switch to rustls

2025-05-12 14:00:01 -04:00 · 2024-09-16 13:13:45 -07:00 · 2024-09-16 13:13:45 -07:00 · d6f1a8da43
commit d6f1a8da43
parent ee0ad89f3e
3 changed files with 41 additions and 172 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -435,22 +435,6 @@ version = "0.9.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"

-[[package]]
-name = "core-foundation"
-version = "0.9.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f"
-dependencies = [
- "core-foundation-sys",
- "libc",
-]
-
-[[package]]
-name = "core-foundation-sys"
-version = "0.8.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
-
 [[package]]
 name = "cpufeatures"
 version = "0.2.13"
@ -764,6 +748,7 @@ dependencies = [
 "nix",
 "pty-process",
 "regex",
+ "rustls-pemfile",
 "serde",
 "serde_json",
 "serde_yaml",
@ -772,7 +757,7 @@ dependencies = [
 "tikv-jemalloc-ctl",
 "tikv-jemallocator",
 "tokio",
- "tokio-native-tls",
+ "tokio-rustls",
 "tokio-util",
 "toml",
 "uuid",
@ -807,12 +792,6 @@ dependencies = [
 "pin-project-lite",
 ]

-[[package]]
-name = "fastrand"
-version = "2.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e8c02a5121d4ea3eb16a80748c74f5549a5665e4c21333c6098f283870fbdea6"
-
 [[package]]
 name = "fastwebsockets"
 version = "0.8.0"
@ -866,21 +845,6 @@ version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"

-[[package]]
-name = "foreign-types"
-version = "0.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
-dependencies = [
- "foreign-types-shared",
-]
-
-[[package]]
-name = "foreign-types-shared"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
-
 [[package]]
 name = "form_urlencoded"
 version = "1.2.1"
@ -1541,23 +1505,6 @@ dependencies = [
 "getrandom",
 ]

-[[package]]
-name = "native-tls"
-version = "0.2.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8614eb2c83d59d1c8cc974dd3f920198647674a0a035e1af1fa58707e317466"
-dependencies = [
- "libc",
- "log",
- "openssl",
- "openssl-probe",
- "openssl-sys",
- "schannel",
- "security-framework",
- "security-framework-sys",
- "tempfile",
-]
-
 [[package]]
 name = "nix"
 version = "0.29.0"
@ -1625,50 +1572,6 @@ version = "1.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"

-[[package]]
-name = "openssl"
-version = "0.10.66"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1"
-dependencies = [
- "bitflags",
- "cfg-if",
- "foreign-types",
- "libc",
- "once_cell",
- "openssl-macros",
- "openssl-sys",
-]
-
-[[package]]
-name = "openssl-macros"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
-[[package]]
-name = "openssl-probe"
-version = "0.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
-
-[[package]]
-name = "openssl-sys"
-version = "0.9.103"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f9e8deee91df40a943c71b917e5874b951d32a802526c85721ce3b776c929d6"
-dependencies = [
- "cc",
- "libc",
- "pkg-config",
- "vcpkg",
-]
-
 [[package]]
 name = "parking"
 version = "2.2.0"
@ -2064,44 +1967,12 @@ version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f"

-[[package]]
-name = "schannel"
-version = "0.1.24"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e9aaafd5a2b6e3d657ff009d82fbd630b6bd54dd4eb06f21693925cdf80f9b8b"
-dependencies = [
- "windows-sys 0.59.0",
-]
-
 [[package]]
 name = "scopeguard"
 version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"

-[[package]]
-name = "security-framework"
-version = "2.11.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
-dependencies = [
- "bitflags",
- "core-foundation",
- "core-foundation-sys",
- "libc",
- "security-framework-sys",
-]
-
-[[package]]
-name = "security-framework-sys"
-version = "2.11.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75da29fe9b9b08fe9d6b22b5b4bcbc75d8db3aa31e639aa56bb62e9d46bfceaf"
-dependencies = [
- "core-foundation-sys",
- "libc",
-]
-
 [[package]]
 name = "semver"
 version = "1.0.23"
@ -2347,19 +2218,6 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a7065abeca94b6a8a577f9bd45aa0867a2238b74e8eb67cf10d492bc39351394"

-[[package]]
-name = "tempfile"
-version = "3.12.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "04cbcdd0c794ebb0d4cf35e88edd2f7d2c4c3e9a5a6dab322839b321c6a87a64"
-dependencies = [
- "cfg-if",
- "fastrand",
- "once_cell",
- "rustix",
- "windows-sys 0.59.0",
-]
-
 [[package]]
 name = "thiserror"
 version = "1.0.63"
@ -2500,12 +2358,13 @@ dependencies = [
 ]

 [[package]]
-name = "tokio-native-tls"
-version = "0.3.1"
+name = "tokio-rustls"
+version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
+checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4"
 dependencies = [
- "native-tls",
+ "rustls",
+ "rustls-pki-types",
 "tokio",
 ]

@ -2996,15 +2855,6 @@ dependencies = [
 "windows-targets 0.52.6",
 ]

-[[package]]
-name = "windows-sys"
-version = "0.59.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
-dependencies = [
- "windows-targets 0.52.6",
-]
-
 [[package]]
 name = "windows-targets"
 version = "0.48.5"
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@ -25,6 +25,7 @@ log = { version = "0.4.22", features = ["serde", "std"] }
 nix = { version = "0.29.0", features = ["term"] }
 pty-process = { version = "0.4.0", features = ["async", "tokio"], optional = true }
 regex = "1.10.6"
+rustls-pemfile = "2.1.3"
 serde = { version = "1.0.208", features = ["derive"] }
 serde_json = { version = "1.0.125", optional = true }
 serde_yaml = { version = "0.9.34", optional = true }
@ -33,7 +34,7 @@ shell-words = { version = "1.1.0", optional = true }
 tikv-jemalloc-ctl = { version = "0.6.0", features = ["stats", "use_std"] }
 tikv-jemallocator = "0.6.0"
 tokio = { version = "1.39.3", features = ["full"] }
-tokio-native-tls = "0.3.1"
+tokio-rustls = { version = "0.26.0", features = ["ring", "tls12"], default-features = false }
 tokio-util = { version = "0.7.11", features = ["codec", "compat", "io-util", "net"] }
 toml = { version = "0.8.19", optional = true }
 uuid = { version = "1.10.0", features = ["v4"] }
--- a/server/src/listener.rs
+++ b/server/src/listener.rs
@ -1,15 +1,19 @@
-use std::{os::fd::AsFd, path::PathBuf, pin::Pin};
+use std::{
+	io::{BufReader, Cursor},
+	os::fd::AsFd,
+	path::PathBuf,
+	pin::Pin,
+	sync::Arc,
+};

 use anyhow::Context;
+use rustls_pemfile::{certs, private_key};
 use tokio::{
 	fs::{remove_file, try_exists, File},
 	io::{AsyncBufRead, AsyncRead, AsyncWrite, ReadHalf, WriteHalf},
 	net::{tcp, unix, TcpListener, TcpStream, UnixListener, UnixStream},
 };
-use tokio_native_tls::{
-	native_tls::{self, Identity},
-	TlsAcceptor, TlsStream,
-};
+use tokio_rustls::{rustls, server::TlsStream, TlsAcceptor};
 use uuid::Uuid;

 use crate::{config::SocketType, CONFIG};
@ -299,17 +303,31 @@ impl ServerListener {
 			.as_ref()
 			.context("no tls keypair provided")?;

-		let public = tokio::fs::read(&tls_keypair[0])
+		let mut public = BufReader::new(Cursor::new(
+			tokio::fs::read(&tls_keypair[0])
 				.await
-			.context("failed to read public key")?;
-		let private = tokio::fs::read(&tls_keypair[1])
+				.context("failed to read public key")?,
+		));
+		let public = certs(&mut public)
+			.collect::<Result<Vec<_>, _>>()
+			.context("failed to parse public key")?;
+		let mut private = BufReader::new(Cursor::new(
+			tokio::fs::read(&tls_keypair[1])
 				.await
-			.context("failed to read private key")?;
+				.context("failed to read private key")?,
+		));
+		let private = private_key(&mut private)
+			.context("failed to parse private key")?
+			.context("no private key found")?;

-		let identity =
-			Identity::from_pkcs8(&public, &private).context("failed to create tls identity")?;
+		let cfg = Arc::new(
+			rustls::ServerConfig::builder()
+				.with_no_client_auth()
+				.with_single_cert(public, private)
+				.context("failed to create server config")?,
+		);

-		Ok(TlsAcceptor::from(native_tls::TlsAcceptor::new(identity)?))
+		Ok(TlsAcceptor::from(cfg))
 	}

 	pub async fn new() -> anyhow::Result<Self> {