Skip to content

feat: Modular crypto #1292

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
richarddavison wants to merge 28 commits into
base: main
Choose a base branch
from
Draft

feat: Modular crypto #1292

Show file tree
Hide file tree
Changes from 23 commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
c54bb81
WIP
richarddavison Sep 29, 2025
95c613f
Refactor crypto and HTTP modules to support multiple TLS backends
richarddavison Dec 15, 2025
c29dd0e
CI
richarddavison Dec 15, 2025
d94eee3
Allow all features
richarddavison Dec 15, 2025
00ae1b4
Fix fixtures
richarddavison Dec 16, 2025
a642718
pkg-config
richarddavison Dec 16, 2025
18d810b
Vendored openssl
richarddavison Dec 16, 2025
0b44c08
Fix
richarddavison Dec 16, 2025
dd7330a
Cleanup features
richarddavison Dec 16, 2025
241e108
Tweak features
richarddavison Dec 17, 2025
9c8f534
Do not use macos-14
richarddavison Dec 17, 2025
43e4e58
Adjust features
richarddavison Dec 17, 2025
cb01384
Fix flags
richarddavison Dec 17, 2025
a59d2ab
Cleanup CI
richarddavison Dec 17, 2025
7a3b6fa
Cleanups
richarddavison Dec 18, 2025
0cdb19c
Fix check
richarddavison Dec 18, 2025
5aa5473
Features
richarddavison Dec 18, 2025
1246c11
Allow deadcode for providers with missing algos
richarddavison Dec 19, 2025
7656725
AES CPU feature detection
richarddavison Dec 19, 2025
003563f
Format
richarddavison Dec 19, 2025
476ace9
Clippy
richarddavison Dec 19, 2025
5eef3b6
Disable test
richarddavison Dec 19, 2025
db9db46
Disable some tests
richarddavison Dec 19, 2025
1602691
Disable tests
richarddavison Dec 19, 2025
ce0d72a
Gates
richarddavison Dec 19, 2025
80850f5
Ignore if kill fails due to process already killed
richarddavison Dec 21, 2025
322f76d
Merge branch 'main' into feat/modular-crypto
richarddavison Dec 22, 2025
b5cf8f1
Fix CI
richarddavison Dec 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 18 additions & 4 deletions .github/workflows/build-modules.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,31 +14,45 @@
toolchain:
required: true
type: string
tls_feature:
required: false
type: string
default: "tls-ring"
Copy link
Collaborator

@Sytten Sytten Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would replace that with

      crypto:
        required: false
        type: string
        default: "ring"


jobs:
build:
name: ${{ inputs.arch }}-${{ inputs.platform }}
name: ${{ inputs.arch }}-${{ inputs.platform }}-${{ inputs.tls_feature }}
runs-on: ${{ inputs.os }}
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Setup Rust
uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: ${{ inputs.toolchain }}
Copy link
Collaborator

@Sytten Sytten Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then add here:

      - name: Map crypto feature to TLS and crypto features
        id: features
        shell: bash
        run: |
          case "${{ inputs.crypto }}" in
            graviola)
              echo "tls_feature=tls-graviola" >> $GITHUB_OUTPUT
              echo "crypto_feature=crypto-graviola" >> $GITHUB_OUTPUT
              ;;
            ring)
              echo "tls_feature=tls-ring" >> $GITHUB_OUTPUT
              echo "crypto_feature=crypto-ring" >> $GITHUB_OUTPUT
              ;;
            openssl)
              echo "tls_feature=tls-openssl" >> $GITHUB_OUTPUT
              echo "crypto_feature=crypto-openssl" >> $GITHUB_OUTPUT
              ;;
            aws-lc)
              echo "tls_feature=tls-aws-lc" >> $GITHUB_OUTPUT
              echo "crypto_feature=crypto-ring" >> $GITHUB_OUTPUT
              ;;
            *)
              echo "Unknown crypto feature: ${{ inputs.crypto }}"
              exit 1
              ;;
          esac

You can add other cases if you want to mix and match

- name: Run build crates
Copy link
Collaborator

@Sytten Sytten Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then replace the following with

      - name: Run build crates
        shell: bash
        env:
          RUSTFLAGS: ""
          TLS_FEATURE: ${{ steps.features.outputs.tls_feature }}
          CRYPTO_FEATURE: ${{ steps.features.outputs.crypto_feature }}
        run: |
          crates=$(cargo metadata --no-deps --format-version 1 --quiet | jq -r '.packages[] | select(.manifest_path | contains("modules/")) | .name')
          for crate in $crates; do
            echo "Compiling crate: $crate"
            # Use TLS feature for crates that need TLS, with --no-default-features to avoid conflicts
            if [ "$crate" = "llrt_fetch" ] || [ "$crate" = "llrt_http" ]; then
              cargo build -p "$crate" --no-default-features --features "http1,http2,webpki-roots,compression-rust,$TLS_FEATURE"
            elif [ "$crate" = "llrt_crypto" ]; then
              cargo build -p "$crate" --no-default-features --features "$CRYPTO_FEATURE"
            else
              cargo build -p "$crate"
            fi
          done
      - name: Run build all
        env:
          TLS_FEATURE: ${{ steps.features.outputs.tls_feature }}
          CRYPTO_FEATURE: ${{ steps.features.outputs.crypto_feature }}
        run: |
          cargo build -p llrt_modules --no-default-features --features "base,$TLS_FEATURE,$CRYPTO_FEATURE"
      - name: Run tests all
        env:
          TLS_FEATURE: ${{ steps.features.outputs.tls_feature }}
          CRYPTO_FEATURE: ${{ steps.features.outputs.crypto_feature }}
        run: |
          cargo test -p llrt_modules --no-default-features --features "base,$TLS_FEATURE,$CRYPTO_FEATURE"

shell: bash
env:
RUSTFLAGS: ""
TLS_FEATURE: ${{ inputs.tls_feature }}
run: |
crates=$(cargo metadata --no-deps --format-version 1 --quiet | jq -r '.packages[] | select(.manifest_path | contains("modules/")) | .name')
for crate in $crates; do
echo "Compiling crate: $crate"
cargo build -p "$crate"
# Use TLS feature for crates that need TLS, with --no-default-features to avoid conflicts
if [ "$crate" = "llrt_fetch" ] || [ "$crate" = "llrt_http" ]; then
cargo build -p "$crate" --no-default-features --features "http1,http2,webpki-roots,$TLS_FEATURE"
else
cargo build -p "$crate"
fi
done
- name: Run build all
env:
TLS_FEATURE: ${{ inputs.tls_feature }}
run: |
cargo build -p llrt_modules
cargo build -p llrt_modules --no-default-features --features "base,$TLS_FEATURE"
- name: Run tests all
env:
TLS_FEATURE: ${{ inputs.tls_feature }}
run: |
cargo test -p llrt_modules
cargo test -p llrt_modules --no-default-features --features "base,$TLS_FEATURE"

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 24 days ago

To fix the issue, explicitly define minimal permissions for the workflow so the GITHUB_TOKEN is limited to what the job actually needs. In this case, the steps only need to read repository contents (for actions/checkout) and then run local build/test commands, so contents: read is sufficient.

The best way to do this without changing existing functionality is to add a root-level permissions block near the top of .github/workflows/build-modules.yml, applying to all jobs in the workflow. Concretely, insert:

permissions:
  contents: read

between the name: line and the on: section. No other changes (jobs, steps, or additional permissions) are required, since none of the steps perform write operations to GitHub resources. This preserves current behavior while constraining the token.

Suggested changeset 1
.github/workflows/build-modules.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build-modules.yml b/.github/workflows/build-modules.yml
--- a/.github/workflows/build-modules.yml
+++ b/.github/workflows/build-modules.yml
@@ -1,4 +1,6 @@
 name: Setup, Build & Test modules
+permissions:
+  contents: read
 on:
   workflow_call:
     inputs:
EOF
@@ -1,4 +1,6 @@
name: Setup, Build & Test modules
permissions:
contents: read
on:
workflow_call:
inputs:
Copilot is powered by AI and may make mistakes. Always verify output.
11 changes: 11 additions & 0 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,10 @@ on:
required: false
type: string
default: "nightly"
cargo_features:
required: false
type: string
description: "Cargo features to use (e.g. --no-default-features --features crypto-ring-rust,tls-ring,macro)"

jobs:
build:
Expand Down Expand Up @@ -81,11 +85,18 @@ jobs:
toolchain: ${{ inputs.toolchain }}
- name: Run tests
if: inputs.platform != 'windows'
env:
CARGO_FEATURES: ${{ inputs.cargo_features }}
# Set LIMITED_CRYPTO for providers that don't support full SubtleCrypto
LLRT_LIMITED_CRYPTO: ${{ contains(inputs.cargo_features, 'crypto-ring,') || contains(inputs.cargo_features, 'crypto-graviola,') && '1' || '0' }}
run: |
make test-ci 2>&1
- name: Run tests on windows
if: inputs.platform == 'windows'
shell: msys2 {0}
env:
CARGO_FEATURES: ${{ inputs.cargo_features }}
LLRT_LIMITED_CRYPTO: ${{ contains(inputs.cargo_features, 'crypto-ring,') || contains(inputs.cargo_features, 'crypto-graviola,') && '1' || '0' }}
run: |
make test-ci 2>&1
- name: Build Linux binaries
Expand Down
68 changes: 59 additions & 9 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,13 +29,60 @@ jobs:
for i in {1..5}; do
echo "console.log(123);" > "bundle/js/test$i.js"
done
cargo clippy --all-targets --all-features -- -D warnings
cargo clippy --all-targets --features "lambda,macro,no-sdk,uncompressed,crypto-rust,tls-ring,openssl-vendored" -- -D warnings

build:
needs:
- check
strategy:
fail-fast: ${{ startsWith(github.ref, 'refs/tags/') }}
matrix:
os:
- windows-latest
- ubuntu-latest
- ubuntu-24.04-arm
- macos-latest
crypto:
- name: default
features: ""
- name: crypto-rust+tls-ring
features: "--no-default-features --features crypto-rust,tls-ring,macro"
- name: crypto-rust+tls-aws-lc
features: "--no-default-features --features crypto-rust,tls-aws-lc,macro"
- name: crypto-ring+tls-ring
features: "--no-default-features --features crypto-ring,tls-ring,macro"
- name: crypto-ring-rust+tls-ring
features: "--no-default-features --features crypto-ring-rust,tls-ring,macro"
- name: crypto-graviola+tls-graviola
features: "--no-default-features --features crypto-graviola,tls-graviola,macro"
- name: crypto-graviola-rust+tls-graviola
features: "--no-default-features --features crypto-graviola-rust,tls-graviola,macro"
- name: crypto-openssl+tls-openssl
features: "--no-default-features --features crypto-openssl,tls-openssl,macro"
exclude:
# OpenSSL requires native compilation - exclude from cross-compile targets
- os: ubuntu-latest
crypto:
name: crypto-openssl+tls-openssl
- os: ubuntu-24.04-arm
crypto:
name: crypto-openssl+tls-openssl
- os: windows-latest
crypto:
name: crypto-openssl+tls-openssl
# Graviola only supports aarch64
- os: ubuntu-latest
crypto:
name: crypto-graviola+tls-graviola
- os: ubuntu-latest
crypto:
name: crypto-graviola-rust+tls-graviola
- os: windows-latest
crypto:
name: crypto-graviola+tls-graviola
- os: windows-latest
crypto:
name: crypto-graviola-rust+tls-graviola
include:
- os: windows-latest
platform: windows
Expand Down Expand Up @@ -63,24 +110,26 @@ jobs:
platform: ${{ matrix.platform }}
arch: ${{ matrix.arch }}
toolchain: ${{ matrix.toolchain }}
cargo_features: ${{ matrix.crypto.features }}

modules:
needs:
- check
strategy:
matrix:
os:
- ubuntu-latest
- macos-latest
- windows-latest
tls:
- tls-ring
- tls-aws-lc
- tls-graviola
Copy link
Collaborator

@Sytten Sytten Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missing tls-openssl

include:
Copy link
Collaborator

@Sytten Sytten Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unsure if you really need the include now?

- os: ubuntu-latest
platform: linux
arch: x86_64
toolchain: stable
- os: ubuntu-24.04-arm
platform: linux
arch: aarch64
toolchain: stable
- os: macos-latest
platform: darwin
arch: x86_64
toolchain: stable
- os: macos-latest
platform: darwin
arch: aarch64
Expand All @@ -95,3 +144,4 @@ jobs:
platform: ${{ matrix.platform }}
arch: ${{ matrix.arch }}
toolchain: ${{ matrix.toolchain }}
tls_feature: ${{ matrix.tls }}
Loading
Loading