From c99b83f6b45608407fd31481603b73e7cf7d7a58 Mon Sep 17 00:00:00 2001
From: SirCipher
Date: Mon, 24 Jun 2024 16:38:30 +0100
Subject: [PATCH] Adds missing client-side crypto provider init

---
 runtime/swimos_remote/src/tls/config/mod.rs | 16 ++++------------
 runtime/swimos_remote/src/tls/net/client.rs | 4 +++-
 runtime/swimos_remote/src/tls/net/tests.rs | 10 +++-------
 server/swimos_server_app/Cargo.toml | 5 +++--
 .../swimos_server_app/src/server/builder/mod.rs | 8 ++++++--
 5 files changed, 19 insertions(+), 24 deletions(-)

diff --git a/runtime/swimos_remote/src/tls/config/mod.rs b/runtime/swimos_remote/src/tls/config/mod.rs
index be97c9564..d58b68404 100644
--- a/runtime/swimos_remote/src/tls/config/mod.rs
+++ b/runtime/swimos_remote/src/tls/config/mod.rs
@@ -87,8 +87,7 @@ pub struct ServerConfig {
 /// `SSLKEYLOGFILE` environment variable, and writes keys into it. While this may be enabled,
 /// if `SSLKEYLOGFILE` is not set, it will do nothing.
 pub enable_log_file: bool,
- /// Process-wide [`CryptoProvider`] that must already have been installed as the default
- /// provider.
+ /// [`CryptoProvider`] to use when building the [`rustls::ServerConfig`].
 pub provider: Arc,
 }

@@ -107,22 +106,15 @@ impl ServerConfig {
 pub struct ClientConfig {
 pub use_webpki_roots: bool,
 pub custom_roots: Vec,
+ pub provider: Arc,
 }

 impl ClientConfig {
- pub fn new(custom_roots: Vec) -> Self {
+ pub fn new(custom_roots: Vec, provider: Arc) -> Self {
 ClientConfig {
 use_webpki_roots: true,
 custom_roots,
- }
- }
- }
-
- impl Default for ClientConfig {
- fn default() -> Self {
- Self {
- use_webpki_roots: true,
- custom_roots: vec![],
+ provider,
 }
 }
 }
diff --git a/runtime/swimos_remote/src/tls/net/client.rs b/runtime/swimos_remote/src/tls/net/client.rs
index 8159211f4..8bc9555c6 100644
--- a/runtime/swimos_remote/src/tls/net/client.rs
+++ b/runtime/swimos_remote/src/tls/net/client.rs
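Review bot: The new `provider` field on `ClientConfig`, and the matching new parameter of `ClientConfig::new`, are undocumented, whereas the sibling `ServerConfig::provider` in the previous hunk gets a doc comment; add `/// [`CryptoProvider`] to use when building the [`rustls::ClientConfig`].` above the field. Removing the `Default` impl is the part of this hunk that actually enforces the fix, because it is what stops callers from constructing a client config without choosing a provider, so it deserves a sentence on the struct such as `/// Deliberately has no Default impl: callers must choose the crypto provider explicitly rather than rely on a process-wide default being installed.`. Note that the same field type on both structs now lets a caller hand the server and client different providers; if that is not intended, say so in the doc.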
@@ -47,6 +47,7 @@ impl RustlsClientNetworking {
 let ClientConfig {
 use_webpki_roots,
 custom_roots,
+ provider,
 } = config;
 let mut root_store = RootCertStore::empty();
 if use_webpki_roots {
@@ -59,7 +60,8 @@ impl RustlsClientNetworking {
 }
 }

- let config = rustls::ClientConfig::builder()
+ let config = rustls::ClientConfig::builder_with_provider(provider)
+ .with_safe_default_protocol_versions()?
 .with_root_certificates(root_store)
 .with_no_client_auth();

diff --git a/runtime/swimos_remote/src/tls/net/tests.rs b/runtime/swimos_remote/src/tls/net/tests.rs
index 453c8ca8f..811745992 100644
--- a/runtime/swimos_remote/src/tls/net/tests.rs
+++ b/runtime/swimos_remote/src/tls/net/tests.rs
@@ -17,6 +17,7 @@ use std::{net::SocketAddr, path::PathBuf, sync::Arc, time::Duration};
 use crate::dns::Resolver;
 use crate::net::{ClientConnections, ConnectionError, Listener, ListenerError, Scheme};
 use futures::{future::join, StreamExt};
+use rustls::crypto::aws_lc_rs;
 use crate::tls::{
 CertChain, CertificateFile, ClientConfig, PrivateKey, RustlsClientNetworking,
@@ -46,18 +47,12 @@ fn make_server_config() -> ServerConfig {
 CertificateFile::der(ca_cert),
 ]);

- let provider = rustls::crypto::aws_lc_rs::default_provider();
- provider
- .clone()
- .install_default()
- .expect("Crypto Provider has already been initialised elsewhere.");
-
 let key = PrivateKey::der(server_key);

 ServerConfig {
 chain,
 key,
 enable_log_file: false,
- provider: Arc::new(provider),
+ provider: Arc::new(aws_lc_rs::default_provider()),
 }
 }

@@ -67,6 +62,7 @@ fn make_client_config() -> ClientConfig {
 ClientConfig {
 use_webpki_roots: true,
 custom_roots: vec![CertificateFile::der(ca_cert)],
+ provider: Arc::new(aws_lc_rs::default_provider()),
 }
 }

diff --git a/server/swimos_server_app/Cargo.toml b/server/swimos_server_app/Cargo.toml
index 6d0fb66f6..57cd650a3 100644
--- a/server/swimos_server_app/Cargo.toml
+++ b/server/swimos_server_app/Cargo.toml
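Review bot: With `use_webpki_roots` false and `custom_roots` empty, `root_store` is still empty when it reaches `.with_root_certificates(root_store)`, so the builder succeeds and the misconfiguration only surfaces later as an unknown-issuer failure on the first handshake. Since this path now returns a `Result` anyway (the new `?` after `with_safe_default_protocol_versions()`), it would be clearer to fail here, e.g. `if root_store.is_empty() { return Err(/* configuration error: no trust anchors */); }` using whatever error variant `try_from_config` already returns, or at minimum to document the behaviour on `ClientConfig`. A one-line comment on `builder_with_provider(provider)` would also help, because the provider chosen by the caller now determines the signature algorithms rustls accepts during chain verification, not just the cipher suites, where previously that came from the process-wide default. `try_from_config` begins before and ends after this hunk.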
@@ -17,7 +17,7 @@ swimos_runtime = { path = "../../runtime/swimos_runtime" }
 swimos_messages = { path = "../../runtime/swimos_messages" }
 swimos_http = { path = "../../runtime/swimos_http" }
 swimos_introspection = { path = "../swimos_introspection" }
-swimos_remote = { path = "../../runtime/swimos_remote", features = ["tls"]}
+swimos_remote = { path = "../../runtime/swimos_remote", features = ["tls"] }
 bytes = { workspace = true }
 tokio = { workspace = true, features = ["rt"] }
 tokio-util = { workspace = true, features = ["codec"] }
@@ -30,11 +30,12 @@ uuid = { workspace = true }
 thiserror = { workspace = true }
 rand = { workspace = true }
 url = { workspace = true }
-swimos_rocks_store = { path = "../../runtime/swimos_rocks_store", optional = true}
+swimos_rocks_store = { path = "../../runtime/swimos_rocks_store", optional = true }
 parking_lot = { workspace = true }
 hyper = { workspace = true, features = ["server", "runtime", "tcp", "http1", "backports"] }
 pin-project = { workspace = true }
 percent-encoding = { workspace = true }
+rustls = { workspace = true }

 [dev-dependencies]
 swimos_recon = { path = "../../api/formats/swimos_recon" }
diff --git a/server/swimos_server_app/src/server/builder/mod.rs b/server/swimos_server_app/src/server/builder/mod.rs
index 22d0753a4..f75bcfd9a 100644
--- a/server/swimos_server_app/src/server/builder/mod.rs
+++ b/server/swimos_server_app/src/server/builder/mod.rs
@@ -21,6 +21,7 @@ use ratchet::{
 deflate::{DeflateConfig, DeflateExtProvider},
 NoExtProvider, WebSocketStream,
 };
+use rustls::crypto::aws_lc_rs;
 use swimos_api::{
 agent::Agent,
 error::StoreError,
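Review bot: `rustls = { workspace = true }` is added here only so that `server/builder/mod.rs` can name `rustls::crypto::aws_lc_rs`, and that path compiles only if the workspace-level rustls dependency keeps the `aws_lc_rs` feature enabled, which this diff does not show. Either make the requirement explicit in this crate, `rustls = { workspace = true, features = ["aws_lc_rs"] }`, or have `swimos_remote` (which already owns the `tls` feature and the `Arc`-wrapped provider type) re-export a `default_provider()` so the choice of crypto backend lives in one crate and the application does not need a direct rustls dependency. Centralising it also avoids a future version skew where the app and `swimos_remote` resolve to different rustls crates and the `CryptoProvider` types no longer match.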
@@ -188,8 +189,11 @@ impl ServerBuilder {
 let networking = RustlsNetworking::new_tls(client, server);
 Ok(with_store(bind_to, routes, networking, config)?)
 } else {
- let client =
- RustlsClientNetworking::try_from_config(resolver.clone(), ClientConfig::default())?;
+ let provider = Arc::new(aws_lc_rs::default_provider());
+ let client = RustlsClientNetworking::try_from_config(
+ resolver.clone(),
+ ClientConfig::new(Default::default(), provider),
+ )?;
 let server = TokioPlainTextNetworking::new(resolver);
 let networking = RustlsNetworking::new_plain_text(client, server);
 Ok(with_store(bind_to, routes, networking, config)?)
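Review bot: `Arc::new(aws_lc_rs::default_provider())` hard-wires the crypto backend in the plain-text branch (and presumably the TLS branch above this hunk does the same), so an embedder cannot substitute a FIPS-validated or otherwise customised `CryptoProvider` even though `swimos_remote` now accepts one per config. Consider holding the provider on `ServerBuilder`, defaulting it to aws-lc-rs, and threading the same `Arc` into both branches so that one setter controls every rustls config the server builds and the two branches cannot drift apart. Separately, `ClientConfig::new(Default::default(), provider)` hides what the first argument is; `ClientConfig::new(Vec::new(), provider)` reads as "no custom roots, webpki roots only" at a glance. The enclosing method starts before this hunk.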