From 898a0def2fb1d9166e8513966d0d173ce9659ec4 Mon Sep 17 00:00:00 2001 From: Gavin Inglis Date: Thu, 26 Sep 2024 23:12:09 +0000 Subject: [PATCH] tuftool: install default CryptoProvider for HTTP client when building the tuftool HTTP client, install the aws_lc_rs default CryptoProvider if none is set yet. This is to ensure that a CryptoProvider for rustls is set before proceeded with HTTP methods. Signed-off-by: Gavin Inglis --- tough/src/http.rs | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tough/src/http.rs b/tough/src/http.rs index 4fbf2fa07..d502de1ae 100644 --- a/tough/src/http.rs +++ b/tough/src/http.rs @@ -11,6 +11,7 @@ use log::trace; use reqwest::header::{self, HeaderValue, ACCEPT_RANGES}; use reqwest::{Client, ClientBuilder, Request, Response}; use reqwest::{Error, Method}; +use rustls::crypto::{aws_lc_rs, CryptoProvider}; use snafu::ResultExt; use snafu::Snafu; use std::cmp::Ordering; @@ -322,7 +323,15 @@ impl RetryStream { &mut self, cx: &mut std::task::Context<'_>, ) -> Result>>, HttpError> { - // create a reqwest client + // Set the aws_lc_rs CryptoProvider for rustls. This is to ensure that the reqwest client + // is using a FIPS enabled aws_lc_rs when creating a client. Otherwise, ring is used: + // https://github.com/seanmonstar/reqwest/blob/d85f44b217f36f8bef065fe95877eab98c52c2e5/src/async_impl/client.rs#L577-L587 + // This can be called successfully at most once in any process execution: https://docs.rs/rustls/latest/rustls/crypto/struct.CryptoProvider.html#method.install_default + // The return type is Result<(), Arc>, which can be dropped. + if CryptoProvider::get_default().is_none() { + let _ = aws_lc_rs::default_provider().install_default(); + } + let client = ClientBuilder::new() .timeout(self.settings.timeout) .connect_timeout(self.settings.connect_timeout)
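Review bot: In the second hunk the `CryptoProvider::get_default().is_none()` guard keeps whichever provider some other crate installed first, so the comment's promise that the client "is using a FIPS enabled aws_lc_rs" is not actually enforced — if ring (or any non-FIPS provider) was installed earlier in the process, this code silently proceeds with it, and `aws_lc_rs::default_provider()` is itself only FIPS-validated when rustls is built with its `fips` feature. Either reword the comment to what the code does, e.g. `// Install aws_lc_rs as the rustls default only if no provider is installed yet; an already-installed provider (e.g. ring) is kept unchanged.`, or check the property instead of presence via `CryptoProvider::fips()` on the installed provider and surface a mismatch. Note also that this installs a process-global provider from inside the `tough` library rather than the tuftool binary the subject line describes, which is a side effect on every rustls user in the same process and deserves at least a doc comment on the type; the `let _ =` also hides a lost install race, where a `trace!` of the error would make later "unexpected provider" reports diagnosable. As rendered here the comment's `Result<(), Arc>` lacks the type parameter (`Arc<CryptoProvider>`), which may be an extraction artifact worth checking in the committed text. The enclosing method's signature starts outside the hunk.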