Merge branch 'main' of https://github.com/swimos/swim-rust into no_publish

# Conflicts:
#	client/swimos_client/Cargo.toml
#	server/swimos_server_app/Cargo.toml
#	swimos_client/src/lib.rs

Author: SirCipher

client/swimos_client/Cargo.toml

@@ -7,6 +7,8 @@ edition = "2021"
 [features]
 default = []
 tls = ["rustls", "webpki", "webpki-roots", "tokio-rustls", "rustls-pemfile"]
+ring_provider = []
+aws_lc_rs_provider = []
 
 [dependencies]
 ratchet = { workspace = true, features = ["deflate", "split"] }

runtime/swimos_remote/Cargo.toml

@@ -12,9 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-use rustls::crypto::CryptoProvider;
-use std::sync::Arc;
-
 /// Supported certificate formats for TLS connections.
 pub enum CertFormat {
     Pem,
@@ -87,18 +84,14 @@ pub struct ServerConfig {
     /// `SSLKEYLOGFILE` environment variable, and writes keys into it. While this may be enabled,
     /// if `SSLKEYLOGFILE` is not set, it will do nothing.
     pub enable_log_file: bool,
-    /// Process-wide [`CryptoProvider`] that must already have been installed as the default
-    /// provider.
-    pub provider: Arc<CryptoProvider>,
 }
 
 impl ServerConfig {
-    pub fn new(chain: CertChain, key: PrivateKey, provider: Arc<CryptoProvider>) -> Self {
+    pub fn new(chain: CertChain, key: PrivateKey) -> Self {
         ServerConfig {
             chain,
             key,
             enable_log_file: false,
-            provider,
         }
     }
 }
@@ -117,12 +110,3 @@ impl ClientConfig {
         }
     }
 }
-
-impl Default for ClientConfig {
-    fn default() -> Self {
-        Self {
-            use_webpki_roots: true,
-            custom_roots: vec![],
-        }
-    }
-}

runtime/swimos_remote/src/tls/config/mod.rs

@@ -32,4 +32,10 @@ pub enum TlsError {
     /// Performing the TLS handshake failed.
     #[error("TLS handshake failed: {0}")]
     HandshakeFailed(std::io::Error),
+    /// User specified that a cryptographic provider had been installed but none was found.
+    #[error("No default cryptographic provider has been installed")]
+    NoCryptoProviderInstalled,
+    /// User specified more than one cryptographic provider feature flag. Only one may be specified.
+    #[error("Ambiguous cryptographic provider feature flags specified. Only \"ring_provider\" or \"aws_lc_rs_provider\" may be specified")]
+    InvalidCryptoProvider,
 }

runtime/swimos_remote/src/tls/errors.rs

@@ -23,3 +23,40 @@ pub use config::{
 pub use errors::TlsError;
 pub use maybe::MaybeTlsStream;
 pub use net::{RustlsClientNetworking, RustlsListener, RustlsNetworking, RustlsServerNetworking};
+use rustls::crypto::CryptoProvider;
+use std::sync::Arc;
+
+#[derive(Default)]
+pub enum CryptoProviderConfig {
+    ProcessDefault,
+    #[default]
+    FromFeatureFlags,
+    Provided(Arc<CryptoProvider>),
+}
+
+impl CryptoProviderConfig {
+    pub fn try_build(self) -> Result<Arc<CryptoProvider>, TlsError> {
+        match self {
+            CryptoProviderConfig::ProcessDefault => CryptoProvider::get_default()
+                .ok_or(TlsError::NoCryptoProviderInstalled)
+                .cloned(),
+            CryptoProviderConfig::FromFeatureFlags => {
+                #[cfg(all(feature = "ring_provider", not(feature = "aws_lc_rs_provider")))]
+                {
+                    return Arc::new(rustls::crypto::ring::default_provider());
+                }
+
+                #[cfg(all(feature = "aws_lc_rs_provider", not(feature = "ring_provider")))]
+                {
+                    return Arc::new(rustls::crypto::aws_lc_rs::default_provider());
+                }
+
+                #[allow(unreachable_code)]
+                {
+                    Err(TlsError::InvalidCryptoProvider)
+                }
+            }
+            CryptoProviderConfig::Provided(provider) => Ok(provider),
+        }
+    }
+}

runtime/swimos_remote/src/tls/mod.rs

@@ -15,6 +15,7 @@
 use std::{net::SocketAddr, sync::Arc};
 
 use futures::{future::BoxFuture, FutureExt};
+use rustls::crypto::CryptoProvider;
 use rustls::pki_types::ServerName;
 use rustls::RootCertStore;
 
@@ -40,9 +41,10 @@ impl RustlsClientNetworking {
         }
     }
 
-    pub fn try_from_config(
+    pub fn build(
         resolver: Arc<Resolver>,
         config: ClientConfig,
+        provider: Arc<CryptoProvider>,
     ) -> Result<Self, TlsError> {
         let ClientConfig {
             use_webpki_roots,
@@ -59,7 +61,8 @@ impl RustlsClientNetworking {
             }
         }
 
-        let config = rustls::ClientConfig::builder()
+        let config = rustls::ClientConfig::builder_with_provider(provider)
+            .with_safe_default_protocol_versions()?
             .with_root_certificates(root_store)
             .with_no_client_auth();
 

runtime/swimos_remote/src/tls/net/client.rs

@@ -22,6 +22,7 @@ use futures::{
     stream::{unfold, BoxStream, FuturesUnordered},
     Future, FutureExt, Stream, StreamExt, TryStreamExt,
 };
+use rustls::crypto::CryptoProvider;
 use rustls::pki_types::PrivateKeyDer;
 use rustls::KeyLogFile;
 use rustls_pemfile::Item;
@@ -64,17 +65,15 @@ impl RustlsServerNetworking {
     pub fn new(acceptor: TlsAcceptor) -> Self {
         RustlsServerNetworking { acceptor }
     }
-}
-
-impl TryFrom<ServerConfig> for RustlsServerNetworking {
-    type Error = TlsError;
 
-    fn try_from(config: ServerConfig) -> Result<Self, Self::Error> {
+    pub fn build(
+        config: ServerConfig,
+        provider: Arc<CryptoProvider>,
+    ) -> Result<RustlsServerNetworking, TlsError> {
         let ServerConfig {
             chain: CertChain(certs),
             key,
             enable_log_file,
-            provider,
         } = config;
 
         let mut chain = vec![];

runtime/swimos_remote/src/tls/net/server.rs

@@ -17,6 +17,7 @@ use std::{net::SocketAddr, path::PathBuf, sync::Arc, time::Duration};
 use crate::dns::Resolver;
 use crate::net::{ClientConnections, ConnectionError, Listener, ListenerError, Scheme};
 use futures::{future::join, StreamExt};
+use rustls::crypto::aws_lc_rs;
 
 use crate::tls::{
     CertChain, CertificateFile, ClientConfig, PrivateKey, RustlsClientNetworking,
@@ -46,18 +47,11 @@ fn make_server_config() -> ServerConfig {
         CertificateFile::der(ca_cert),
     ]);
 
-    let provider = rustls::crypto::aws_lc_rs::default_provider();
-    provider
-        .clone()
-        .install_default()
-        .expect("Crypto Provider has already been initialised elsewhere.");
-
     let key = PrivateKey::der(server_key);
     ServerConfig {
         chain,
         key,
         enable_log_file: false,
-        provider: Arc::new(provider),
     }
 }
 
@@ -72,11 +66,13 @@ fn make_client_config() -> ClientConfig {
 
 #[tokio::test]
 async fn perform_handshake() {
-    let server_net =
-        RustlsServerNetworking::try_from(make_server_config()).expect("Invalid server config.");
-    let client_net = RustlsClientNetworking::try_from_config(
+    let crypto_provider = Arc::new(aws_lc_rs::default_provider());
+    let server_net = RustlsServerNetworking::build(make_server_config(), crypto_provider.clone())
+        .expect("Invalid server config.");
+    let client_net = RustlsClientNetworking::build(
         Arc::new(Resolver::new().await),
         make_client_config(),
+        crypto_provider,
     )
     .expect("Invalid client config.");
 

runtime/swimos_remote/src/tls/net/tests.rs

@@ -5,10 +5,12 @@ authors = ["Swim Inc. developers info@swim.ai"]
 edition = "2021"
 
 [features]
-default = ["signal"]
+default = ["aws_lc_rs_provider", "signal"]
 rocks_store = ["swimos_rocks_store"]
 trust_dns = ["swimos_runtime/trust_dns"]
 signal = ["tokio/signal"]
+ring_provider = ["swimos_remote/ring_provider"]
+aws_lc_rs_provider = ["swimos_remote/aws_lc_rs_provider"]
 
 [dependencies]
 futures = { workspace = true }
@@ -36,6 +38,7 @@ parking_lot = { workspace = true }
 hyper = { workspace = true, features = ["server", "runtime", "tcp", "http1", "backports"] }
 pin-project = { workspace = true }
 percent-encoding = { workspace = true }
+rustls = { workspace = true }
 
 [dev-dependencies]
 swimos_recon = { path = "../../api/formats/swimos_recon" }

server/swimos_server_app/Cargo.toml

@@ -21,6 +21,8 @@ use ratchet::{
     deflate::{DeflateConfig, DeflateExtProvider},
     NoExtProvider, WebSocketStream,
 };
+use rustls::crypto::CryptoProvider;
+
 use swimos_api::{
     agent::Agent,
     error::StoreError,
@@ -29,7 +31,8 @@ use swimos_api::{
 use swimos_remote::dns::Resolver;
 use swimos_remote::plain::TokioPlainTextNetworking;
 use swimos_remote::tls::{
-    ClientConfig, RustlsClientNetworking, RustlsNetworking, RustlsServerNetworking, TlsConfig,
+    ClientConfig, CryptoProviderConfig, RustlsClientNetworking, RustlsNetworking,
+    RustlsServerNetworking, TlsConfig,
 };
 use swimos_remote::ExternalConnections;
 use swimos_utilities::routing::RoutePattern;
@@ -57,6 +60,7 @@ pub struct ServerBuilder {
     config: SwimServerConfig,
     store_options: StoreConfig,
     introspection: Option<IntrospectionConfig>,
+    crypto_provider: CryptoProviderConfig,
 }
 
 #[non_exhaustive]
@@ -84,6 +88,7 @@ impl ServerBuilder {
             config: Default::default(),
             store_options: Default::default(),
             introspection: Default::default(),
+            crypto_provider: CryptoProviderConfig::default(),
         }
     }
 
@@ -159,6 +164,18 @@ impl ServerBuilder {
         self
     }
 
+    /// Uses the process-default [`CryptoProvider`] for any TLS connections.
+    pub fn with_default_crypto_provider(mut self) -> Self {
+        self.crypto_provider = CryptoProviderConfig::ProcessDefault;
+        self
+    }
+
+    /// Uses the provided [`CryptoProvider`] for any TLS connections.
+    pub fn with_crypto_provider(mut self, provider: Arc<CryptoProvider>) -> Self {
+        self.crypto_provider = CryptoProviderConfig::Provided(provider);
+        self
+    }
+
     /// Attempt to make a server instance. This will fail if the routes specified for the
     /// agents are ambiguous.
     pub async fn build(self) -> Result<BoxServer, ServerBuilderError> {
@@ -170,6 +187,7 @@ impl ServerBuilder {
             config,
             store_options,
             introspection,
+            crypto_provider,
         } = self;
         let routes = plane.build()?;
         if introspection.is_some() {
@@ -182,14 +200,20 @@ impl ServerBuilder {
             deflate,
             introspection,
         };
+        let crypto_provider = crypto_provider.try_build()?;
+
         if let Some(tls_conf) = tls_config {
-            let client = RustlsClientNetworking::try_from_config(resolver, tls_conf.client)?;
-            let server = RustlsServerNetworking::try_from(tls_conf.server)?;
+            let client =
+                RustlsClientNetworking::build(resolver, tls_conf.client, crypto_provider.clone())?;
+            let server = RustlsServerNetworking::build(tls_conf.server, crypto_provider)?;
             let networking = RustlsNetworking::new_tls(client, server);
             Ok(with_store(bind_to, routes, networking, config)?)
         } else {
-            let client =
-                RustlsClientNetworking::try_from_config(resolver.clone(), ClientConfig::default())?;
+            let client = RustlsClientNetworking::build(
+                resolver.clone(),
+                ClientConfig::new(Default::default()),
+                crypto_provider,
+            )?;
             let server = TokioPlainTextNetworking::new(resolver);
             let networking = RustlsNetworking::new_plain_text(client, server);
             Ok(with_store(bind_to, routes, networking, config)?)