diff --git a/src/client.rs b/src/client.rs index 81cbd38..da8a95d 100644 --- a/src/client.rs +++ b/src/client.rs @@ -116,10 +116,14 @@ impl ClientType { config.validate_domain(), socks5, config.timeout(), + config.crypto_provider(), + )?, + None => RawClient::new_ssl( + url.as_str(), + config.validate_domain(), + config.timeout(), + config.crypto_provider(), )?, - None => { - RawClient::new_ssl(url.as_str(), config.validate_domain(), config.timeout())? - } }; Ok(ClientType::SSL(client)) diff --git a/src/config.rs b/src/config.rs index 47da1f9..95a4a5b 100644 --- a/src/config.rs +++ b/src/config.rs @@ -1,5 +1,7 @@ use std::time::Duration; +use rustls::crypto::CryptoProvider; + /// Configuration for an electrum client /// /// Refer to [`Client::from_config`] and [`ClientType::from_config`]. @@ -12,6 +14,9 @@ pub struct Config { socks5: Option, /// timeout in seconds, default None (depends on TcpStream default) timeout: Option, + #[cfg(any(feature = "use-rustls", feature = "use-rustls-ring"))] + /// An optional [`CryptoProvider`] for users that don't want either default `aws-lc-rs` or `ring` providers + crypto_provider: Option, /// number of retry if any error, default 1 retry: u8, /// when ssl, validate the domain, default true @@ -60,6 +65,13 @@ impl ConfigBuilder { self } + #[cfg(any(feature = "use-rustls", feature = "use-rustls-ring"))] + /// Sets the custom [`CryptoProvider`]. + pub fn crypto_provider(mut self, crypto_provider: Option) -> Self { + self.config.crypto_provider = crypto_provider; + self + } + /// Sets the retry attempts number pub fn retry(mut self, retry: u8) -> Self { self.config.retry = retry; @@ -135,6 +147,14 @@ impl Config { pub fn builder() -> ConfigBuilder { ConfigBuilder::new() } + + #[cfg(any(feature = "use-rustls", feature = "use-rustls-ring"))] + /// Get the configuration for `crypto_provider` + /// + /// Set this with [`ConfigBuilder::crypto_provider`] + pub fn crypto_provider(&self) -> Option<&CryptoProvider> { + self.crypto_provider.as_ref() + } } impl Default for Config { @@ -144,6 +164,7 @@ impl Default for Config { timeout: None, retry: 1, validate_domain: true, + crypto_provider: None, } } } diff --git a/src/raw_client.rs b/src/raw_client.rs index 1b83c73..4fcdd07 100644 --- a/src/raw_client.rs +++ b/src/raw_client.rs @@ -22,6 +22,10 @@ use bitcoin::{Script, Txid}; #[cfg(feature = "use-openssl")] use openssl::ssl::{SslConnector, SslMethod, SslStream, SslVerifyMode}; +#[cfg(feature = "use-rustls")] +use rustls::crypto::aws_lc_rs::default_provider; +#[cfg(feature = "use-rustls-ring")] +use rustls::crypto::ring::default_provider; #[cfg(all( any( feature = "default", @@ -31,6 +35,7 @@ use openssl::ssl::{SslConnector, SslMethod, SslStream, SslVerifyMode}; not(feature = "use-openssl") ))] use rustls::{ + crypto::CryptoProvider, pki_types::ServerName, pki_types::{Der, TrustAnchor}, ClientConfig, ClientConnection, RootCertStore, StreamOwned, @@ -368,6 +373,7 @@ impl RawClient { socket_addrs: A, validate_domain: bool, timeout: Option, + crypto_provider: Option<&CryptoProvider>, ) -> Result { debug!( "new_ssl socket_addrs.domain():{:?} validate_domain:{} timeout:{:?}", @@ -378,16 +384,27 @@ impl RawClient { if validate_domain { socket_addrs.domain().ok_or(Error::MissingDomain)?; } + + let crypto_provider = match crypto_provider { + Some(provider) => provider.to_owned(), + + #[cfg(feature = "use-rustls")] + None => default_provider(), + + #[cfg(feature = "use-rustls-ring")] + None => default_provider(), + }; + match timeout { Some(timeout) => { let stream = connect_with_total_timeout(socket_addrs.clone(), timeout)?; stream.set_read_timeout(Some(timeout))?; stream.set_write_timeout(Some(timeout))?; - Self::new_ssl_from_stream(socket_addrs, validate_domain, stream) + Self::new_ssl_from_stream(socket_addrs, validate_domain, stream, crypto_provider) } None => { let stream = TcpStream::connect(socket_addrs.clone())?; - Self::new_ssl_from_stream(socket_addrs, validate_domain, stream) + Self::new_ssl_from_stream(socket_addrs, validate_domain, stream, crypto_provider) } } } @@ -397,10 +414,13 @@ impl RawClient { socket_addr: A, validate_domain: bool, tcp_stream: TcpStream, + crypto_provider: CryptoProvider, ) -> Result { use std::convert::TryFrom; - let builder = ClientConfig::builder(); + let builder = ClientConfig::builder_with_provider(crypto_provider.into()) + .with_safe_default_protocol_versions() + .map_err(|e| Error::CouldNotBuildWithSafeDefaultVersion(e))?; let config = if validate_domain { socket_addr.domain().ok_or(Error::MissingDomain)?; @@ -480,6 +500,7 @@ impl RawClient { validate_domain: bool, proxy: &crate::Socks5Config, timeout: Option, + crypto_provider: Option<&CryptoProvider>, ) -> Result, Error> { let target = target_addr.to_target_addr()?; @@ -496,7 +517,22 @@ impl RawClient { stream.get_mut().set_read_timeout(timeout)?; stream.get_mut().set_write_timeout(timeout)?; - RawClient::new_ssl_from_stream(target, validate_domain, stream.into_inner()) + let crypto_provider = match crypto_provider { + Some(provider) => provider.to_owned(), + + #[cfg(feature = "use-rustls")] + None => default_provider(), + + #[cfg(feature = "use-rustls-ring")] + None => default_provider(), + }; + + RawClient::new_ssl_from_stream( + target, + validate_domain, + stream.into_inner(), + crypto_provider, + ) } } diff --git a/src/types.rs b/src/types.rs index 6ecd692..00dcf30 100644 --- a/src/types.rs +++ b/src/types.rs @@ -318,6 +318,9 @@ pub enum Error { #[cfg(any(feature = "use-rustls", feature = "use-rustls-ring"))] /// Could not create a rustls client connection CouldNotCreateConnection(rustls::Error), + #[cfg(any(feature = "use-rustls", feature = "use-rustls-ring"))] + /// Could not create the `ClientConfig` with safe default protocol version + CouldNotBuildWithSafeDefaultVersion(rustls::Error), #[cfg(feature = "use-openssl")] /// Invalid OpenSSL method used @@ -365,6 +368,7 @@ impl Display for Error { Error::MissingDomain => f.write_str("Missing domain while it was explicitly asked to validate it"), Error::CouldntLockReader => f.write_str("Couldn't take a lock on the reader mutex. This means that there's already another reader thread is running"), Error::Mpsc => f.write_str("Broken IPC communication channel: the other thread probably has exited"), + Error::CouldNotBuildWithSafeDefaultVersion(_) => f.write_str("Couldn't build the `ClientConfig` with safe default version"), } } }