switch to rustls

2025-05-12 22:10:01 -04:00 · 2024-09-16 13:13:45 -07:00 · 2024-09-16 13:13:45 -07:00 · d6f1a8da43
commit d6f1a8da43
parent ee0ad89f3e
3 changed files with 41 additions and 172 deletions
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@ -25,6 +25,7 @@ log = { version = "0.4.22", features = ["serde", "std"] }
 nix = { version = "0.29.0", features = ["term"] }
 pty-process = { version = "0.4.0", features = ["async", "tokio"], optional = true }
 regex = "1.10.6"
+rustls-pemfile = "2.1.3"
 serde = { version = "1.0.208", features = ["derive"] }
 serde_json = { version = "1.0.125", optional = true }
 serde_yaml = { version = "0.9.34", optional = true }
@ -33,7 +34,7 @@ shell-words = { version = "1.1.0", optional = true }
 tikv-jemalloc-ctl = { version = "0.6.0", features = ["stats", "use_std"] }
 tikv-jemallocator = "0.6.0"
 tokio = { version = "1.39.3", features = ["full"] }
-tokio-native-tls = "0.3.1"
+tokio-rustls = { version = "0.26.0", features = ["ring", "tls12"], default-features = false }
 tokio-util = { version = "0.7.11", features = ["codec", "compat", "io-util", "net"] }
 toml = { version = "0.8.19", optional = true }
 uuid = { version = "1.10.0", features = ["v4"] }
--- a/server/src/listener.rs
+++ b/server/src/listener.rs
@ -1,15 +1,19 @@
-use std::{os::fd::AsFd, path::PathBuf, pin::Pin};
+use std::{
+	io::{BufReader, Cursor},
+	os::fd::AsFd,
+	path::PathBuf,
+	pin::Pin,
+	sync::Arc,
+};

 use anyhow::Context;
+use rustls_pemfile::{certs, private_key};
 use tokio::{
 	fs::{remove_file, try_exists, File},
 	io::{AsyncBufRead, AsyncRead, AsyncWrite, ReadHalf, WriteHalf},
 	net::{tcp, unix, TcpListener, TcpStream, UnixListener, UnixStream},
 };
-use tokio_native_tls::{
-	native_tls::{self, Identity},
-	TlsAcceptor, TlsStream,
-};
+use tokio_rustls::{rustls, server::TlsStream, TlsAcceptor};
 use uuid::Uuid;

 use crate::{config::SocketType, CONFIG};
@ -299,17 +303,31 @@ impl ServerListener {
 			.as_ref()
 			.context("no tls keypair provided")?;

-		let public = tokio::fs::read(&tls_keypair[0])
-			.await
-			.context("failed to read public key")?;
-		let private = tokio::fs::read(&tls_keypair[1])
-			.await
-			.context("failed to read private key")?;
+		let mut public = BufReader::new(Cursor::new(
+			tokio::fs::read(&tls_keypair[0])
+				.await
+				.context("failed to read public key")?,
+		));
+		let public = certs(&mut public)
+			.collect::<Result<Vec<_>, _>>()
+			.context("failed to parse public key")?;
+		let mut private = BufReader::new(Cursor::new(
+			tokio::fs::read(&tls_keypair[1])
+				.await
+				.context("failed to read private key")?,
+		));
+		let private = private_key(&mut private)
+			.context("failed to parse private key")?
+			.context("no private key found")?;

-		let identity =
-			Identity::from_pkcs8(&public, &private).context("failed to create tls identity")?;
+		let cfg = Arc::new(
+			rustls::ServerConfig::builder()
+				.with_no_client_auth()
+				.with_single_cert(public, private)
+				.context("failed to create server config")?,
+		);

-		Ok(TlsAcceptor::from(native_tls::TlsAcceptor::new(identity)?))
+		Ok(TlsAcceptor::from(cfg))
 	}

 	pub async fn new() -> anyhow::Result<Self> {