magnetar-runtime-moonpool 1.0.1

moonpool runtime engine for magnetar — deterministic-sim friendly. Custom rustls-over-bytepipe TLS adapter. No channels.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

// SPDX-License-Identifier: Apache-2.0

//! Pluggable rustls crypto provider shim — moonpool engine variant
//! (issue #9, ADR-0035).
//!
//! Mirrors `magnetar-runtime-tokio::tls_crypto` exactly. The moonpool
//! engine drives [`rustls::ClientConnection`] over a byte pipe directly
//! (ADR-0006); it pulls in `rustls` (and optionally `rustls-openssl`)
//! but never `tokio-rustls`.
//!
//! See the tokio sibling for the rationale around the cfg cascade.

use std::sync::Arc;
#[cfg(any(
    feature = "crypto-aws-lc-rs",
    feature = "crypto-ring",
    feature = "crypto-openssl",
    feature = "crypto-fips",
))]
use std::sync::Once;

use rustls::crypto::CryptoProvider;

#[cfg(not(any(
    feature = "crypto-aws-lc-rs",
    feature = "crypto-ring",
    feature = "crypto-openssl",
    feature = "crypto-fips",
)))]
compile_error!(
    "magnetar: enable at least one of crypto-{aws-lc-rs,ring,openssl,fips} \
     on the magnetar / magnetar-runtime-moonpool crate"
);

/// Install the configured rustls crypto provider as the process-global
/// default. Idempotent.
#[cfg(feature = "crypto-aws-lc-rs")]
pub fn install_default_provider() {
    static ONCE: Once = Once::new();
    ONCE.call_once(|| {
        let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
    });
}

#[cfg(all(not(feature = "crypto-aws-lc-rs"), feature = "crypto-fips"))]
pub fn install_default_provider() {
    static ONCE: Once = Once::new();
    ONCE.call_once(|| {
        let _ = rustls::crypto::default_fips_provider().install_default();
    });
}

#[cfg(all(
    not(any(feature = "crypto-aws-lc-rs", feature = "crypto-fips")),
    feature = "crypto-openssl"
))]
pub fn install_default_provider() {
    static ONCE: Once = Once::new();
    ONCE.call_once(|| {
        let _ = rustls_openssl::default_provider().install_default();
    });
}

#[cfg(all(
    not(any(
        feature = "crypto-aws-lc-rs",
        feature = "crypto-fips",
        feature = "crypto-openssl"
    )),
    feature = "crypto-ring"
))]
pub fn install_default_provider() {
    static ONCE: Once = Once::new();
    ONCE.call_once(|| {
        let _ = rustls::crypto::ring::default_provider().install_default();
    });
}

/// Return the active rustls [`CryptoProvider`] as an `Arc`, installing
/// it first if no default is set.
///
/// # Panics
///
/// Only panics if [`install_default_provider`] failed to populate the
/// process-global default, which would indicate a rustls bug.
#[must_use]
pub fn active_provider() -> Arc<CryptoProvider> {
    install_default_provider();
    CryptoProvider::get_default()
        .cloned()
        .expect("install_default_provider() must populate the global rustls CryptoProvider")
}

#[cfg(test)]
mod tests {
    use super::{active_provider, install_default_provider};

    #[test]
    fn install_default_provider_is_idempotent() {
        install_default_provider();
        install_default_provider();
        install_default_provider();
    }

    #[test]
    fn active_provider_returns_a_valid_provider() {
        let provider = active_provider();
        assert!(
            !provider.cipher_suites.is_empty(),
            "active rustls provider must expose at least one cipher suite"
        );
    }
}