size: Option<u32>,
@@ -49,7 +49,7 @@ impl Endpoint {
         D::Error: Into<crate::Error>,
     {
         let me = dst.try_into().map_err(|e| Error::from_source(e.into()))?;
-        #[cfg(feature = "tls")]
+        #[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
         if me.uri.scheme() == Some(&http::uri::Scheme::HTTPS) {
             return me.tls_config(ClientTlsConfig::new().with_enabled_roots());
         }
@@ -244,7 +244,7 @@ impl Endpoint {
     }
 
     /// Configures TLS for the endpoint.
-    #[cfg(feature = "tls")]
+    #[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
     pub fn tls_config(self, tls_config: ClientTlsConfig) -> Result<Self, Error> {
         Ok(Endpoint {
             tls: Some(
@@ -320,7 +320,7 @@ impl Endpoint {
     pub(crate) fn connector<C>(&self, c: C) -> service::Connector<C> {
         service::Connector::new(
             c,
-            #[cfg(feature = "tls")]
+            #[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
             self.tls.clone(),
         )
     }
@@ -445,7 +445,7 @@ impl From<Uri> for Endpoint {
             concurrency_limit: None,
             rate_limit: None,
             timeout: None,
-            #[cfg(feature = "tls")]
+            #[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
             tls: None,
             buffer_size: None,
             init_stream_window_size: None,

tonic/src/transport/channel/mod.rs

@@ -2,11 +2,11 @@
 
 mod endpoint;
 pub(crate) mod service;
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 mod tls;
 
 pub use endpoint::Endpoint;
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 pub use tls::ClientTlsConfig;
 
 use self::service::{Connection, DynamicServiceStream, Executor, SharedExec};

tonic/src/transport/channel/service/connector.rs

@@ -1,30 +1,33 @@
 use super::BoxedIo;
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 use super::TlsConnector;
 use crate::transport::channel::BoxFuture;
 use crate::ConnectError;
 use http::Uri;
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 use std::fmt;
 use std::task::{Context, Poll};
 
 use hyper::rt;
 
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 use hyper_util::rt::TokioIo;
 use tower_service::Service;
 
 pub(crate) struct Connector<C> {
     inner: C,
-    #[cfg(feature = "tls")]
+    #[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
     tls: Option<TlsConnector>,
 }
 
 impl<C> Connector<C> {
-    pub(crate) fn new(inner: C, #[cfg(feature = "tls")] tls: Option<TlsConnector>) -> Self {
+    pub(crate) fn new(
+        inner: C,
+        #[cfg(any(feature = "tls", feature = "tls-aws-lc"))] tls: Option<TlsConnector>,
+    ) -> Self {
         Self {
             inner,
-            #[cfg(feature = "tls")]
+            #[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
             tls,
         }
     }
@@ -48,18 +51,18 @@ where
     }
 
     fn call(&mut self, uri: Uri) -> Self::Future {
-        #[cfg(feature = "tls")]
+        #[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
         let tls = self.tls.clone();
 
-        #[cfg(feature = "tls")]
+        #[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
         let is_https = uri.scheme_str() == Some("https");
         let connect = self.inner.call(uri);
 
         Box::pin(async move {
             async {
                 let io = connect.await?;
 
-                #[cfg(feature = "tls")]
+                #[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
                 if is_https {
                     return if let Some(tls) = tls {
                         let io = tls.connect(TokioIo::new(io)).await?;
@@ -78,17 +81,17 @@ where
 }
 
 /// Error returned when trying to connect to an HTTPS endpoint without TLS enabled.
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 #[derive(Debug)]
 pub(crate) struct HttpsUriWithoutTlsSupport(());
 
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 impl fmt::Display for HttpsUriWithoutTlsSupport {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(f, "Connecting to HTTPS without TLS enabled")
     }
 }
 
 // std::error::Error only requires a type to impl Debug and Display
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 impl std::error::Error for HttpsUriWithoutTlsSupport {}

tonic/src/transport/channel/service/mod.rs

@@ -22,7 +22,7 @@ pub(crate) use self::connector::Connector;
 mod executor;
 pub(super) use self::executor::{Executor, SharedExec};
 
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 mod tls;
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 pub(super) use self::tls::TlsConnector;

tonic/src/transport/mod.rs

@@ -96,7 +96,7 @@ pub mod server;
 
 mod error;
 mod service;
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 mod tls;
 
 #[doc(inline)]
@@ -109,15 +109,15 @@ pub use self::server::Server;
 /// Deprecated. Please use [`crate::status::TimeoutExpired`] instead.
 pub use crate::status::TimeoutExpired;
 
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 pub use self::tls::Certificate;
 pub use hyper::{body::Body, Uri};
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 pub use tokio_rustls::rustls::pki_types::CertificateDer;
 
 #[cfg(all(feature = "channel", feature = "tls"))]
 pub use self::channel::ClientTlsConfig;
-#[cfg(all(feature = "server", feature = "tls"))]
+#[cfg(all(feature = "server", any(feature = "tls", feature = "tls-aws-lc")))]
 pub use self::server::ServerTlsConfig;
-#[cfg(feature = "tls")]
+#[cfg(any(feature = "tls", feature = "tls-aws-lc"))]
 pub use self::tls::Identity;