tuftool: install default CryptoProvider for HTTP client

when building the tuftool HTTP client, install the aws_lc_rs default CryptoProvider if none is set yet. This is to ensure that a CryptoProvider for rustls is set before proceeded with HTTP methods. Signed-off-by: Gavin Inglis <giinglis@amazon.com>
awslabs · Sep 27, 2024 · 6c6fac5 · 6c6fac5
1 parent d823d4e
commit 6c6fac5
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/tough/src/http.rs b/tough/src/http.rs
@@ -11,6 +11,7 @@ use log::trace;
 use reqwest::header::{self, HeaderValue, ACCEPT_RANGES};
 use reqwest::{Client, ClientBuilder, Request, Response};
 use reqwest::{Error, Method};
+use rustls::crypto::{aws_lc_rs, CryptoProvider};
 use snafu::ResultExt;
 use snafu::Snafu;
 use std::cmp::Ordering;
@@ -322,7 +323,15 @@ impl RetryStream {
         &mut self,
         cx: &mut std::task::Context<'_>,
     ) -> Result<Poll<Option<Result<bytes::Bytes, TransportError>>>, HttpError> {
-        // create a reqwest client
+        // Set the aws_lc_rs CryptoProvider for rustls. This is to ensure that the reqwest client
+        // is using a FIPS enabled aws_lc_rs when creating a client. Otherwise, ring is used:
+        // https://github.com/seanmonstar/reqwest/blob/d85f44b217f36f8bef065fe95877eab98c52c2e5/src/async_impl/client.rs#L577-L587
+        // This can be called successfully at most once in any process execution: https://docs.rs/rustls/latest/rustls/crypto/struct.CryptoProvider.html#method.install_default
+        // The return type is Result<(), Arc<Self>>, which can be dropped.
+        if CryptoProvider::get_default().is_none() {
+            let _ = aws_lc_rs::default_provider().install_default();
+        }
+
         let client = ClientBuilder::new()
             .timeout(self.settings.timeout)
             .connect_timeout(self.settings.connect_timeout)