Port link-tls to tokio and bump workspace rustls to 0.22.2
YuanYuYuan committed Jan 10, 2024
1 parent bdbac9d commit fb208f6
Showing 8 changed files with 240 additions and 261 deletions.
5 changes: 3 additions & 2 deletions Cargo.toml
Expand Up @@ -76,7 +76,6 @@ anyhow = { version = "1.0.69", default-features = false } # Default features are
async-executor = "1.5.0"
async-global-executor = "2.3.1"
async-io = "=1.13.0"
async-rustls = "0.4.0"
async-std = { version = "=1.12.0", default-features = false } # Default features are disabled due to some crates' requirements
async-trait = "0.1.60"
base64 = "0.21.4"
Expand Down Expand Up @@ -126,10 +125,11 @@ regex = "1.7.1"
ringbuffer-spsc = "0.1.9"
rsa = "0.9"
rustc_version = "0.4.0"
rustls = { version = "0.21.5", features = ["dangerous_configuration"] }
rustls = "0.22.2"
rustls-native-certs = "0.7.0"
rustls-pemfile = "2.0.0"
rustls-webpki = "0.102.0"
rustls-pki-types = "1.1.0"
schemars = "0.8.12"
secrecy = { version = "0.8.0", features = ["serde", "alloc"] }
serde = { version = "1.0.154", default-features = false, features = [
Expand All @@ -148,6 +148,7 @@ token-cell = { version = "1.4.2", default-features = false }
tokio = { version = "1.32.0", default-features = false } # Default features are disabled due to some crates' requirements
tokio-util = "0.7.10"
tokio-tungstenite = "0.20"
tokio-rustls = "0.25.0"
console-subscriber = "0.2"
typenum = "1.16.0"
uhlc = { version = "0.6.0", default-features = false } # Default features are disabled due to usage in no_std crates
3 changes: 2 additions & 1 deletion io/zenoh-link-commons/Cargo.toml
Expand Up @@ -28,8 +28,9 @@ description = "Internal crate for zenoh."
compression = []

[dependencies]
async-std = { workspace = true }
async-trait = { workspace = true }
rustls = { workspace = true }
rustls-webpki = { workspace = true }
flume = { workspace = true }
lz4_flex = { workspace = true }
serde = { workspace = true, features = ["default"] }
1 change: 1 addition & 0 deletions io/zenoh-link-commons/src/lib.rs
Expand Up @@ -21,6 +21,7 @@
extern crate alloc;

mod multicast;
pub mod tls;
mod unicast;

use alloc::{borrow::ToOwned, boxed::Box, string::String};
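--- a/io/zenoh-link-commons/src/tls.rs
+++ b/io/zenoh-link-commons/src/tls.rs
@@ -0,0 +1,87 @@
+use alloc::vec::Vec;
+use rustls::{
+client::{
+danger::{ServerCertVerified, ServerCertVerifier},
+verify_server_cert_signed_by_trust_anchor,
+},
+crypto::{verify_tls12_signature, verify_tls13_signature},
+pki_types::{CertificateDer, ServerName, UnixTime},
+server::ParsedCertificate,
+RootCertStore,
+};
+use webpki::ALL_VERIFICATION_ALGS;
+
+impl ServerCertVerifier for WebPkiVerifierAnyServerName {
+/// Will verify the certificate is valid in the following ways:
+/// - Signed by a trusted `RootCertStore` CA
+/// - Not Expired
+fn verify_server_cert(
+&self,
+end_entity: &CertificateDer<'_>,
+intermediates: &[CertificateDer<'_>],
+_server_name: &ServerName<'_>,
+_ocsp_response: &[u8],
+now: UnixTime,
+) -> Result<ServerCertVerified, rustls::Error> {
+let cert = ParsedCertificate::try_from(end_entity)?;
+verify_server_cert_signed_by_trust_anchor(
+&cert,
+&self.roots,
+intermediates,
+now,
+ALL_VERIFICATION_ALGS,
+)?;
+Ok(ServerCertVerified::assertion())
+}
+
+fn verify_tls12_signature(
+&self,
+message: &[u8],
+cert: &CertificateDer<'_>,
+dss: &rustls::DigitallySignedStruct,
+) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+verify_tls12_signature(
+message,
+cert,
+dss,
+&rustls::crypto::ring::default_provider().signature_verification_algorithms,
+)
+}
+
+fn verify_tls13_signature(
+&self,
+message: &[u8],
+cert: &CertificateDer<'_>,
+dss: &rustls::DigitallySignedStruct,
+) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+verify_tls13_signature(
+message,
+cert,
+dss,
+&rustls::crypto::ring::default_provider().signature_verification_algorithms,
+)
+}
+
+fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+rustls::crypto::ring::default_provider()
+.signature_verification_algorithms
+.supported_schemes()
+}
+}
+
+/// `ServerCertVerifier` that verifies that the server is signed by a trusted root, but allows any serverName
+/// see the trait impl for more information.
+#[derive(Debug)]
+pub struct WebPkiVerifierAnyServerName {
+roots: RootCertStore,
+}
+
+#[allow(unreachable_pub)]
+impl WebPkiVerifierAnyServerName {
+/// Constructs a new `WebPkiVerifierAnyServerName`.
+///
+/// `roots` is the set of trust anchors to trust for issuing server certs.
+pub fn new(roots: RootCertStore) -> Self {
+Self { roots }
+}
+}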
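Review bot: The doc comment on `verify_server_cert` lists what the verifier checks but not what it deliberately skips: `_server_name` and `_ocsp_response` are unused, so the chain is accepted for any host name and no OCSP or CRL revocation status is consulted. Add that to the list, e.g. `/// - NOT matched against the requested server name (any host name is accepted)` and `/// - NOT checked for revocation (the OCSP response is ignored)`, so that this verifier is only wired in when server-name verification is intentionally disabled by configuration. Chain validation passes `webpki::ALL_VERIFICATION_ALGS` while the two handshake-signature methods use the ring provider's `signature_verification_algorithms`; the two algorithm lists can differ, and `rustls::crypto::ring::default_provider().signature_verification_algorithms.all` is presumably the consistent choice for the trust-anchor check as well. `default_provider()` is also rebuilt on every call of the three signature methods; capturing the provider's `signature_verification_algorithms` once in `new` and storing it next to `roots` would avoid that and keep all four methods on the same list.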
13 changes: 8 additions & 5 deletions io/zenoh-links/zenoh-link-tls/Cargo.toml
Expand Up @@ -25,21 +25,24 @@ description = "Internal crate for zenoh."
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
async-rustls = { workspace = true }
rustls = { workspace = true }
async-std = { workspace = true }
async-trait = { workspace = true }
base64 = { workspace = true }
futures = { workspace = true }
log = { workspace = true }
rustls = { workspace = true }
rustls-pemfile = { workspace = true }
rustls-pki-types = { workspace = true }
rustls-webpki = { workspace = true }
secrecy = {workspace = true }
tokio = { workspace = true, features = ["io-util", "net", "fs", "sync"] }
tokio-rustls = { workspace = true }
tokio-util = { workspace = true, features = ["rt"] }
webpki-roots = { workspace = true }
zenoh-config = { workspace = true }
zenoh-core = { workspace = true }
zenoh-link-commons = { workspace = true }
zenoh-protocol = { workspace = true }
zenoh-result = { workspace = true }
zenoh-runtime = { workspace = true }
zenoh-sync = { workspace = true }
zenoh-util = { workspace = true }
base64 = { workspace = true }
secrecy = {workspace = true }
8 changes: 3 additions & 5 deletions io/zenoh-links/zenoh-link-tls/src/lib.rs
Expand Up @@ -17,15 +17,14 @@
//! This crate is intended for Zenoh's internal use.
//!
//! [Click here for Zenoh's documentation](../zenoh/index.html)
use async_rustls::rustls::ServerName;
use async_std::net::ToSocketAddrs;
use async_trait::async_trait;
use config::{
TLS_CLIENT_AUTH, TLS_CLIENT_CERTIFICATE_BASE64, TLS_CLIENT_CERTIFICATE_FILE,
TLS_CLIENT_PRIVATE_KEY_BASE64, TLS_CLIENT_PRIVATE_KEY_FILE, TLS_ROOT_CA_CERTIFICATE_BASE64,
TLS_ROOT_CA_CERTIFICATE_FILE, TLS_SERVER_CERTIFICATE_BASE64, TLS_SERVER_CERTIFICATE_FILE,
TLS_SERVER_NAME_VERIFICATION, TLS_SERVER_PRIVATE_KEY_BASE_64, TLS_SERVER_PRIVATE_KEY_FILE,
};
use rustls_pki_types::ServerName;
use secrecy::ExposeSecret;
use std::{convert::TryFrom, net::SocketAddr};
use zenoh_config::Config;
Expand All @@ -38,7 +37,6 @@ use zenoh_protocol::core::{
use zenoh_result::{bail, zerror, ZResult};

mod unicast;
mod verify;
pub use unicast::*;

// Default MTU (TLS PDU) in bytes.
Expand Down Expand Up @@ -212,7 +210,7 @@ pub mod config {
}

pub async fn get_tls_addr(address: &Address<'_>) -> ZResult<SocketAddr> {
match address.as_str().to_socket_addrs().await?.next() {
match tokio::net::lookup_host(address.as_str()).await?.next() {
Some(addr) => Ok(addr),
None => bail!("Couldn't resolve TLS locator address: {}", address),
}
Expand All @@ -226,7 +224,7 @@ pub fn get_tls_host<'a>(address: &'a Address<'a>) -> ZResult<&'a str> {
.ok_or_else(|| zerror!("Invalid TLS address").into())
}

pub fn get_tls_server_name(address: &Address<'_>) -> ZResult<ServerName> {
pub fn get_tls_server_name<'a>(address: &'a Address<'a>) -> ZResult<ServerName<'a>> {
Ok(ServerName::try_from(get_tls_host(address)?).map_err(|e| zerror!(e))?)
}

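Review bot: `get_tls_server_name` now returns a `ServerName<'a>` that borrows from `address`, but nothing documents the borrow; the tokio-rustls connector presumably wants an owned `ServerName<'static>`, so callers will have to call `.to_owned()` at the call site. A one-line doc comment would make that explicit, e.g. `/// Parses the host part of `address` into a TLS `ServerName` that borrows from `address`; call `.to_owned()` where a `'static` name is required.`. The body `Ok(ServerName::try_from(get_tls_host(address)?).map_err(|e| zerror!(e))?)` still wraps a `?` in `Ok(...)` (clippy `needless_question_mark`); `ServerName::try_from(get_tls_host(address)?).map_err(|e| zerror!(e).into())` says the same thing without the detour.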