From 0531156b9eaa6e8d326c827fb0e2f2357c9c8733 Mon Sep 17 00:00:00 2001 From: Nadja Reitzenstein Date: Wed, 9 Mar 2022 02:40:38 +0100 Subject: [PATCH] Improve TLS support --- Cargo.lock | 68 ++++++++++++++++++++++++++++++++++------------- Cargo.toml | 4 +-- src/connection.rs | 3 +-- src/server.rs | 27 ++++++++++++------- 4 files changed, 70 insertions(+), 32 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 17a5241..3a48440 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -164,17 +164,6 @@ dependencies = [ "winapi", ] -[[package]] -name = "async-rustls" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c86f33abd5a4f3e2d6d9251a9e0c6a7e52eb1113caf893dae8429bf4a53f378" -dependencies = [ - "futures-lite", - "rustls", - "webpki", -] - [[package]] name = "async-task" version = "4.1.0" @@ -489,7 +478,6 @@ version = "0.3.2" dependencies = [ "async-channel", "async-compat", - "async-rustls", "async-trait", "bincode", "capnp", @@ -500,6 +488,7 @@ dependencies = [ "easy-parallel", "flexbuffers", "futures 0.3.21", + "futures-rustls", "futures-signals", "futures-test", "futures-util", @@ -511,7 +500,7 @@ dependencies = [ "rsasl", "rumqttc", "rust-argon2", - "rustls", + "rustls 0.20.4", "rustls-pemfile", "serde", "serde_dhall", @@ -743,6 +732,17 @@ dependencies = [ "syn", ] +[[package]] +name = "futures-rustls" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d383f0425d991a05e564c2f3ec150bd6dde863179c131dd60d8aa73a05434461" +dependencies = [ + "futures-io", + "rustls 0.20.4", + "webpki 0.22.0", +] + [[package]] name = "futures-signals" version = "0.3.24" @@ -1515,7 +1515,7 @@ dependencies = [ "tokio", "tokio-rustls", "url", - "webpki", + "webpki 0.21.4", ] [[package]] 
@@ -1539,8 +1539,20 @@ dependencies = [ "base64", "log", "ring", - "sct", - "webpki", + "sct 0.6.1", + "webpki 0.21.4", +] + +[[package]] +name = "rustls" +version = "0.20.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4fbfeb8d0ddb84706bc597a5574ab8912817c52a397f819e5b614e2265206921" +dependencies = [ + "log", + "ring", + "sct 0.7.0", + "webpki 0.22.0", ] [[package]] @@ -1583,6 +1595,16 @@ dependencies = [ "untrusted", ] +[[package]] +name = "sct" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "serde" version = "1.0.136" @@ -1966,9 +1988,9 @@ version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6" dependencies = [ - "rustls", + "rustls 0.19.1", "tokio", - "webpki", + "webpki 0.21.4", ] [[package]] @@ -2162,6 +2184,16 @@ dependencies = [ "untrusted", ] +[[package]] +name = "webpki" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "wepoll-ffi" version = "0.1.2" diff --git a/Cargo.toml b/Cargo.toml index 4a5223c..535308b 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -71,9 +71,9 @@ easy-parallel = "3.1.0" genawaiter = "0.99.1" # TLS -rustls = "0.19" +rustls = "0.20" rustls-pemfile = "0.2" -async-rustls = "0.2" +futures-rustls = "0.22.0" [build-dependencies] capnpc = "0.14.4" diff --git a/src/connection.rs b/src/connection.rs index 769c94a..239d37b 100644 --- a/src/connection.rs +++ b/src/connection.rs @@ -7,8 +7,6 @@ use std::future::Future; use std::sync::Arc; -use async_rustls::server::TlsStream; - use slog::Logger; 
@@ -17,6 +15,7 @@ use crate::api::Bootstrap; use crate::error::Result; use capnp_rpc::{rpc_twoparty_capnp, twoparty}; +use futures_rustls::server::TlsStream; use smol::io::split; diff --git a/src/server.rs b/src/server.rs index 4f24991..3747166 100644 --- a/src/server.rs +++ b/src/server.rs @@ -20,8 +20,8 @@ use std::sync::Arc; use std::os::unix::io::AsRawFd; use std::path::Path; -use async_rustls::TlsAcceptor; -use rustls::{Certificate, KeyLogFile, NoClientAuth, PrivateKey, ServerConfig}; +use futures_rustls::TlsAcceptor; +use rustls::{Certificate, KeyLogFile, PrivateKey, ServerConfig}; use signal_hook::low_level::pipe as sigpipe; 
@@ -60,23 +60,30 @@ pub fn serve_api_connections(log: Arc, config: Config, db: Databases, nw
 .collect();
 info!(log, "Reading private key file");
 let mut keyfp = BufReader::new(File::open(&config.keyfile)?);
- let mut tls_config = ServerConfig::new(Arc::new(NoClientAuth));
- tls_config.key_log = Arc::new(KeyLogFile::new());
- if let Some(path) = std::env::var_os("SSLKEYLOGFILE") {
- let path = Path::new(&path);
- warn!(log, "TLS SECRET LOGGING ENABLED! This will write all connection secrets to file {}!",
- path.display());
- }
+ let mut tls_builder = ServerConfig::builder()
+ .with_safe_defaults()
+ .with_no_client_auth()
+ ;
+
+ let mut tls_config;
 match rustls_pemfile::read_one(&mut keyfp)? {
 Some(rustls_pemfile::Item::PKCS8Key(key) | rustls_pemfile::Item::RSAKey(key)) => {
 let key = PrivateKey(key);
- tls_config.set_single_cert(certs, key)?;
+ tls_config = tls_builder.with_single_cert(certs, key)?;
 }
 _ => {
 error!(log, "private key file must contain a PEM-encoded private key");
 return Ok(());
 }
 }
+
+ if let Some(path) = std::env::var_os("SSLKEYLOGFILE") {
+ let path = Path::new(&path);
+ warn!(log, "TLS SECRET LOGGING ENABLED! This will write all connection secrets to file {}!",
+ path.display());
+ }
+ tls_config.key_log = Arc::new(KeyLogFile::new());
+
 let tls_acceptor: TlsAcceptor = Arc::new(tls_config).into();
 
 // Bind to each address in config.listens.
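Review bot: `tls_builder` is declared `let mut` but is never mutated (`with_single_cert` takes it by value), and `let mut tls_config;` is a deferred initialisation that only compiles because the `_` arm diverges — both read as leftovers of the old `set_single_cert` flow and the first will trip `unused_mut`. Binding the config straight from the `match` expression removes the uninitialised declaration, and folding the lone `;` line after `.with_no_client_auth()` back onto the chain makes the builder read as one expression. The `KeyLogFile` installation now sits next to the `SSLKEYLOGFILE` warning, which is an improvement, but nothing in the hunk records why the logger is installed unconditionally; as far as I recall from the rustls docs `KeyLogFile::new()` does nothing unless that variable is set, so a comment such as `// KeyLogFile::new() is a no-op unless SSLKEYLOGFILE is set; the warn! above is the only signal that session secrets are being written` (confirm against the rustls 0.20 docs) would save the next reader the lookup. `serve_api_connections` starts and ends outside the hunk.
```rust
let tls_builder = ServerConfig::builder()
    .with_safe_defaults()
    .with_no_client_auth();

let mut tls_config = match rustls_pemfile::read_one(&mut keyfp)? {
    Some(rustls_pemfile::Item::PKCS8Key(key) | rustls_pemfile::Item::RSAKey(key)) => {
        tls_builder.with_single_cert(certs, PrivateKey(key))?
    }
    _ => {
        error!(log, "private key file must contain a PEM-encoded private key");
        return Ok(());
    }
};

// … unchanged: SSLKEYLOGFILE warning …
// KeyLogFile::new() is a no-op unless SSLKEYLOGFILE is set (confirm against rustls docs).
tls_config.key_log = Arc::new(KeyLogFile::new());
```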