2020-09-03 05:41:31 +00:00
|
|
|
use std::io;
|
2019-09-14 15:10:00 +00:00
|
|
|
use std::future::Future;
|
|
|
|
|
use std::net::SocketAddr;
|
|
|
|
|
use std::pin::Pin;
|
|
|
|
|
use std::sync::Arc;
|
|
|
|
|
use std::task::{Context, Poll};
|
|
|
|
|
|
2020-09-03 05:41:31 +00:00
|
|
|
use rustls::internal::pemfile;
|
|
|
|
|
use rustls::{Certificate, PrivateKey, ServerConfig};
|
2019-12-11 00:34:23 +00:00
|
|
|
use tokio::net::{TcpListener, TcpStream};
|
2020-09-03 05:41:31 +00:00
|
|
|
use tokio_rustls::{TlsAcceptor, Accept, server::TlsStream};
|
2019-09-14 15:10:00 +00:00
|
|
|
use tokio_rustls::rustls;
|
2019-06-30 16:45:17 +00:00
|
|
|
|
2019-09-14 15:10:00 +00:00
|
|
|
use crate::listener::{Connection, Listener};
|
|
|
|
|
|
2020-09-03 05:41:31 +00:00
|
|
|
fn load_certs(reader: &mut dyn io::BufRead) -> io::Result<Vec<Certificate>> {
|
|
|
|
|
pemfile::certs(reader)
|
|
|
|
|
.map_err(|_| io::Error::new(io::ErrorKind::Other, "invalid certificate"))
|
2019-09-14 15:10:00 +00:00
|
|
|
}
|
|
|
|
|
|
2020-09-03 05:41:31 +00:00
|
|
|
fn load_private_key(reader: &mut dyn io::BufRead) -> io::Result<PrivateKey> {
|
|
|
|
|
use std::io::{Cursor, Error, Read, ErrorKind::Other};
|
2019-09-14 15:10:00 +00:00
|
|
|
|
|
|
|
|
// "rsa" (PKCS1) PEM files have a different first-line header than PKCS8
|
|
|
|
|
// PEM files, use that to determine the parse function to use.
|
|
|
|
|
let mut first_line = String::new();
|
2020-09-03 05:41:31 +00:00
|
|
|
reader.read_line(&mut first_line)?;
|
2019-09-14 15:10:00 +00:00
|
|
|
|
|
|
|
|
let private_keys_fn = match first_line.trim_end() {
|
|
|
|
|
"-----BEGIN RSA PRIVATE KEY-----" => pemfile::rsa_private_keys,
|
|
|
|
|
"-----BEGIN PRIVATE KEY-----" => pemfile::pkcs8_private_keys,
|
2020-09-03 05:41:31 +00:00
|
|
|
_ => return Err(Error::new(Other, "invalid key header"))
|
2019-09-14 15:10:00 +00:00
|
|
|
};
|
|
|
|
|
|
2020-09-03 05:41:31 +00:00
|
|
|
let key = private_keys_fn(&mut Cursor::new(first_line).chain(reader))
|
|
|
|
|
.map_err(|_| Error::new(Other, "invalid key file"))
|
2019-09-14 15:10:00 +00:00
|
|
|
.and_then(|mut keys| match keys.len() {
|
2020-09-03 05:41:31 +00:00
|
|
|
0 => Err(Error::new(Other, "no valid keys found; is the file malformed?")),
|
2019-09-14 15:10:00 +00:00
|
|
|
1 => Ok(keys.remove(0)),
|
2020-09-03 05:41:31 +00:00
|
|
|
n => Err(Error::new(Other, format!("expected 1 key, found {}", n))),
|
2019-09-14 15:10:00 +00:00
|
|
|
})?;
|
|
|
|
|
|
|
|
|
|
// Ensure we can use the key.
|
2020-09-03 05:41:31 +00:00
|
|
|
rustls::sign::RSASigningKey::new(&key)
|
|
|
|
|
.map_err(|_| Error::new(Other, "key parsed but is unusable"))
|
|
|
|
|
.map(|_| key)
|
2019-09-14 15:10:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub struct TlsListener {
|
|
|
|
|
listener: TcpListener,
|
|
|
|
|
acceptor: TlsAcceptor,
|
|
|
|
|
state: TlsListenerState,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
enum TlsListenerState {
|
|
|
|
|
Listening,
|
2020-09-03 05:41:31 +00:00
|
|
|
Accepting(Accept<TcpStream>),
|
2019-09-14 15:10:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Listener for TlsListener {
|
|
|
|
|
type Connection = TlsStream<TcpStream>;
|
|
|
|
|
|
|
|
|
|
fn local_addr(&self) -> Option<SocketAddr> {
|
|
|
|
|
self.listener.local_addr().ok()
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-03 05:41:31 +00:00
|
|
|
fn poll_accept(&mut self, cx: &mut Context<'_>) -> Poll<io::Result<Self::Connection>> {
|
2019-09-14 15:10:00 +00:00
|
|
|
loop {
|
2020-09-03 05:41:31 +00:00
|
|
|
match self.state {
|
2019-09-14 15:10:00 +00:00
|
|
|
TlsListenerState::Listening => {
|
|
|
|
|
match self.listener.poll_accept(cx) {
|
|
|
|
|
Poll::Pending => return Poll::Pending,
|
2020-09-03 05:41:31 +00:00
|
|
|
Poll::Ready(Err(e)) => return Poll::Ready(Err(e)),
|
2019-12-11 00:34:23 +00:00
|
|
|
Poll::Ready(Ok((stream, _addr))) => {
|
2020-09-03 05:41:31 +00:00
|
|
|
let fut = self.acceptor.accept(stream);
|
|
|
|
|
self.state = TlsListenerState::Accepting(fut);
|
2019-09-14 15:10:00 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-09-03 05:41:31 +00:00
|
|
|
TlsListenerState::Accepting(ref mut fut) => {
|
|
|
|
|
match Pin::new(fut).poll(cx) {
|
2019-09-14 15:10:00 +00:00
|
|
|
Poll::Pending => return Poll::Pending,
|
|
|
|
|
Poll::Ready(result) => {
|
|
|
|
|
self.state = TlsListenerState::Listening;
|
|
|
|
|
return Poll::Ready(result);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-03 05:41:31 +00:00
|
|
|
pub async fn bind_tls<C: io::BufRead + Send, K: io::BufRead + Send>(
|
2020-07-09 05:05:54 +00:00
|
|
|
address: SocketAddr,
|
2020-09-03 05:41:31 +00:00
|
|
|
mut cert_chain: C,
|
|
|
|
|
mut private_key: K,
|
2020-07-09 05:05:54 +00:00
|
|
|
) -> io::Result<TlsListener> {
|
2020-09-03 05:41:31 +00:00
|
|
|
let cert_chain = load_certs(&mut cert_chain).map_err(|e| {
|
|
|
|
|
let msg = format!("malformed TLS certificate chain: {}", e);
|
|
|
|
|
io::Error::new(e.kind(), msg)
|
|
|
|
|
})?;
|
|
|
|
|
|
|
|
|
|
let key = load_private_key(&mut private_key).map_err(|e| {
|
|
|
|
|
let msg = format!("malformed TLS private key: {}", e);
|
|
|
|
|
io::Error::new(e.kind(), msg)
|
|
|
|
|
})?;
|
|
|
|
|
|
2020-07-09 05:05:54 +00:00
|
|
|
let listener = TcpListener::bind(address).await?;
|
|
|
|
|
|
|
|
|
|
let client_auth = rustls::NoClientAuth::new();
|
|
|
|
|
let mut tls_config = ServerConfig::new(client_auth);
|
|
|
|
|
let cache = rustls::ServerSessionMemoryCache::new(1024);
|
|
|
|
|
tls_config.set_persistence(cache);
|
|
|
|
|
tls_config.ticketer = rustls::Ticketer::new();
|
|
|
|
|
tls_config.set_single_cert(cert_chain, key).expect("invalid key");
|
|
|
|
|
|
|
|
|
|
let acceptor = TlsAcceptor::from(Arc::new(tls_config));
|
|
|
|
|
let state = TlsListenerState::Listening;
|
|
|
|
|
|
|
|
|
|
Ok(TlsListener { listener, acceptor, state })
|
2019-09-14 15:10:00 +00:00
|
|
|
}
|
2019-06-30 16:45:17 +00:00
|
|
|
|
2019-09-14 15:10:00 +00:00
|
|
|
impl Connection for TlsStream<TcpStream> {
|
|
|
|
|
fn remote_addr(&self) -> Option<SocketAddr> {
|
|
|
|
|
self.get_ref().0.remote_addr()
|
|
|
|
|
}
|
|
|
|
|
}
|
