Painful update of rustls

This commit is contained in:
Frank Denis 2021-10-29 20:13:47 +02:00
parent e6fe51647d
commit 46be8b9662
2 changed files with 36 additions and 27 deletions


@ -15,18 +15,19 @@ default = ["tls"]
tls = ["tokio-rustls"] tls = ["tokio-rustls"]
[dependencies] [dependencies]
anyhow = "1.0.43" anyhow = "1.0.44"
arc-swap = "1.3.2" arc-swap = "1.4.0"
base64 = "0.13.0" base64 = "0.13.0"
byteorder = "1.4.3" byteorder = "1.4.3"
bytes = "1.1.0" bytes = "1.1.0"
futures = "0.3.17" futures = "0.3.17"
hpke = "0.5.1" hpke = "0.5.1"
hyper = { version = "0.14.12", default-features = false, features = ["server", "http1", "http2", "stream"] } hyper = { version = "0.14.14", default-features = false, features = ["server", "http1", "http2", "stream"] }
odoh-rs = "1.0.0-alpha.1" odoh-rs = "1.0.0-alpha.1"
rand = "0.8.4" rand = "0.8.4"
tokio = { version = "1.11.0", features = ["net", "rt-multi-thread", "parking_lot", "time", "sync"] } tokio = { version = "1.13.0", features = ["net", "rt-multi-thread", "parking_lot", "time", "sync"] }
tokio-rustls = { version = "0.22.0", features = ["early-data"], optional = true } tokio-rustls = { version = "0.23.0", features = ["early-data"], optional = true }
rustls-pemfile = "0.2.1"
[profile.release] [profile.release]
codegen-units = 1 codegen-units = 1
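Review bot: The new `rustls-pemfile = "0.2.1"` line is an unconditional dependency, while the only code that uses it sits next to `tokio-rustls`, which this same section keeps `optional = true` behind the `tls` feature; a build with `default-features = false` now pulls and compiles a PEM parser it never calls. Making it optional and gating it alongside tokio-rustls keeps the feature boundary consistent: `rustls-pemfile = { version = "0.2.1", optional = true }` and `tls = ["tokio-rustls", "rustls-pemfile"]`. Whether the source file is itself behind `#[cfg(feature = "tls")]` is not visible in this diff, so confirm that before changing the feature list.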


@ -14,7 +14,7 @@ use tokio::{
sync::mpsc::{self, Receiver}, sync::mpsc::{self, Receiver},
}; };
use tokio_rustls::{ use tokio_rustls::{
rustls::{internal::pemfile, NoClientAuth, ServerConfig}, rustls::{Certificate, PrivateKey, ServerConfig},
TlsAcceptor, TlsAcceptor,
}; };
@ -23,7 +23,7 @@ where
P: AsRef<Path>, P: AsRef<Path>,
P2: AsRef<Path>, P2: AsRef<Path>,
{ {
let certs = { let certs: Vec<_> = {
let certs_path_str = certs_path.as_ref().display().to_string(); let certs_path_str = certs_path.as_ref().display().to_string();
let mut reader = BufReader::new(File::open(certs_path).map_err(|e| { let mut reader = BufReader::new(File::open(certs_path).map_err(|e| {
io::Error::new( io::Error::new(
@ -31,18 +31,21 @@ where
format!( format!(
"Unable to load the certificates [{}]: {}", "Unable to load the certificates [{}]: {}",
certs_path_str, certs_path_str,
e.to_string() e
), ),
) )
})?); })?);
pemfile::certs(&mut reader).map_err(|_| { rustls_pemfile::certs(&mut reader).map_err(|_| {
io::Error::new( io::Error::new(
io::ErrorKind::InvalidInput, io::ErrorKind::InvalidInput,
"Unable to parse the certificates", "Unable to parse the certificates",
) )
})? })?
}; }
let certs_keys = { .drain(..)
.map(Certificate)
.collect();
let certs_keys: Vec<_> = {
let certs_keys_path_str = certs_keys_path.as_ref().display().to_string(); let certs_keys_path_str = certs_keys_path.as_ref().display().to_string();
let encoded_keys = { let encoded_keys = {
let mut encoded_keys = vec![]; let mut encoded_keys = vec![];
@ -53,7 +56,7 @@ where
format!( format!(
"Unable to load the certificate keys [{}]: {}", "Unable to load the certificate keys [{}]: {}",
certs_keys_path_str, certs_keys_path_str,
e.to_string() e
), ),
) )
})? })?
@ -61,14 +64,14 @@ where
encoded_keys encoded_keys
}; };
let mut reader = Cursor::new(encoded_keys); let mut reader = Cursor::new(encoded_keys);
let pkcs8_keys = pemfile::pkcs8_private_keys(&mut reader).map_err(|_| { let pkcs8_keys = rustls_pemfile::pkcs8_private_keys(&mut reader).map_err(|_| {
io::Error::new( io::Error::new(
io::ErrorKind::InvalidInput, io::ErrorKind::InvalidInput,
"Unable to parse the certificates private keys (PKCS8)", "Unable to parse the certificates private keys (PKCS8)",
) )
})?; })?;
reader.set_position(0); reader.set_position(0);
let mut rsa_keys = pemfile::rsa_private_keys(&mut reader).map_err(|_| { let mut rsa_keys = rustls_pemfile::rsa_private_keys(&mut reader).map_err(|_| {
io::Error::new( io::Error::new(
io::ErrorKind::InvalidInput, io::ErrorKind::InvalidInput,
"Unable to parse the certificates private keys (RSA)", "Unable to parse the certificates private keys (RSA)",
@ -82,21 +85,26 @@ where
"No private keys found - Make sure that they are in PKCS#8/PEM format", "No private keys found - Make sure that they are in PKCS#8/PEM format",
)); ));
} }
keys keys.drain(..).map(PrivateKey).collect()
}; };
let mut server_config = ServerConfig::new(NoClientAuth::new());
server_config.set_protocols(&[b"h2".to_vec(), b"http/1.1".to_vec()]); let mut server_config = None;
let has_valid_cert_and_key = certs_keys.into_iter().any(|certs_key| { for certs_key in certs_keys {
server_config let server_config_builder = ServerConfig::builder()
.set_single_cert(certs.clone(), certs_key) .with_safe_defaults()
.is_ok() .with_no_client_auth();
}); if let Ok(found_config) = server_config_builder.with_single_cert(certs.clone(), certs_key) {
if !has_valid_cert_and_key { server_config = Some(found_config);
return Err(io::Error::new( break;
io::ErrorKind::InvalidInput,
"Invalid private key for the given certificate",
));
} }
}
let mut server_config = server_config.ok_or_else(|| {
io::Error::new(
io::ErrorKind::InvalidInput,
"Unable to find a valid certificate and key",
)
})?;
server_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
Ok(TlsAcceptor::from(Arc::new(server_config))) Ok(TlsAcceptor::from(Arc::new(server_config)))
} }
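Review bot: The `if let Ok(found_config)` around `with_single_cert` in the last hunk discards the rustls error for every key that fails to pair with the chain, so when none matches the operator only sees "Unable to find a valid certificate and key" with no indication whether the key was the wrong algorithm, malformed, or simply belongs to a different certificate. Keeping the last error and appending it to the message in `ok_or_else` makes a TLS startup failure diagnosable from the log alone; the earlier "No private keys found" check guarantees the loop runs at least once, so the error is present whenever that branch is reached. Separately, `.drain(..).map(Certificate).collect()` and `keys.drain(..).map(PrivateKey).collect()` operate on vectors that are never reused, where `into_iter()` is the idiomatic form. The enclosing function starts before the first hunk of this file.
```rust
let mut server_config = None;
let mut last_err = None;
for certs_key in certs_keys {
    let server_config_builder = ServerConfig::builder()
        .with_safe_defaults()
        .with_no_client_auth();
    match server_config_builder.with_single_cert(certs.clone(), certs_key) {
        Ok(found_config) => {
            server_config = Some(found_config);
            break;
        }
        // Remember why this key was rejected so the final error is actionable.
        Err(e) => last_err = Some(e),
    }
}
let mut server_config = server_config.ok_or_else(|| {
    io::Error::new(
        io::ErrorKind::InvalidInput,
        match last_err {
            Some(e) => format!("Unable to find a valid certificate and key: {}", e),
            None => "Unable to find a valid certificate and key".to_string(),
        },
    )
})?;
// … unchanged: alpn_protocols assignment and TlsAcceptor construction …
```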