From c99b83f6b45608407fd31481603b73e7cf7d7a58 Mon Sep 17 00:00:00 2001 From: SirCipher Date: Mon, 24 Jun 2024 16:38:30 +0100 Subject: [PATCH 1/7] Adds missing client-side crypto provider init --- runtime/swimos_remote/src/tls/config/mod.rs | 16 ++++------------ runtime/swimos_remote/src/tls/net/client.rs | 4 +++- runtime/swimos_remote/src/tls/net/tests.rs | 10 +++------- server/swimos_server_app/Cargo.toml | 5 +++-- .../swimos_server_app/src/server/builder/mod.rs | 8 ++++++-- 5 files changed, 19 insertions(+), 24 deletions(-) diff --git a/runtime/swimos_remote/src/tls/config/mod.rs b/runtime/swimos_remote/src/tls/config/mod.rs index be97c9564..d58b68404 100644 --- a/runtime/swimos_remote/src/tls/config/mod.rs +++ b/runtime/swimos_remote/src/tls/config/mod.rs @@ -87,8 +87,7 @@ pub struct ServerConfig { /// `SSLKEYLOGFILE` environment variable, and writes keys into it. While this may be enabled, /// if `SSLKEYLOGFILE` is not set, it will do nothing. pub enable_log_file: bool, - /// Process-wide [`CryptoProvider`] that must already have been installed as the default - /// provider. + /// [`CryptoProvider`] to use when building the [`rustls::ServerConfig`]. pub provider: Arc, } @@ -107,22 +106,15 @@ impl ServerConfig { pub struct ClientConfig { pub use_webpki_roots: bool, pub custom_roots: Vec, + pub provider: Arc, } impl ClientConfig { - pub fn new(custom_roots: Vec) -> Self { + pub fn new(custom_roots: Vec, provider: Arc) -> Self { ClientConfig { use_webpki_roots: true, custom_roots, - } - } -} - -impl Default for ClientConfig { - fn default() -> Self { - Self { - use_webpki_roots: true, - custom_roots: vec![], + provider, } } } diff --git a/runtime/swimos_remote/src/tls/net/client.rs b/runtime/swimos_remote/src/tls/net/client.rs index 8159211f4..8bc9555c6 100644 --- a/runtime/swimos_remote/src/tls/net/client.rs +++ b/runtime/swimos_remote/src/tls/net/client.rs @@ -47,6 +47,7 @@ impl RustlsClientNetworking { let ClientConfig { use_webpki_roots, custom_roots, + provider, } = config; let mut root_store = RootCertStore::empty(); if use_webpki_roots { @@ -59,7 +60,8 @@ impl RustlsClientNetworking { } } - let config = rustls::ClientConfig::builder() + let config = rustls::ClientConfig::builder_with_provider(provider) + .with_safe_default_protocol_versions()? .with_root_certificates(root_store) .with_no_client_auth(); diff --git a/runtime/swimos_remote/src/tls/net/tests.rs b/runtime/swimos_remote/src/tls/net/tests.rs index 453c8ca8f..811745992 100644 --- a/runtime/swimos_remote/src/tls/net/tests.rs +++ b/runtime/swimos_remote/src/tls/net/tests.rs @@ -17,6 +17,7 @@ use std::{net::SocketAddr, path::PathBuf, sync::Arc, time::Duration}; use crate::dns::Resolver; use crate::net::{ClientConnections, ConnectionError, Listener, ListenerError, Scheme}; use futures::{future::join, StreamExt}; +use rustls::crypto::aws_lc_rs; use crate::tls::{ CertChain, CertificateFile, ClientConfig, PrivateKey, RustlsClientNetworking, @@ -46,18 +47,12 @@ fn make_server_config() -> ServerConfig { CertificateFile::der(ca_cert), ]); - let provider = rustls::crypto::aws_lc_rs::default_provider(); - provider - .clone() - .install_default() - .expect("Crypto Provider has already been initialised elsewhere."); - let key = PrivateKey::der(server_key); ServerConfig { chain, key, enable_log_file: false, - provider: Arc::new(provider), + provider: Arc::new(aws_lc_rs::default_provider()), } } @@ -67,6 +62,7 @@ fn make_client_config() -> ClientConfig { ClientConfig { use_webpki_roots: true, custom_roots: vec![CertificateFile::der(ca_cert)], + provider: Arc::new(aws_lc_rs::default_provider()), } } diff --git a/server/swimos_server_app/Cargo.toml b/server/swimos_server_app/Cargo.toml index 6d0fb66f6..57cd650a3 100644 --- a/server/swimos_server_app/Cargo.toml +++ b/server/swimos_server_app/Cargo.toml @@ -17,7 +17,7 @@ swimos_runtime = { path = "../../runtime/swimos_runtime" } swimos_messages = { path = "../../runtime/swimos_messages" } swimos_http = { path = "../../runtime/swimos_http" } swimos_introspection = { path = "../swimos_introspection" } -swimos_remote = { path = "../../runtime/swimos_remote", features = ["tls"]} +swimos_remote = { path = "../../runtime/swimos_remote", features = ["tls"] } bytes = { workspace = true } tokio = { workspace = true, features = ["rt"] } tokio-util = { workspace = true, features = ["codec"] } @@ -30,11 +30,12 @@ uuid = { workspace = true } thiserror = { workspace = true } rand = { workspace = true } url = { workspace = true } -swimos_rocks_store = { path = "../../runtime/swimos_rocks_store", optional = true} +swimos_rocks_store = { path = "../../runtime/swimos_rocks_store", optional = true } parking_lot = { workspace = true } hyper = { workspace = true, features = ["server", "runtime", "tcp", "http1", "backports"] } pin-project = { workspace = true } percent-encoding = { workspace = true } +rustls = { workspace = true } [dev-dependencies] swimos_recon = { path = "../../api/formats/swimos_recon" } diff --git a/server/swimos_server_app/src/server/builder/mod.rs b/server/swimos_server_app/src/server/builder/mod.rs index 22d0753a4..f75bcfd9a 100644 --- a/server/swimos_server_app/src/server/builder/mod.rs +++ b/server/swimos_server_app/src/server/builder/mod.rs @@ -21,6 +21,7 @@ use ratchet::{ deflate::{DeflateConfig, DeflateExtProvider}, NoExtProvider, WebSocketStream, }; +use rustls::crypto::aws_lc_rs; use swimos_api::{ agent::Agent, error::StoreError, @@ -188,8 +189,11 @@ impl ServerBuilder { let networking = RustlsNetworking::new_tls(client, server); Ok(with_store(bind_to, routes, networking, config)?) } else { - let client = - RustlsClientNetworking::try_from_config(resolver.clone(), ClientConfig::default())?; + let provider = Arc::new(aws_lc_rs::default_provider()); + let client = RustlsClientNetworking::try_from_config( + resolver.clone(), + ClientConfig::new(Default::default(), provider), + )?; let server = TokioPlainTextNetworking::new(resolver); let networking = RustlsNetworking::new_plain_text(client, server); Ok(with_store(bind_to, routes, networking, config)?) From 6082bc7450c3280f93b865fe2c3bbf6fdb5b3e9d Mon Sep 17 00:00:00 2001 From: SirCipher Date: Wed, 26 Jun 2024 11:24:12 +0100 Subject: [PATCH 2/7] Resolves PR comments --- client/swimos_client/Cargo.toml | 5 +- client/swimos_client/src/lib.rs | 119 ++++++++++++------ runtime/swimos_remote/Cargo.toml | 2 + runtime/swimos_remote/src/tls/config/mod.rs | 12 +- runtime/swimos_remote/src/tls/mod.rs | 37 ++++++ runtime/swimos_remote/src/tls/net/client.rs | 5 +- runtime/swimos_remote/src/tls/net/server.rs | 11 +- runtime/swimos_remote/src/tls/net/tests.rs | 10 +- server/swimos_server_app/Cargo.toml | 4 +- .../src/server/builder/mod.rs | 66 +++++++++- swimos/Cargo.toml | 4 +- 11 files changed, 201 insertions(+), 74 deletions(-) diff --git a/client/swimos_client/Cargo.toml b/client/swimos_client/Cargo.toml index bf9e0e1cf..9053e2e6d 100644 --- a/client/swimos_client/Cargo.toml +++ b/client/swimos_client/Cargo.toml @@ -5,9 +5,10 @@ edition = "2021" [features] default = [] -tls = ["swimos_remote/tls"] deflate = ["runtime/deflate"] trust_dns = ["swimos_runtime/trust_dns"] +ring_provider = ["swimos_remote/ring_provider"] +aws_lc_rs_provider = ["swimos_remote/aws_lc_rs_provider"] [dependencies] runtime = { path = "../runtime" } @@ -25,4 +26,4 @@ tokio = { workspace = true, features = ["sync"] } futures = { workspace = true } futures-util = { workspace = true } tracing = { workspace = true } - +rustls = { workspace = true } diff --git a/client/swimos_client/src/lib.rs b/client/swimos_client/src/lib.rs index fc7ef4693..fa5fe1c36 100644 --- a/client/swimos_client/src/lib.rs +++ b/client/swimos_client/src/lib.rs @@ -12,101 +12,138 @@ // See the License for the specific language governing permissions and // limitations under the License. -#[cfg(not(feature = "deflate"))] -use ratchet::NoExtProvider; -use ratchet::WebSocketStream; -use std::marker::PhantomData; -use std::num::NonZeroUsize; -use swimos_remote::websocket::RatchetClient; +use std::{marker::PhantomData, num::NonZeroUsize, sync::Arc}; use futures_util::future::BoxFuture; -#[cfg(feature = "deflate")] -use ratchet::deflate::{DeflateConfig, DeflateExtProvider}; +use ratchet::{ + deflate::{DeflateConfig, DeflateExtProvider}, + WebSocketStream, +}; +use rustls::crypto::CryptoProvider; +use tokio::{sync::mpsc, sync::mpsc::error::SendError, sync::oneshot::error::RecvError}; +pub use url::Url; + use runtime::{ start_runtime, ClientConfig, DownlinkRuntimeError, RawHandle, Transport, WebSocketConfig, }; pub use runtime::{CommandError, Commander, RemotePath}; -use std::sync::Arc; pub use swimos_client_api::DownlinkConfig; -pub use swimos_downlink::lifecycle::{ - BasicEventDownlinkLifecycle, BasicMapDownlinkLifecycle, BasicValueDownlinkLifecycle, - EventDownlinkLifecycle, MapDownlinkLifecycle, ValueDownlinkLifecycle, +pub use swimos_downlink::{ + lifecycle::BasicEventDownlinkLifecycle, lifecycle::BasicMapDownlinkLifecycle, + lifecycle::BasicValueDownlinkLifecycle, lifecycle::EventDownlinkLifecycle, + lifecycle::MapDownlinkLifecycle, lifecycle::ValueDownlinkLifecycle, }; use swimos_downlink::{ ChannelError, DownlinkTask, EventDownlinkModel, MapDownlinkHandle, MapDownlinkModel, MapKey, MapValue, NotYetSyncedError, ValueDownlinkModel, ValueDownlinkSet, }; use swimos_form::Form; -use swimos_remote::dns::Resolver; -use swimos_remote::plain::TokioPlainTextNetworking; -#[cfg(feature = "tls")] -use swimos_remote::tls::{ClientConfig as TlsConfig, RustlsClientNetworking, TlsError}; -use swimos_remote::ClientConnections; +pub use swimos_remote::tls::ClientConfig as TlsConfig; +use swimos_remote::tls::TlsError; +use swimos_remote::{ + dns::Resolver, + plain::TokioPlainTextNetworking, + tls::{CryptoProviderConfig, RustlsClientNetworking}, + websocket::RatchetClient, + ClientConnections, +}; use swimos_runtime::downlink::{DownlinkOptions, DownlinkRuntimeConfig}; -use swimos_utilities::trigger; -use swimos_utilities::trigger::promise; -use tokio::sync::mpsc; -use tokio::sync::mpsc::error::SendError; -use tokio::sync::oneshot::error::RecvError; -pub use url::Url; +use swimos_utilities::{trigger, trigger::promise}; pub type DownlinkOperationResult = Result; -#[derive(Debug, Default)] +#[derive(Default)] pub struct SwimClientBuilder { - config: ClientConfig, + client_config: ClientConfig, } impl SwimClientBuilder { - pub fn new(config: ClientConfig) -> SwimClientBuilder { - SwimClientBuilder { config } + pub fn new(client_config: ClientConfig) -> SwimClientBuilder { + SwimClientBuilder { client_config } } /// Sets the websocket configuration. pub fn set_websocket_config(mut self, to: WebSocketConfig) -> SwimClientBuilder { - self.config.websocket = to; + self.client_config.websocket = to; self } /// Size of the buffers to communicate with the socket. pub fn set_remote_buffer_size(mut self, to: NonZeroUsize) -> SwimClientBuilder { - self.config.remote_buffer_size = to; + self.client_config.remote_buffer_size = to; self } /// Sets the buffer size between the runtime and transport tasks. pub fn set_transport_buffer_size(mut self, to: NonZeroUsize) -> SwimClientBuilder { - self.config.transport_buffer_size = to; + self.client_config.transport_buffer_size = to; self } /// Sets the deflate extension configuration for WebSocket connections. #[cfg(feature = "deflate")] pub fn set_deflate_config(mut self, to: DeflateConfig) -> SwimClientBuilder { - self.config.websocket.deflate_config = Some(to); + self.client_config.websocket.deflate_config = Some(to); self } + /// Enables TLS support. + pub fn set_tls_config(self, tls_config: TlsConfig) -> SwimClientTlsBuilder { + SwimClientTlsBuilder { + client_config: self.client_config, + tls_config, + crypto_provider: Default::default(), + } + } + /// Builds the client. pub async fn build(self) -> (SwimClient, BoxFuture<'static, ()>) { - let SwimClientBuilder { config } = self; + let SwimClientBuilder { client_config } = self; open_client( - config, + client_config, TokioPlainTextNetworking::new(Arc::new(Resolver::new().await)), ) .await } +} + +pub struct SwimClientTlsBuilder { + client_config: ClientConfig, + tls_config: TlsConfig, + crypto_provider: CryptoProviderConfig, +} + +impl SwimClientTlsBuilder { + /// Uses the process-default [`CryptoProvider`] for any TLS connections. + /// + /// This is only used if the TLS configuration has been set. + pub fn with_default_crypto_provider(mut self) -> Self { + self.crypto_provider = CryptoProviderConfig::ProcessDefault; + self + } + + /// Uses the provided [`CryptoProvider`] for any TLS connections. + /// + /// This is only used if the TLS configuration has been set. + pub fn with_crypto_provider(mut self, provider: Arc) -> Self { + self.crypto_provider = CryptoProviderConfig::Provided(provider); + self + } /// Builds the client using the provided TLS configuration. - #[cfg(feature = "tls")] - pub async fn build_tls( - self, - tls_config: TlsConfig, - ) -> Result<(SwimClient, BoxFuture<'static, ()>), TlsError> { - let SwimClientBuilder { config } = self; + pub async fn build(self) -> Result<(SwimClient, BoxFuture<'static, ()>), TlsError> { + let SwimClientTlsBuilder { + client_config, + tls_config, + crypto_provider, + } = self; Ok(open_client( - config, - RustlsClientNetworking::try_from_config(Arc::new(Resolver::new().await), tls_config)?, + client_config, + RustlsClientNetworking::build( + Arc::new(Resolver::new().await), + tls_config, + crypto_provider.build(), + )?, ) .await) } diff --git a/runtime/swimos_remote/Cargo.toml b/runtime/swimos_remote/Cargo.toml index 6d86dc8c6..2f61417f8 100644 --- a/runtime/swimos_remote/Cargo.toml +++ b/runtime/swimos_remote/Cargo.toml @@ -7,6 +7,8 @@ edition = "2021" [features] default = [] tls = ["rustls", "webpki", "webpki-roots", "tokio-rustls", "rustls-pemfile"] +ring_provider = [] +aws_lc_rs_provider = [] [dependencies] ratchet = { workspace = true, features = ["deflate", "split"] } diff --git a/runtime/swimos_remote/src/tls/config/mod.rs b/runtime/swimos_remote/src/tls/config/mod.rs index d58b68404..533f860df 100644 --- a/runtime/swimos_remote/src/tls/config/mod.rs +++ b/runtime/swimos_remote/src/tls/config/mod.rs @@ -12,9 +12,6 @@ // See the License for the specific language governing permissions and // limitations under the License. -use rustls::crypto::CryptoProvider; -use std::sync::Arc; - /// Supported certificate formats for TLS connections. pub enum CertFormat { Pem, @@ -87,17 +84,14 @@ pub struct ServerConfig { /// `SSLKEYLOGFILE` environment variable, and writes keys into it. While this may be enabled, /// if `SSLKEYLOGFILE` is not set, it will do nothing. pub enable_log_file: bool, - /// [`CryptoProvider`] to use when building the [`rustls::ServerConfig`]. - pub provider: Arc, } impl ServerConfig { - pub fn new(chain: CertChain, key: PrivateKey, provider: Arc) -> Self { + pub fn new(chain: CertChain, key: PrivateKey) -> Self { ServerConfig { chain, key, enable_log_file: false, - provider, } } } @@ -106,15 +100,13 @@ impl ServerConfig { pub struct ClientConfig { pub use_webpki_roots: bool, pub custom_roots: Vec, - pub provider: Arc, } impl ClientConfig { - pub fn new(custom_roots: Vec, provider: Arc) -> Self { + pub fn new(custom_roots: Vec) -> Self { ClientConfig { use_webpki_roots: true, custom_roots, - provider, } } } diff --git a/runtime/swimos_remote/src/tls/mod.rs b/runtime/swimos_remote/src/tls/mod.rs index bdab55daf..5018c5c58 100644 --- a/runtime/swimos_remote/src/tls/mod.rs +++ b/runtime/swimos_remote/src/tls/mod.rs @@ -23,3 +23,40 @@ pub use config::{ pub use errors::TlsError; pub use maybe::MaybeTlsStream; pub use net::{RustlsClientNetworking, RustlsListener, RustlsNetworking, RustlsServerNetworking}; +use rustls::crypto::CryptoProvider; +use std::sync::Arc; + +#[derive(Default)] +pub enum CryptoProviderConfig { + ProcessDefault, + #[default] + FromFeatureFlags, + Provided(Arc), +} + +impl CryptoProviderConfig { + pub fn build(self) -> Arc { + match self { + CryptoProviderConfig::ProcessDefault => CryptoProvider::get_default() + .expect("No default cryptographic provider specified") + .clone(), + CryptoProviderConfig::FromFeatureFlags => { + #[cfg(all(feature = "ring_provider", not(feature = "aws_lc_rs_provider")))] + { + return Arc::new(rustls::crypto::ring::default_provider()); + } + + #[cfg(all(feature = "aws_lc_rs_provider", not(feature = "ring_provider")))] + { + return Arc::new(rustls::crypto::aws_lc_rs::default_provider()); + } + + #[allow(unreachable_code)] + { + panic!("Ambiguous cryptographic provider feature flags specified. Only \"ring_provider\" or \"aws_lc_rs_provider\" may be specified") + } + } + CryptoProviderConfig::Provided(provider) => provider, + } + } +} diff --git a/runtime/swimos_remote/src/tls/net/client.rs b/runtime/swimos_remote/src/tls/net/client.rs index 8bc9555c6..180541950 100644 --- a/runtime/swimos_remote/src/tls/net/client.rs +++ b/runtime/swimos_remote/src/tls/net/client.rs @@ -15,6 +15,7 @@ use std::{net::SocketAddr, sync::Arc}; use futures::{future::BoxFuture, FutureExt}; +use rustls::crypto::CryptoProvider; use rustls::pki_types::ServerName; use rustls::RootCertStore; @@ -40,14 +41,14 @@ impl RustlsClientNetworking { } } - pub fn try_from_config( + pub fn build( resolver: Arc, config: ClientConfig, + provider: Arc, ) -> Result { let ClientConfig { use_webpki_roots, custom_roots, - provider, } = config; let mut root_store = RootCertStore::empty(); if use_webpki_roots { diff --git a/runtime/swimos_remote/src/tls/net/server.rs b/runtime/swimos_remote/src/tls/net/server.rs index 25905d28b..06a172c68 100644 --- a/runtime/swimos_remote/src/tls/net/server.rs +++ b/runtime/swimos_remote/src/tls/net/server.rs @@ -22,6 +22,7 @@ use futures::{ stream::{unfold, BoxStream, FuturesUnordered}, Future, FutureExt, Stream, StreamExt, TryStreamExt, }; +use rustls::crypto::CryptoProvider; use rustls::pki_types::PrivateKeyDer; use rustls::KeyLogFile; use rustls_pemfile::Item; @@ -64,17 +65,15 @@ impl RustlsServerNetworking { pub fn new(acceptor: TlsAcceptor) -> Self { RustlsServerNetworking { acceptor } } -} - -impl TryFrom for RustlsServerNetworking { - type Error = TlsError; - fn try_from(config: ServerConfig) -> Result { + pub fn build( + config: ServerConfig, + provider: Arc, + ) -> Result { let ServerConfig { chain: CertChain(certs), key, enable_log_file, - provider, } = config; let mut chain = vec![]; diff --git a/runtime/swimos_remote/src/tls/net/tests.rs b/runtime/swimos_remote/src/tls/net/tests.rs index 811745992..ecf47e14c 100644 --- a/runtime/swimos_remote/src/tls/net/tests.rs +++ b/runtime/swimos_remote/src/tls/net/tests.rs @@ -52,7 +52,6 @@ fn make_server_config() -> ServerConfig { chain, key, enable_log_file: false, - provider: Arc::new(aws_lc_rs::default_provider()), } } @@ -62,17 +61,18 @@ fn make_client_config() -> ClientConfig { ClientConfig { use_webpki_roots: true, custom_roots: vec![CertificateFile::der(ca_cert)], - provider: Arc::new(aws_lc_rs::default_provider()), } } #[tokio::test] async fn perform_handshake() { - let server_net = - RustlsServerNetworking::try_from(make_server_config()).expect("Invalid server config."); - let client_net = RustlsClientNetworking::try_from_config( + let crypto_provider = Arc::new(aws_lc_rs::default_provider()); + let server_net = RustlsServerNetworking::build(make_server_config(), crypto_provider.clone()) + .expect("Invalid server config."); + let client_net = RustlsClientNetworking::build( Arc::new(Resolver::new().await), make_client_config(), + crypto_provider, ) .expect("Invalid client config."); diff --git a/server/swimos_server_app/Cargo.toml b/server/swimos_server_app/Cargo.toml index 57cd650a3..24da9d4d7 100644 --- a/server/swimos_server_app/Cargo.toml +++ b/server/swimos_server_app/Cargo.toml @@ -5,9 +5,11 @@ authors = ["Swim Inc. developers info@swim.ai"] edition = "2021" [features] -default = [] +default = ["aws_lc_rs_provider"] rocks_store = ["swimos_rocks_store"] trust_dns = ["swimos_runtime/trust_dns"] +ring_provider = ["swimos_remote/ring_provider"] +aws_lc_rs_provider = ["swimos_remote/aws_lc_rs_provider"] [dependencies] futures = { workspace = true } diff --git a/server/swimos_server_app/src/server/builder/mod.rs b/server/swimos_server_app/src/server/builder/mod.rs index f75bcfd9a..1a04ecd36 100644 --- a/server/swimos_server_app/src/server/builder/mod.rs +++ b/server/swimos_server_app/src/server/builder/mod.rs @@ -21,7 +21,8 @@ use ratchet::{ deflate::{DeflateConfig, DeflateExtProvider}, NoExtProvider, WebSocketStream, }; -use rustls::crypto::aws_lc_rs; +use rustls::crypto::CryptoProvider; + use swimos_api::{ agent::Agent, error::StoreError, @@ -49,6 +50,41 @@ use super::{ BoxServer, }; +#[derive(Default)] +enum CryptoProviderConfig { + ProcessDefault, + #[default] + FromFeatureFlags, + Provided(Arc), +} + +impl CryptoProviderConfig { + fn build(self) -> Arc { + match self { + CryptoProviderConfig::ProcessDefault => CryptoProvider::get_default() + .expect("No default cryptographic provider specified") + .clone(), + CryptoProviderConfig::FromFeatureFlags => { + #[cfg(all(feature = "ring_provider", not(feature = "aws_lc_rs_provider")))] + { + return Arc::new(rustls::crypto::ring::default_provider()); + } + + #[cfg(all(feature = "aws_lc_rs_provider", not(feature = "ring_provider")))] + { + return Arc::new(rustls::crypto::aws_lc_rs::default_provider()); + } + + #[allow(unreachable_code)] + { + panic!("Ambiguous cryptographic provider feature flags specified. Only \"ring_provider\" or \"aws_lc_rs_provider\" may be specified") + } + } + CryptoProviderConfig::Provided(provider) => provider, + } + } +} + /// Builder for a swimos server that will listen on a socket and run a suite of agents. pub struct ServerBuilder { bind_to: SocketAddr, @@ -58,6 +94,7 @@ pub struct ServerBuilder { config: SwimServerConfig, store_options: StoreConfig, introspection: Option, + crypto_provider: CryptoProviderConfig, } #[non_exhaustive] @@ -85,6 +122,7 @@ impl ServerBuilder { config: Default::default(), store_options: Default::default(), introspection: Default::default(), + crypto_provider: CryptoProviderConfig::default(), } } @@ -160,6 +198,18 @@ impl ServerBuilder { self } + /// Uses the process-default [`CryptoProvider`] for any TLS connections. + pub fn with_default_crypto_provider(mut self) -> Self { + self.crypto_provider = CryptoProviderConfig::ProcessDefault; + self + } + + /// Uses the provided [`CryptoProvider`] for any TLS connections. + pub fn with_crypto_provider(mut self, provider: Arc) -> Self { + self.crypto_provider = CryptoProviderConfig::Provided(provider); + self + } + /// Attempt to make a server instance. This will fail if the routes specified for the /// agents are ambiguous. pub async fn build(self) -> Result { @@ -171,6 +221,7 @@ impl ServerBuilder { config, store_options, introspection, + crypto_provider, } = self; let routes = plane.build()?; if introspection.is_some() { @@ -183,16 +234,19 @@ impl ServerBuilder { deflate, introspection, }; + let crypto_provider = crypto_provider.build(); + if let Some(tls_conf) = tls_config { - let client = RustlsClientNetworking::try_from_config(resolver, tls_conf.client)?; - let server = RustlsServerNetworking::try_from(tls_conf.server)?; + let client = + RustlsClientNetworking::build(resolver, tls_conf.client, crypto_provider.clone())?; + let server = RustlsServerNetworking::build(tls_conf.server, crypto_provider)?; let networking = RustlsNetworking::new_tls(client, server); Ok(with_store(bind_to, routes, networking, config)?) } else { - let provider = Arc::new(aws_lc_rs::default_provider()); - let client = RustlsClientNetworking::try_from_config( + let client = RustlsClientNetworking::build( resolver.clone(), - ClientConfig::new(Default::default(), provider), + ClientConfig::new(Default::default()), + crypto_provider, )?; let server = TokioPlainTextNetworking::new(resolver); let networking = RustlsNetworking::new_plain_text(client, server); diff --git a/swimos/Cargo.toml b/swimos/Cargo.toml index bae39e33d..ea610f3d7 100644 --- a/swimos/Cargo.toml +++ b/swimos/Cargo.toml @@ -5,11 +5,13 @@ authors = ["Swim Inc. developers info@swim.ai"] edition = "2021" [features] -default = ["agent"] +default = ["agent", "aws_lc_rs_provider"] all = ["server", "agent", "json"] server = ["dep:swimos_server_app"] agent = ["dep:swimos_agent", "dep:swimos_agent_derive"] json = ["agent", "swimos_agent/json"] +ring_provider = ["swimos_server_app/ring_provider"] +aws_lc_rs_provider = ["swimos_server_app/aws_lc_rs_provider"] [dependencies] swimos_utilities = { path = "../swimos_utilities", features = ["io", "text"] } From 93d6b94eca154628262f26eca4586b81c7723ebb Mon Sep 17 00:00:00 2001 From: SirCipher Date: Wed, 26 Jun 2024 11:25:12 +0100 Subject: [PATCH 3/7] Removes incorrect comment --- client/swimos_client/src/lib.rs | 2 -- 1 file changed, 2 deletions(-) diff --git a/client/swimos_client/src/lib.rs b/client/swimos_client/src/lib.rs index fa5fe1c36..b0d3d79a8 100644 --- a/client/swimos_client/src/lib.rs +++ b/client/swimos_client/src/lib.rs @@ -123,8 +123,6 @@ impl SwimClientTlsBuilder { } /// Uses the provided [`CryptoProvider`] for any TLS connections. - /// - /// This is only used if the TLS configuration has been set. pub fn with_crypto_provider(mut self, provider: Arc) -> Self { self.crypto_provider = CryptoProviderConfig::Provided(provider); self From 3d66798244da23399a3011a5a0ab8ac5e81b5dd4 Mon Sep 17 00:00:00 2001 From: SirCipher Date: Wed, 26 Jun 2024 11:26:27 +0100 Subject: [PATCH 4/7] Removes duplicate crypto provider config --- .../src/server/builder/mod.rs | 38 +------------------ 1 file changed, 2 insertions(+), 36 deletions(-) diff --git a/server/swimos_server_app/src/server/builder/mod.rs b/server/swimos_server_app/src/server/builder/mod.rs index 1a04ecd36..34fa515ce 100644 --- a/server/swimos_server_app/src/server/builder/mod.rs +++ b/server/swimos_server_app/src/server/builder/mod.rs @@ -31,7 +31,8 @@ use swimos_api::{ use swimos_remote::dns::Resolver; use swimos_remote::plain::TokioPlainTextNetworking; use swimos_remote::tls::{ - ClientConfig, RustlsClientNetworking, RustlsNetworking, RustlsServerNetworking, TlsConfig, + ClientConfig, CryptoProviderConfig, RustlsClientNetworking, RustlsNetworking, + RustlsServerNetworking, TlsConfig, }; use swimos_remote::ExternalConnections; use swimos_utilities::routing::RoutePattern; @@ -50,41 +51,6 @@ use super::{ BoxServer, }; -#[derive(Default)] -enum CryptoProviderConfig { - ProcessDefault, - #[default] - FromFeatureFlags, - Provided(Arc), -} - -impl CryptoProviderConfig { - fn build(self) -> Arc { - match self { - CryptoProviderConfig::ProcessDefault => CryptoProvider::get_default() - .expect("No default cryptographic provider specified") - .clone(), - CryptoProviderConfig::FromFeatureFlags => { - #[cfg(all(feature = "ring_provider", not(feature = "aws_lc_rs_provider")))] - { - return Arc::new(rustls::crypto::ring::default_provider()); - } - - #[cfg(all(feature = "aws_lc_rs_provider", not(feature = "ring_provider")))] - { - return Arc::new(rustls::crypto::aws_lc_rs::default_provider()); - } - - #[allow(unreachable_code)] - { - panic!("Ambiguous cryptographic provider feature flags specified. Only \"ring_provider\" or \"aws_lc_rs_provider\" may be specified") - } - } - CryptoProviderConfig::Provided(provider) => provider, - } - } -} - /// Builder for a swimos server that will listen on a socket and run a suite of agents. pub struct ServerBuilder { bind_to: SocketAddr, From 41624be5c42004b49e3c7e2c0159bcffd4550ae3 Mon Sep 17 00:00:00 2001 From: SirCipher Date: Wed, 26 Jun 2024 14:54:23 +0100 Subject: [PATCH 5/7] Changes crypto provider configuration build failure to return an error instead of panic --- client/swimos_client/src/lib.rs | 2 +- runtime/swimos_remote/src/tls/errors.rs | 2 ++ runtime/swimos_remote/src/tls/mod.rs | 14 +++++++++----- server/swimos_server_app/src/server/builder/mod.rs | 2 +- 4 files changed, 13 insertions(+), 7 deletions(-) diff --git a/client/swimos_client/src/lib.rs b/client/swimos_client/src/lib.rs index b0d3d79a8..bc78cbdde 100644 --- a/client/swimos_client/src/lib.rs +++ b/client/swimos_client/src/lib.rs @@ -140,7 +140,7 @@ impl SwimClientTlsBuilder { RustlsClientNetworking::build( Arc::new(Resolver::new().await), tls_config, - crypto_provider.build(), + crypto_provider.try_build()?, )?, ) .await) diff --git a/runtime/swimos_remote/src/tls/errors.rs b/runtime/swimos_remote/src/tls/errors.rs index 03d12ae0a..a8e3b20a4 100644 --- a/runtime/swimos_remote/src/tls/errors.rs +++ b/runtime/swimos_remote/src/tls/errors.rs @@ -32,4 +32,6 @@ pub enum TlsError { /// Performing the TLS handshake failed. #[error("TLS handshake failed: {0}")] HandshakeFailed(std::io::Error), + #[error("Invalid cryptographic provider configured: {0}")] + InvalidCryptoProvider(String), } diff --git a/runtime/swimos_remote/src/tls/mod.rs b/runtime/swimos_remote/src/tls/mod.rs index 5018c5c58..14030ca87 100644 --- a/runtime/swimos_remote/src/tls/mod.rs +++ b/runtime/swimos_remote/src/tls/mod.rs @@ -35,11 +35,15 @@ pub enum CryptoProviderConfig { } impl CryptoProviderConfig { - pub fn build(self) -> Arc { + pub fn try_build(self) -> Result, TlsError> { match self { CryptoProviderConfig::ProcessDefault => CryptoProvider::get_default() - .expect("No default cryptographic provider specified") - .clone(), + .ok_or_else(|| { + TlsError::InvalidCryptoProvider( + "No default cryptographic provider specified".to_string(), + ) + }) + .cloned(), CryptoProviderConfig::FromFeatureFlags => { #[cfg(all(feature = "ring_provider", not(feature = "aws_lc_rs_provider")))] { @@ -53,10 +57,10 @@ impl CryptoProviderConfig { #[allow(unreachable_code)] { - panic!("Ambiguous cryptographic provider feature flags specified. Only \"ring_provider\" or \"aws_lc_rs_provider\" may be specified") + Err(TlsError::InvalidCryptoProvider("Ambiguous cryptographic provider feature flags specified. Only \"ring_provider\" or \"aws_lc_rs_provider\" may be specified".to_string())) } } - CryptoProviderConfig::Provided(provider) => provider, + CryptoProviderConfig::Provided(provider) => Ok(provider), } } } diff --git a/server/swimos_server_app/src/server/builder/mod.rs b/server/swimos_server_app/src/server/builder/mod.rs index 34fa515ce..cbf9b3da9 100644 --- a/server/swimos_server_app/src/server/builder/mod.rs +++ b/server/swimos_server_app/src/server/builder/mod.rs @@ -200,7 +200,7 @@ impl ServerBuilder { deflate, introspection, }; - let crypto_provider = crypto_provider.build(); + let crypto_provider = crypto_provider.try_build()?; if let Some(tls_conf) = tls_config { let client = From 85cc0e5904fbc2ea30435b4760b98f898c2b3517 Mon Sep 17 00:00:00 2001 From: SirCipher Date: Wed, 26 Jun 2024 15:23:41 +0100 Subject: [PATCH 6/7] Tidies up cryptographic provider error messaging --- runtime/swimos_remote/src/tls/errors.rs | 8 ++++++-- runtime/swimos_remote/src/tls/mod.rs | 8 ++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/runtime/swimos_remote/src/tls/errors.rs b/runtime/swimos_remote/src/tls/errors.rs index a8e3b20a4..8de8f33ee 100644 --- a/runtime/swimos_remote/src/tls/errors.rs +++ b/runtime/swimos_remote/src/tls/errors.rs @@ -32,6 +32,10 @@ pub enum TlsError { /// Performing the TLS handshake failed. #[error("TLS handshake failed: {0}")] HandshakeFailed(std::io::Error), - #[error("Invalid cryptographic provider configured: {0}")] - InvalidCryptoProvider(String), + /// User specified that a cryptographic provider had been installed but none was found. + #[error("No default cryptographic provider has been installed")] + NoCryptoProviderInstalled, + /// User specified more than one cryptographic provider feature flag. Only one may be specified. + #[error("Ambiguous cryptographic provider feature flags specified. Only \"ring_provider\" or \"aws_lc_rs_provider\" may be specified")] + InvalidCryptoProvider, } diff --git a/runtime/swimos_remote/src/tls/mod.rs b/runtime/swimos_remote/src/tls/mod.rs index 14030ca87..c3d0064bc 100644 --- a/runtime/swimos_remote/src/tls/mod.rs +++ b/runtime/swimos_remote/src/tls/mod.rs @@ -38,11 +38,7 @@ impl CryptoProviderConfig { pub fn try_build(self) -> Result, TlsError> { match self { CryptoProviderConfig::ProcessDefault => CryptoProvider::get_default() - .ok_or_else(|| { - TlsError::InvalidCryptoProvider( - "No default cryptographic provider specified".to_string(), - ) - }) + .ok_or(TlsError::NoCryptoProviderInstalled) .cloned(), CryptoProviderConfig::FromFeatureFlags => { #[cfg(all(feature = "ring_provider", not(feature = "aws_lc_rs_provider")))] @@ -57,7 +53,7 @@ impl CryptoProviderConfig { #[allow(unreachable_code)] { - Err(TlsError::InvalidCryptoProvider("Ambiguous cryptographic provider feature flags specified. Only \"ring_provider\" or \"aws_lc_rs_provider\" may be specified".to_string())) + Err(TlsError::InvalidCryptoProvider) } } CryptoProviderConfig::Provided(provider) => Ok(provider), From ae29730e35c408feeb25174b4ed25d57cbf79840 Mon Sep 17 00:00:00 2001 From: SirCipher Date: Wed, 26 Jun 2024 15:27:41 +0100 Subject: [PATCH 7/7] Adds missing default client crypto provider feature flag --- client/swimos_client/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/swimos_client/Cargo.toml b/client/swimos_client/Cargo.toml index 9053e2e6d..f5d479216 100644 --- a/client/swimos_client/Cargo.toml +++ b/client/swimos_client/Cargo.toml @@ -4,7 +4,7 @@ version = "0.1.0" edition = "2021" [features] -default = [] +default = ["aws_lc_rs_provider"] deflate = ["runtime/deflate"] trust_dns = ["swimos_runtime/trust_dns"] ring_provider = ["swimos_remote/ring_provider"]