Adds missing client-side crypto provider init

swimos · Jun 24, 2024 · c99b83f · c99b83f
1 parent 0a4851e
commit c99b83f
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 24 deletions.
diff --git a/runtime/swimos_remote/src/tls/config/mod.rs b/runtime/swimos_remote/src/tls/config/mod.rs
@@ -87,8 +87,7 @@ pub struct ServerConfig {
     /// `SSLKEYLOGFILE` environment variable, and writes keys into it. While this may be enabled,
     /// if `SSLKEYLOGFILE` is not set, it will do nothing.
     pub enable_log_file: bool,
-    /// Process-wide [`CryptoProvider`] that must already have been installed as the default
-    /// provider.
+    /// [`CryptoProvider`] to use when building the [`rustls::ServerConfig`].
     pub provider: Arc<CryptoProvider>,
 }
 
@@ -107,22 +106,15 @@ impl ServerConfig {
 pub struct ClientConfig {
     pub use_webpki_roots: bool,
     pub custom_roots: Vec<CertificateFile>,
+    pub provider: Arc<CryptoProvider>,
 }
 
 impl ClientConfig {
-    pub fn new(custom_roots: Vec<CertificateFile>) -> Self {
+    pub fn new(custom_roots: Vec<CertificateFile>, provider: Arc<CryptoProvider>) -> Self {
         ClientConfig {
             use_webpki_roots: true,
             custom_roots,
-        }
-    }
-}
-
-impl Default for ClientConfig {
-    fn default() -> Self {
-        Self {
-            use_webpki_roots: true,
-            custom_roots: vec![],
+            provider,
         }
     }
 }
diff --git a/runtime/swimos_remote/src/tls/net/client.rs b/runtime/swimos_remote/src/tls/net/client.rs
@@ -47,6 +47,7 @@ impl RustlsClientNetworking {
         let ClientConfig {
             use_webpki_roots,
             custom_roots,
+            provider,
         } = config;
         let mut root_store = RootCertStore::empty();
         if use_webpki_roots {
@@ -59,7 +60,8 @@ impl RustlsClientNetworking {
             }
         }
 
-        let config = rustls::ClientConfig::builder()
+        let config = rustls::ClientConfig::builder_with_provider(provider)
+            .with_safe_default_protocol_versions()?
             .with_root_certificates(root_store)
             .with_no_client_auth();
 

diff --git a/runtime/swimos_remote/src/tls/net/tests.rs b/runtime/swimos_remote/src/tls/net/tests.rs
@@ -17,6 +17,7 @@ use std::{net::SocketAddr, path::PathBuf, sync::Arc, time::Duration};
 use crate::dns::Resolver;
 use crate::net::{ClientConnections, ConnectionError, Listener, ListenerError, Scheme};
 use futures::{future::join, StreamExt};
+use rustls::crypto::aws_lc_rs;
 
 use crate::tls::{
     CertChain, CertificateFile, ClientConfig, PrivateKey, RustlsClientNetworking,
@@ -46,18 +47,12 @@ fn make_server_config() -> ServerConfig {
         CertificateFile::der(ca_cert),
     ]);
 
-    let provider = rustls::crypto::aws_lc_rs::default_provider();
-    provider
-        .clone()
-        .install_default()
-        .expect("Crypto Provider has already been initialised elsewhere.");
-
     let key = PrivateKey::der(server_key);
     ServerConfig {
         chain,
         key,
         enable_log_file: false,
-        provider: Arc::new(provider),
+        provider: Arc::new(aws_lc_rs::default_provider()),
     }
 }
 
@@ -67,6 +62,7 @@ fn make_client_config() -> ClientConfig {
     ClientConfig {
         use_webpki_roots: true,
         custom_roots: vec![CertificateFile::der(ca_cert)],
+        provider: Arc::new(aws_lc_rs::default_provider()),
     }
 }
 

diff --git a/server/swimos_server_app/Cargo.toml b/server/swimos_server_app/Cargo.toml
@@ -17,7 +17,7 @@ swimos_runtime = { path = "../../runtime/swimos_runtime" }
 swimos_messages = { path = "../../runtime/swimos_messages" }
 swimos_http = { path = "../../runtime/swimos_http" }
 swimos_introspection = { path = "../swimos_introspection" }
-swimos_remote = { path = "../../runtime/swimos_remote", features = ["tls"]}
+swimos_remote = { path = "../../runtime/swimos_remote", features = ["tls"] }
 bytes = { workspace = true }
 tokio = { workspace = true, features = ["rt"] }
 tokio-util = { workspace = true, features = ["codec"] }
@@ -30,11 +30,12 @@ uuid = { workspace = true }
 thiserror = { workspace = true }
 rand = { workspace = true }
 url = { workspace = true }
-swimos_rocks_store = { path = "../../runtime/swimos_rocks_store", optional = true}
+swimos_rocks_store = { path = "../../runtime/swimos_rocks_store", optional = true }
 parking_lot = { workspace = true }
 hyper = { workspace = true, features = ["server", "runtime", "tcp", "http1", "backports"] }
 pin-project = { workspace = true }
 percent-encoding = { workspace = true }
+rustls = { workspace = true }
 
 [dev-dependencies]
 swimos_recon = { path = "../../api/formats/swimos_recon" }

diff --git a/server/swimos_server_app/src/server/builder/mod.rs b/server/swimos_server_app/src/server/builder/mod.rs
@@ -21,6 +21,7 @@ use ratchet::{
     deflate::{DeflateConfig, DeflateExtProvider},
     NoExtProvider, WebSocketStream,
 };
+use rustls::crypto::aws_lc_rs;
 use swimos_api::{
     agent::Agent,
     error::StoreError,
@@ -188,8 +189,11 @@ impl ServerBuilder {
             let networking = RustlsNetworking::new_tls(client, server);
             Ok(with_store(bind_to, routes, networking, config)?)
         } else {
-            let client =
-                RustlsClientNetworking::try_from_config(resolver.clone(), ClientConfig::default())?;
+            let provider = Arc::new(aws_lc_rs::default_provider());
+            let client = RustlsClientNetworking::try_from_config(
+                resolver.clone(),
+                ClientConfig::new(Default::default(), provider),
+            )?;
             let server = TokioPlainTextNetworking::new(resolver);
             let networking = RustlsNetworking::new_plain_text(client, server);
             Ok(with_store(bind_to, routes, networking, config)?)