Merge ec0a9bd8a1 into 513e374b2e

This requires taking a patch on an unreleased aws-lc-rs fix that
increases a `MAX_HKDF_INFO_LEN` constant beyond 80 bytes. In
practice when computing ECH confirmation the info fed through the HKDF
interface can be larger than 80 bytes and without this change the
operation fails with an output length error.

Cargo.lock

@@ -338,9 +338,8 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
 
 [[package]]
 name = "aws-lc-fips-sys"
-version = "0.12.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7e872633d0107cd8f882b08dd9a6ee0e5bf0511da083778f666e325d597069ae"
+version = "0.12.7"
+source = "git+https://github.com/cpu/aws-lc-rs?rev=8758425d56663f48fac57a50ed21d5c904ca27c8#8758425d56663f48fac57a50ed21d5c904ca27c8"
 dependencies = [
  "bindgen",
  "cmake",
@@ -353,8 +352,7 @@ dependencies = [
 [[package]]
 name = "aws-lc-rs"
 version = "1.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5509d663b2c00ee421bda8d6a24d6c42e15970957de1701b8df9f6fbe5707df1"
+source = "git+https://github.com/cpu/aws-lc-rs?rev=8758425d56663f48fac57a50ed21d5c904ca27c8#8758425d56663f48fac57a50ed21d5c904ca27c8"
 dependencies = [
  "aws-lc-fips-sys",
  "aws-lc-sys",
@@ -367,8 +365,7 @@ dependencies = [
 [[package]]
 name = "aws-lc-sys"
 version = "0.15.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8d5d317212c2a78d86ba6622e969413c38847b62f48111f8b763af3dac2f9840"
+source = "git+https://github.com/cpu/aws-lc-rs?rev=8758425d56663f48fac57a50ed21d5c904ca27c8#8758425d56663f48fac57a50ed21d5c904ca27c8"
 dependencies = [
  "bindgen",
  "cc",

Cargo.toml

@@ -31,3 +31,6 @@ lto = "yes"
 # TODO(XXX): Remove this once 0.25 is released - we want the ECH fixes from
 #            https://github.com/hickory-dns/hickory-dns/pull/2183
 hickory-resolver = { git = "https://github.com/hickory-dns/hickory-dns", rev = "6334a01430088ead8642cafaee592ec7bf49831f" }
+
+# TODO(XXX): Remove this once upstream HKDF info size limit increased.
+aws-lc-rs = { git = "https://github.com/cpu/aws-lc-rs", rev = "8758425d56663f48fac57a50ed21d5c904ca27c8" }

bogo/config.json.in

@@ -32,7 +32,6 @@
     "CertCompression*": "not implemented",
     "DuplicateCertCompressionExt*": "",
     "TLS-ECH-Server*": "ECH server support NYI",
-#ifdef RING
     "TLS-ECH-Client-ExpectECHOuterExtensions": "ECH extension compression NYI",
     "TLS-ECH-Client-CompressSupportedVersions": "ECH extension compression NYI",
     "TLS-ECH-Client-SelectECHConfig": "TODO(XXX): re-enable after upstream bogo fix",
@@ -53,9 +52,6 @@
     "TLS-ECH-GREASE-Client-TLS13-HelloRetryRequest": "TODO(XXX): fix this test",
     "TLS-ECH-Client-GREASE-IgnoreHRRExtension": "TODO(XXX): fix this test",
 #endif /* 1 */
-#else
-    "TLS-ECH-*": "TODO(XXXX): figure this out...",
-#endif /* ring */
     "ALPS-*": "",
     "*Kyber*": "",
     "ExtraClientEncryptedExtension-*": "we don't implement ALPS",

rustls/src/crypto/aws_lc_rs/mod.rs

@@ -114,7 +114,7 @@ pub static DEFAULT_CIPHER_SUITES: &[SupportedCipherSuite] = &[
     tls12::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 ];
 
-/// A list of all the cipher suites supported by the rustls *ring* provider.
+/// A list of all the cipher suites supported by the rustls aws-lc-rs provider.
 pub static ALL_CIPHER_SUITES: &[SupportedCipherSuite] = &[
     // TLS1.3 suites
     tls13::TLS13_AES_256_GCM_SHA384,
@@ -149,7 +149,7 @@ pub mod cipher_suite {
 }
 
 /// A `WebPkiSupportedAlgorithms` value that reflects webpki's capabilities when
-/// compiled against *ring*.
+/// compiled against aws-lc-rs.
 static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms {
     all: &[
         webpki_algs::ECDSA_P256_SHA256,