
chore(tls): use CNG rustls provider on Windows#1929

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 10 commits into main from thieman/use-rustls-cng-crypto-windows on Jun 30, 2026

Conversation

thieman (Contributor) commented Jun 25, 2026

Summary

Switch Windows Rustls builds to Datadog's CNG-backed Rustls provider.

Key changes

  • Add rustls-cng-crypto from DataDog/rustls-cng-crypto at version 0.2.0, rev 2498c870c949335cb70dc79ed558917b96e4ff72.
  • Install the CNG provider on Windows and keep AWS-LC as the provider on non-Windows platforms.
  • Keep a single fips feature: on non-Windows it enables AWS-LC FIPS mode and Rustls WebPKI's AWS-LC FIPS verifier algorithms, then filters the AWS-LC provider to FIPS-approved suites/groups; on Windows it enables the CNG provider's FIPS mode.
  • Stop enabling Rustls AWS-LC provider features globally so Windows dependency graphs do not pull aws-lc-rs, aws-lc-sys, or aws-lc-fips-sys.
  • Use provider-neutral reqwest Rustls features in panoramic and target-specific rcgen crypto backends.
  • Add a Windows-only saluki-tls provider-construction smoke test.
  • Allow-list the rustls-cng-crypto Git source in deny.toml and regenerate LICENSE-3rdparty.csv for the new dependency graph.
  • Stop packaging AWS-LC FIPS runtime DLLs in Windows FIPS zips because Windows FIPS now uses CNG.

Test plan

  • make fmt
  • cargo check --locked -p saluki-tls --target x86_64-pc-windows-msvc --features fips
  • cargo tree --workspace --target x86_64-pc-windows-msvc --edges normal -i aws-lc-sys
  • cargo tree --locked -p agent-data-plane --target x86_64-pc-windows-msvc --features fips -i aws-lc-rs
  • cargo tree --locked -p agent-data-plane --target x86_64-pc-windows-msvc --features fips -i rustls-cng-crypto
  • cargo tree --locked -p saluki-tls --features fips -i aws-lc-fips-sys (shows non-Windows AWS-LC FIPS graph; local compile requires cmake)
  • cargo tree --locked -p saluki-tls --features fips -e features -i rustls-webpki (shows rustls-webpki/aws-lc-rs-fips)
  • cargo check --workspace
  • cargo check --workspace --tests
  • cargo nextest run -p saluki-tls
  • cargo nextest run -p saluki-io net::client::http::conn::tests::
  • cargo deny check advisories sources
  • make check-licenses
  • Pre-commit checks
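The test plan above checks the dependency graph by hand with a series of cargo tree invocations. As an added example (not part of the PR or of the Saluki repository), the following POSIX shell script turns those checks into a pass/fail CI gate: the Windows --features fips graph must contain rustls-cng-crypto and none of aws-lc-rs, aws-lc-sys or aws-lc-fips-sys; the host --features fips graph must contain aws-lc-fips-sys and show the rustls-webpki "aws-lc-rs-fips" feature edge. Matching is done on cargo tree's text output so the rules can be exercised offline on constructed output; the script name, the RUN_CARGO_GATE switch and the sample lines in the comments are assumptions, as is the exact output shape (crate lines as `name vX.Y.Z`, feature lines as `name feature "f"`).

```shell
#!/bin/sh
# fips-graph-gate.sh (added example, not the PR's or the Saluki repo's code).
# Turns the manual `cargo tree ... -i <crate>` checks into CI pass/fail rules.
# Assumptions: run from the workspace root with `cargo` on PATH; cargo tree
# prints inverted trees as `crate vX.Y.Z` lines and, with `-e features`,
# feature edges as `crate feature "name"` lines.

WIN_TARGET=x86_64-pc-windows-msvc

# cargo_tree_for TARGET PKG FEATURES CRATE: inverted tree for CRATE, stdout only.
# Empty output means "absent": cargo tree prints nothing when the crate is not
# in PKG's graph for that target, and errors when it is not in Cargo.lock at all.
cargo_tree_for() {
  cargo tree --locked -p "$2" --target "$1" --features "$3" -i "$4" 2>/dev/null
}

# cargo_tree_host PKG FEATURES CRATE: same, for the host target.
cargo_tree_host() {
  cargo tree --locked -p "$1" --features "$2" -i "$3" 2>/dev/null
}

# cargo_tree_host_features PKG FEATURES CRATE: host target with feature edges.
cargo_tree_host_features() {
  cargo tree --locked -p "$1" --features "$2" -e features -i "$3" 2>/dev/null
}

# tree_mentions_crate CRATE OUTPUT: true when OUTPUT has a `CRATE vX.Y.Z` line.
# Anchored on line start or whitespace and on the version so that `aws-lc-rs`
# does not match `aws-lc-rs-fips`-style names, and `aws-lc-sys` does not match
# `aws-lc-fips-sys`.
tree_mentions_crate() {
  printf '%s\n' "$2" | grep -Eq "(^|[[:space:]])$1 v[0-9]"
}

# tree_mentions_feature CRATE FEATURE OUTPUT: true when OUTPUT has the
# `CRATE feature "FEATURE"` line that `cargo tree -e features` prints.
tree_mentions_feature() {
  printf '%s\n' "$3" | grep -Fq "$1 feature \"$2\""
}

# forbid_crate CRATE OUTPUT: return 1 (with the offending tree) if present.
forbid_crate() {
  if tree_mentions_crate "$1" "$2"; then
    printf 'FAIL: %s must not be in the graph:\n%s\n' "$1" "$2" >&2
    return 1
  fi
  echo "ok: $1 absent"
}

# require_crate CRATE OUTPUT: return 1 if the crate is missing.
require_crate() {
  if ! tree_mentions_crate "$1" "$2"; then
    printf 'FAIL: %s missing from the graph\n' "$1" >&2
    return 1
  fi
  echo "ok: $1 present"
}

# require_feature CRATE FEATURE OUTPUT: return 1 if the feature edge is missing.
require_feature() {
  if ! tree_mentions_feature "$1" "$2" "$3"; then
    printf 'FAIL: %s/%s not enabled\n' "$1" "$2" >&2
    return 1
  fi
  echo "ok: $1/$2 enabled"
}

# Windows --features fips: CNG provider only, no AWS-LC crate of any kind.
check_windows_fips_graph() {
  for c in aws-lc-rs aws-lc-sys aws-lc-fips-sys; do
    forbid_crate "$c" "$(cargo_tree_for "$WIN_TARGET" agent-data-plane fips "$c")" || return 1
  done
  require_crate rustls-cng-crypto \
    "$(cargo_tree_for "$WIN_TARGET" agent-data-plane fips rustls-cng-crypto)"
}

# Host (non-Windows) --features fips: AWS-LC FIPS backend plus FIPS webpki verifier.
check_host_fips_graph() {
  require_crate aws-lc-fips-sys "$(cargo_tree_host saluki-tls fips aws-lc-fips-sys)" || return 1
  require_feature rustls-webpki aws-lc-rs-fips \
    "$(cargo_tree_host_features saluki-tls fips rustls-webpki)"
}

# Usage: RUN_CARGO_GATE=1 sh fips-graph-gate.sh   (no-op without the switch,
# so the rule functions can be sourced and exercised without a workspace).
if [ "${RUN_CARGO_GATE:-0}" = 1 ]; then
  check_windows_fips_graph && check_host_fips_graph
fi
```

The forbid rules are the important half: because Cargo unifies features across the whole graph, any crate on the Windows target that turns on rustls's aws_lc_rs feature (a reqwest or rcgen feature, for instance) silently reintroduces AWS-LC, and only the graph check catches that.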

dd-octo-sts Bot added labels on Jun 25, 2026: area/core (Core functionality, event model, etc.), area/io (General I/O and networking), area/components (Sources, transforms, and destinations), area/observability (Internal observability of ADP and Saluki).

pr-commenter Bot commented Jun 25, 2026

Regression Detector (Agent Data Plane)

Run ID: 53da9b0f-fef5-46cd-9200-fa64efa5f690
Baseline: 68609904 · Comparison: fc79c87a · diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment (5)

Experiments configured erratic: true are tagged (ignored) and skipped when determining which experiments regressed or improved. Experiments which are detected as erratic at runtime are tagged (erratic) to flag that the run's sample dispersion was high, but their regression / improvement signal still counts.

experiment                        goal    Δ mean %
quality_gates_rss_dsd_low         memory  ⚪ +0.31
quality_gates_rss_dsd_ultraheavy  memory  ⚪ +0.12
quality_gates_rss_idle            memory  ⚪ +0.08
quality_gates_rss_dsd_heavy       memory  ⚪ -0.08
quality_gates_rss_dsd_medium      memory  ⚪ -0.75

Bounds Checks: ✅ Passed (5)

experiment                        check         replicates  observed
quality_gates_rss_dsd_heavy       memory_usage  10/10       ✅ 131 MiB ≤ 140 MiB
quality_gates_rss_dsd_low         memory_usage  10/10       ✅ 42 MiB ≤ 50 MiB
quality_gates_rss_dsd_medium      memory_usage  10/10       ✅ 64.1 MiB ≤ 75 MiB
quality_gates_rss_dsd_ultraheavy  memory_usage  10/10       ✅ 191 MiB ≤ 200 MiB
quality_gates_rss_idle            memory_usage  10/10       ✅ 27.9 MiB ≤ 40 MiB
Explanation

A change is flagged as a regression when |Δ mean %| > 5.00% in the regressing direction for its optimization goal AND SMP marks the experiment as a regression (is_regression: true). Improvements use the matching criteria for the improving direction. Experiments configured erratic: true (tagged (ignored)) are skipped outright; experiments detected as erratic at runtime (tagged (erratic)) still count, since that flag describes sample dispersion rather than directional certainty. The Δ mean % cell is colored accordingly: 🟢 = improvement, 🔴 = regression, ⚪ = neutral. Reduction in CPU or memory is an improvement; reduction in ingress throughput is a regression.

dd-octo-sts Bot added the label area/ci (CI/CD, automated testing, etc.) on Jun 25, 2026.
pr-commenter Bot commented Jun 29, 2026

Binary Size Analysis (Agent Data Plane)

Baseline: 6860990 · Comparison: fc79c87 · diff
Analysis Configuration: stripped binaries · Pass/Fail Threshold: +5%
Sizes: 40.48 MiB (baseline) vs 40.48 MiB (comparison)
Size Change: -4.08 KiB (-0.01%)

✅ Binary size difference within threshold

Changes by Module
Module File Size Symbols
anon.d41443d9b4e8e19d69b001be3e706067.20.llvm.14570049942322470332 -13.72 KiB 1
anon.32b03eee52bda8d97472acd294c71bf8.1979.llvm.5568725467702660595 +13.72 KiB 1
anon.60ac4bcae015a9609972edcdca639b3b.1.llvm.2935971484734148233 -7.55 KiB 1
anon.32b03eee52bda8d97472acd294c71bf8.1.llvm.5568725467702660595 +7.55 KiB 1
anon.3015a67249c97e7be245550373800190.8.llvm.1255512461083497172 -4.39 KiB 1
anon.7e7e0dac8a0d3502438f43789a3c7bd2.242.llvm.17903347727370837858 +4.39 KiB 1
anon.0cdb6c17c6f65ce5d46409fbadd031b9.210.llvm.2224256004584807259 +3.71 KiB 1
anon.91ae4b17ba2fe0e59c3e749e1bd4209b.3.llvm.4766316480766188126 -3.71 KiB 1
anon.80a84f9759beeb40830337c0ccfaa221.373.llvm.12057969949507315138 -2.98 KiB 1
anon.2da3adcd26fd69d41b4183edaceae88b.373.llvm.3677174280134924382 +2.98 KiB 1
anon.75571037cd0723bbe125d64ea26c3745.2.llvm.6756009048372103969 +2.96 KiB 1
anon.286206aeea79a865cad7926d6839b7a2.2.llvm.15165086171491752223 -2.96 KiB 1
anon.ab0c5abd32eaf0ede61261aaab87271c.280.llvm.10931741840802253537 -2.84 KiB 1
anon.6d29061db9824705752f828c4ba74c22.295.llvm.17616209488140865636 +2.84 KiB 1
anon.59aa888c63eb68dd1db4fd8244239e0e.299.llvm.14795970705444245243 -2.77 KiB 1
anon.2b91e28b07521915e6fee72569c0cd6f.84.llvm.11329147542194752665 +2.77 KiB 1
saluki_io::net::client -2.76 KiB 78
saluki_io::net::util +2.67 KiB 182
anon.2708529afb40265d395cf59584cd72da.50.llvm.8582462321417958988 -2.57 KiB 1
anon.638034b4748d439f270d7a871acc11ce.6.llvm.4010877235441559022 +2.56 KiB 1
Detailed Symbol Changes
    FILE SIZE        VM SIZE    
 --------------  -------------- 
  [NEW] +54.0Ki  [NEW] +53.8Ki    saluki_components::common::datadog::io::run_endpoint_io_loop::_{{closure}}::h275fef14e03b2aa9
  [NEW] +40.2Ki  [NEW] +40.0Ki    _<saluki_components::forwarders::otlp::OtlpForwarder as saluki_core::components::forwarders::Forwarder>::run::_{{closure}}::hca386c06f29dca42
  [NEW] +39.2Ki  [NEW] +39.1Ki    agent_data_plane::cli::run::handle_run_command::_{{closure}}::h59241fead420f3ef
  [NEW] +33.6Ki  [NEW] +33.4Ki    _<saluki_components::transforms::aggregate::Aggregate as saluki_core::components::transforms::Transform>::run::_{{closure}}::haacb4da09c13433b
  [NEW] +29.7Ki  [NEW] +29.6Ki    agent_data_plane::cli::dogstatsd::handle_dogstatsd_command::_{{closure}}::h51ba92cb151010eb
  [NEW] +28.2Ki  [NEW] +28.1Ki    saluki_components::sources::otlp::metrics::translator::OtlpMetricsTranslator::translate_metrics::hb282b9fb7d2b936a
  [NEW] +25.4Ki  [NEW] +25.2Ki    saluki_components::sources::dogstatsd::drive_stream::_{{closure}}::h1f0cc8ccee0093b5
  [NEW] +24.6Ki  [NEW] +24.4Ki    agent_data_plane::internal::remote_agent::run_remote_agent_registration_loop::_{{closure}}::h957cdb2e193950e4
  [NEW] +24.0Ki  [NEW] +23.8Ki    core::ptr::drop_in_place<agent_data_plane::cli::run::handle_run_command::{{closure}}>::h565e9896b575d14c
  [NEW] +23.5Ki  [NEW] +23.3Ki    _<saluki_components::sources::dogstatsd::DogStatsDConfiguration as saluki_core::components::sources::builder::SourceBuilder>::build::_{{closure}}::h65fe989a4e320af5
  -0.0% -3.62Ki  -0.0% -1.03Ki    [44590 Others]
  [DEL] -24.0Ki  [DEL] -23.8Ki    core::ptr::drop_in_place<agent_data_plane::cli::run::handle_run_command::{{closure}}>::h48a35334c9eace0c
  [DEL] -24.0Ki  [DEL] -23.8Ki    _<saluki_components::sources::dogstatsd::DogStatsDConfiguration as saluki_core::components::sources::builder::SourceBuilder>::build::_{{closure}}::he3c398ffe57612cc
  [DEL] -24.6Ki  [DEL] -24.4Ki    agent_data_plane::internal::remote_agent::run_remote_agent_registration_loop::_{{closure}}::ha74974083d627ea7
  [DEL] -25.4Ki  [DEL] -25.2Ki    saluki_components::sources::dogstatsd::drive_stream::_{{closure}}::h77b742b147b1d0fe
  [DEL] -28.2Ki  [DEL] -28.1Ki    saluki_components::sources::otlp::metrics::translator::OtlpMetricsTranslator::translate_metrics::ha68f90eba65acc20
  [DEL] -29.7Ki  [DEL] -29.6Ki    agent_data_plane::cli::dogstatsd::handle_dogstatsd_command::_{{closure}}::h4590010eb3ca1383
  [DEL] -33.6Ki  [DEL] -33.4Ki    _<saluki_components::transforms::aggregate::Aggregate as saluki_core::components::transforms::Transform>::run::_{{closure}}::ha19f43032363b377
  [DEL] -39.2Ki  [DEL] -39.1Ki    agent_data_plane::cli::run::handle_run_command::_{{closure}}::h359f21f5704ce78a
  [DEL] -40.2Ki  [DEL] -40.0Ki    _<saluki_components::forwarders::otlp::OtlpForwarder as saluki_core::components::forwarders::Forwarder>::run::_{{closure}}::h8563f916d92d3ae1
  [DEL] -54.0Ki  [DEL] -53.8Ki    saluki_components::common::datadog::io::run_endpoint_io_loop::_{{closure}}::h41ae646ebde8c1a4
  -0.0% -4.08Ki  -0.0% -1.50Ki    TOTAL

Comment thread lib/saluki-tls/src/lib.rs
{
let mut provider = provider;
provider.cipher_suites.retain(|suite| suite.fips());
provider.kx_groups.retain(|group| group.fips());
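Review bot: the two retain() calls only narrow cipher_suites and kx_groups; nothing here guards against either list ending up empty, and the provider's signature_verification_algorithms are left as whatever the AWS-LC default provider shipped. Consider asserting both lists are non-empty after filtering and finishing with one check on the whole provider, e.g. `assert!(provider.fips(), "provider is not FIPS after filtering")`, so a build whose verifier algorithms are not FIPS-approved fails at install time with a clear message rather than later with "Client TLS configuration is not FIPS compliant".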

thieman (Contributor Author):

Is this replacing a fips feature provided by rustls or AWS LC themselves? Can you verify this is correct?

thieman (Contributor Author):

[GPT-5.5] Verified and adjusted the approach after this comment.

This no longer uses/replaces rustls/fips directly. rustls/fips still implies rustls/aws_lc_rs, which would make Windows FIPS builds pull AWS-LC again. Instead, Saluki’s single fips feature now enables the platform provider’s FIPS mode:

  • non-Windows: aws-lc-rs/fips, with Saluki filtering the AWS-LC provider to FIPS-approved cipher suites and key-exchange groups before installing it.
  • Windows: rustls-cng-crypto/fips.

I verified the graph behavior:

  • cargo tree --locked -p saluki-tls --features fips -i aws-lc-fips-sys shows AWS-LC FIPS on the host/non-Windows path.
  • cargo tree --locked -p agent-data-plane --target x86_64-pc-windows-msvc --features fips -i aws-lc-rs prints nothing.
  • cargo check --locked -p saluki-tls --target x86_64-pc-windows-msvc --features fips passes.

thieman (Contributor Author):

This is still necessary with aws-lc-rs/fips enabled?

thieman (Contributor Author):

[GPT-5.5] Yes, this filtering is still necessary with aws-lc-rs/fips enabled.

The reason is that we intentionally do not enable rustls/fips, because rustls/fips implies rustls/aws_lc_rs and would make Windows FIPS pull AWS-LC again. Enabling aws-lc-rs/fips switches the AWS-LC backend to FIPS, but Rustls’ AWS-LC provider only filters its default cipher suites/KX groups behind Rustls’ own cfg(feature = "fips").

I verified this in the Rustls source: rustls::crypto::aws_lc_rs::default_provider() always starts from DEFAULT_CIPHER_SUITES, and the CHACHA suites are excluded only under Rustls’ own feature = "fips". Since this PR avoids rustls/fips, Saluki still needs to retain only suite.fips() and group.fips() before installing the provider.

The other FIPS pieces are handled separately: aws-lc-rs/fips enables the AWS-LC FIPS backend and rustls-webpki/aws-lc-rs-fips makes the WebPKI signature algorithms report FIPS. The local Linux FIPS integration run (30 passed, 0 failed) confirms the resulting ClientConfig::fips() path works at startup/runtime.

Comment thread lib/saluki-tls/src/lib.rs

#[cfg(windows)]
fn default_crypto_provider() -> CryptoProvider {
rustls_cng_crypto::default_provider()
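Review bot: this branch returns rustls_cng_crypto::default_provider() unchanged, with no filtering or FIPS check mirroring the non-Windows path, so whether the installed provider is in FIPS mode rests entirely on the rustls-cng-crypto fips feature being forwarded. Add a comment here stating that dependency, and have the Windows-only smoke test assert `provider.fips()` when built with --features fips, so the feature forward is verified rather than assumed (the thread notes that no Windows runtime boot was run locally).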

thieman (Contributor Author):

And for this one, how is FIPS propagated?

thieman (Contributor Author):

[GPT-5.5] FIPS is propagated through the existing Saluki fips feature now:

fips = ["aws-lc-rs/fips", "rustls-cng-crypto/fips"]

The dependencies are target-scoped, so only the relevant provider exists for the target:

  • aws-lc-rs is a non-Windows dependency and gets its fips feature there.
  • rustls-cng-crypto is a Windows dependency and gets its fips feature there.

On Windows, the pinned rustls-cng-crypto crate uses its fips feature to make default_provider() return its FIPS provider. Verified with:

  • cargo tree --locked -p agent-data-plane --target x86_64-pc-windows-msvc --features fips -i rustls-cng-crypto shows the CNG provider.
  • cargo tree --locked -p agent-data-plane --target x86_64-pc-windows-msvc --features fips -i aws-lc-rs prints nothing.

Comment thread Cargo.toml
"tls12",
] }
rustls-cng-crypto = { version = "0.2.0", git = "https://github.com/DataDog/rustls-cng-crypto", rev = "2498c870c949335cb70dc79ed558917b96e4ff72", default-features = false, features = [
"tls12",

thieman (Contributor Author):

Explain inclusion of this feature and omission of any rustls-cng-crypto features you aren't including

thieman (Contributor Author):

[GPT-5.5] The workspace dependency enables only tls12 intentionally.

rustls-cng-crypto is declared with default-features = false, so we explicitly opt into tls12 because Saluki supports TLS 1.2 and the existing Rustls workspace dependency also enables tls12. Without this, the CNG provider would only expose TLS 1.3 suites.

The omitted features are intentional:

  • default: not used because it currently only maps to tls12; we keep that explicit for consistency with the rest of the workspace.
  • fips: not enabled globally because FIPS must be controlled by Saluki’s existing fips feature. lib/saluki-tls/Cargo.toml now enables rustls-cng-crypto/fips only when Saluki’s fips feature is enabled.

@thieman thieman marked this pull request as ready for review June 30, 2026 13:52
@thieman thieman requested a review from a team as a code owner June 30, 2026 13:52

chatgpt-codex-connector Bot left a comment
💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 03051b6f4a


Comment thread lib/saluki-tls/Cargo.toml Outdated
[features]
default = []
fips = ["rustls/fips"]
fips = ["aws-lc-rs/fips", "rustls-cng-crypto/fips"]

chatgpt-codex-connector Bot:

P1: Restore rustls FIPS policy feature

On non-Windows --features fips builds this no longer enables rustls/fips, so rustls keeps the non-FIPS webpki signature algorithm set while ClientTLSConfigBuilder::build() still rejects any config for which config.fips() is false. Filtering cipher suites and KX groups later does not update signature_verification_algorithms, so FIPS Linux ADP clients fail to construct TLS configs at runtime with “Client TLS configuration is not FIPS compliant.” Keep rustls/fips on non-Windows or explicitly enable/filter the webpki FIPS algorithms.


thieman (Contributor Author):

[GPT-5.5] Fixed in 889ba3a0d7.

This was valid: CryptoProvider::fips() also checks signature_verification_algorithms.fips(), so filtering only cipher suites and KX groups was incomplete.

The single Saluki fips feature now additionally enables rustls-webpki/aws-lc-rs-fips on the non-Windows path:

fips = ["aws-lc-rs/fips", "rustls-cng-crypto/fips", "rustls-webpki/aws-lc-rs-fips"]

rustls-webpki is a non-Windows target dependency, so Windows still does not pull AWS-LC. Verified with:

  • cargo tree --locked -p saluki-tls --features fips -e features -i rustls-webpki showing rustls-webpki feature "aws-lc-rs-fips".
  • cargo tree --locked -p agent-data-plane --target x86_64-pc-windows-msvc --features fips -i aws-lc-rs printing nothing.
  • cargo check --locked -p saluki-tls --target x86_64-pc-windows-msvc --features fips passing.
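Taking the target-scoped dependency layout described in the earlier thread (aws-lc-rs and rustls-webpki as non-Windows dependencies, rustls-cng-crypto as a Windows dependency, rustls itself provider-neutral) together with the final fips line above, the manifest shape is the following. This is an added illustration for this page, not the PR's actual lib/saluki-tls/Cargo.toml: the dependency names, the fips feature list and the rustls-cng-crypto version/git/rev/features come from the thread, while the package metadata, the aws-lc-rs and rustls-webpki version requirements and the rustls feature list are assumptions.

```toml
[package]
name = "saluki-tls"
version = "0.1.0"   # assumed
edition = "2021"    # assumed; edition 2021 selects Cargo resolver 2 (see below)

[features]
default = []
# One feature, three provider-specific forwards. With resolver 2, a
# `dep/feature` entry for a target-specific dependency is ignored on targets
# where that dependency is not declared, so on Windows neither aws-lc-rs/fips
# nor rustls-webpki/aws-lc-rs-fips is activated and no AWS-LC crate is pulled in.
# Deliberately not "rustls/fips": that implies rustls/aws_lc_rs on every target.
fips = ["aws-lc-rs/fips", "rustls-cng-crypto/fips", "rustls-webpki/aws-lc-rs-fips"]

[dependencies]
# Provider-neutral rustls: no `aws_lc_rs` or `ring` feature anywhere in the
# workspace entry (assumed here to enable only "std" and "tls12").
rustls = { workspace = true }

[target.'cfg(not(windows))'.dependencies]
aws-lc-rs = "1"   # version assumed; gets its `fips` feature from [features] above
rustls-webpki = { version = "0.103", default-features = false, features = ["std", "aws-lc-rs"] }   # version assumed

[target.'cfg(windows)'.dependencies]
# Workspace entry, as in the thread: default-features = false with only "tls12"
# (otherwise the CNG provider exposes TLS 1.3 suites only); its `fips` feature
# is reached solely through the [features] table above.
rustls-cng-crypto = { workspace = true }
```

Two consequences follow from avoiding rustls/fips this way. First, the provider-install code has to do the filtering that rustls's own fips feature would otherwise do, and the final gate should be the whole-provider CryptoProvider::fips(), which also covers signature_verification_algorithms (the gap the Codex comment above flagged). Second, feature unification still applies: any other crate in the Windows graph that enables rustls/aws_lc_rs (a reqwest or rcgen feature, say) brings AWS-LC back, which is why the cargo tree checks on the Windows target belong in CI rather than only in the test plan.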

thieman (Contributor Author):

[GPT-5.5] Additional local verification after fixing this:

  • Built the Linux FIPS ADP image with make build-adp-image-fips.
  • Built a bundled Datadog Agent image using that FIPS ADP image and tagged it for the Linux integration runtime.
  • Ran basic-startup under the Linux runtime against that FIPS image: PASSED: 1 passed, 0 failed.
  • Ran the full Linux integration suite under the Linux runtime against that FIPS image: PASSED: 30 passed, 0 failed, 30 total.

So the non-Windows FIPS path no longer just compiles by dependency graph; it also boots and passes the Linux integration suite locally. I also rechecked the Windows FIPS graph/compile path separately: Windows --features fips uses rustls-cng-crypto, has no aws-lc-rs edge, and cargo check --locked -p saluki-tls --target x86_64-pc-windows-msvc --features fips passes.

New-VsBuildToolsJunction
}

# saluki-metadata reads these at build time. Must match the values the Makefile passes through

chatgpt-codex-connector Bot:

P1: Update Windows FIPS packaging for CNG

With this block removed, the build-release-zip-windows-amd64-fips workflow still sets BUILD_FEATURES=fips and this script still calls package-adp-zip.ps1; that packaging script currently treats any FIPS Windows build as aws-lc-backed and throws when no aws_lc_fips_*.dll is found (ci/tooling/package-adp-zip.ps1:79-87). Since the new CNG-backed FIPS build intentionally produces no AWS-LC DLL, the release zip job will fail after cargo succeeds unless the packaging condition is updated.


thieman (Contributor Author):

[GPT-5.5] Fixed in 889ba3a0d7.

Windows FIPS now uses the CNG-backed Rustls provider and intentionally does not produce aws_lc_fips_*.dll, so the packaging script should not require or bundle AWS-LC FIPS DLLs anymore. I removed that block from ci/tooling/package-adp-zip.ps1 and left a short comment explaining that Windows FIPS uses CNG.

thieman (Contributor Author):

[GPT-5.5] Additional verification after removing the AWS-LC FIPS DLL packaging requirement:

  • Windows --features fips dependency graph has no aws-lc-rs / aws-lc-sys edge and does include rustls-cng-crypto.
  • cargo check --locked -p saluki-tls --target x86_64-pc-windows-msvc --features fips passes locally.

I did not run a Windows runtime boot locally, but the packaging change matches the verified dependency graph: Windows FIPS no longer builds or links AWS-LC FIPS, so no aws_lc_fips_*.dll should be required in the zip. For runtime startup coverage, I did run the Linux FIPS image locally through basic-startup and the full Linux integration suite; both passed.

Comment thread ci/tooling/package-adp-zip.ps1 Outdated
Copy-Item -Force $dll.FullName (Join-Path $StageRoot "bin\$($dll.Name)")
}
}
# Windows FIPS builds use the CNG-backed Rustls provider, so no AWS-LC FIPS runtime DLLs are produced or bundled.

thieman (Contributor Author):

Bad comment, remove

thieman (Contributor Author):

[GPT-5.5] Removed in fc79c87af7.

gh-worker-dd-mergequeue-cf854d Bot merged commit 13f34fa into main on Jun 30, 2026
86 checks passed
gh-worker-dd-mergequeue-cf854d Bot deleted the thieman/use-rustls-cng-crypto-windows branch on June 30, 2026 17:15
dd-octo-sts Bot pushed a commit that referenced this pull request Jun 30, 2026
(commit message is identical to the pull request description above)
Co-authored-by: travis.thieman <travis.thieman@datadoghq.com> 13f34fa

Labels

area/ci (CI/CD, automated testing, etc.), area/components (Sources, transforms, and destinations), area/core (Core functionality, event model, etc.), area/io (General I/O and networking), area/observability (Internal observability of ADP and Saluki), mergequeue-status: done
