
tls: revisit cargo features

This commit adjusts the features in Cargo.toml to allow building
without openssl on unix systems.

It teaches the native_tls flavor of the code to perform bootstrapping
via ssh, but that flavor is still not usable because there is still
no way to get native_tls to load PEM files.
This commit is contained in:
Wez Furlong 2020-02-02 08:50:17 -08:00
parent 9b02089849
commit 274d22edda
6 changed files with 62 additions and 19 deletions


@ -42,6 +42,7 @@ open = "1.2"
metrics = { version="0.12", features=["std"]}
hdrhistogram = "6.3"
native-tls = "0.2"
openssl = {version="0.10", optional=true}
# file change notification
notify = "4.0"
palette = "0.5"
@ -98,15 +99,17 @@ winrt-notification = "0.2"
[target.'cfg(any(target_os = "android", all(unix, not(target_os = "macos"))))'.dependencies]
fontconfig = { path = "deps/fontconfig" }
[target.'cfg(all(unix, not(target_os = "macos")))'.dependencies]
openssl = "0.10"
[target.'cfg(target_os = "macos")'.dependencies]
openssl = { version = "0.10", features = ["vendored"] }
core-foundation = "0.7"
core-graphics = "0.19"
core-text = "15.0"
[features]
default = ["enable_openssl", "vendor_openssl"]
enable_openssl = ["openssl"]
# FIXME: find a way to magically enable vendor_openssl only on macOS!
vendor_openssl = ["openssl/vendored"]
[workspace]
[profile.release]
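Review bot: `default = ["enable_openssl", "vendor_openssl"]` on L40 turns on `openssl/vendored` for every platform, so a plain `cargo build` on Linux statically links the OpenSSL copy bundled by the `openssl-src` crate instead of the distro's shared library, and OpenSSL security fixes then reach wezterm only when that crate is bumped and the binary rebuilt. The previous layout (the target tables at L32–L35, which appear to be the removed side) vendored only on macOS; if that is still the intent, make the default `default = ["enable_openssl"]` and have the macOS build pass `--features vendor_openssl`, or at least record the trade-off next to the FIXME: `# vendor_openssl pins OpenSSL to the openssl-src release; distro/package builds should disable it so system security updates apply.` Which openssl lines survive this hunk is inferred from the rendered page, not certain.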


@ -448,7 +448,7 @@ impl Reconnectable {
Ok(())
}
#[cfg(any(feature = "openssl", unix))]
#[cfg(feature = "enable_openssl")]
pub fn tls_connect(
&mut self,
tls_client: TlsDomainClient,
@ -591,7 +591,7 @@ impl Reconnectable {
Ok(())
}
#[cfg(not(any(feature = "openssl", unix)))]
#[cfg(not(feature = "enable_openssl"))]
pub fn tls_connect(
&mut self,
tls_client: TlsDomainClient,
@ -611,13 +611,49 @@ impl Reconnectable {
)
})?;
if let Some(Ok(ssh_params)) = tls_client.ssh_parameters() {
if self.tls_creds.is_none() {
// We need to bootstrap via an ssh session
let sess =
ssh_connect_with_ui(&ssh_params.host_and_port, &ssh_params.username, ui)?;
let mut chan = sess.channel_session()?;
// The `tlscreds` command will start the server if needed and then
// obtain client credentials that we can use for tls.
let cmd = format!("{} cli tlscreds", Self::wezterm_bin_path());
ui.output_str(&format!("Running: {}\n", cmd));
chan.exec(&cmd)?;
let creds = match Pdu::decode(chan)?.pdu {
Pdu::GetTlsCredsResponse(creds) => creds,
_ => bail!("unexpected response to tlscreds"),
};
// Save the credentials to disk, as that is currently the easiest
// way to get them into the tls impl. Ideally we'd keep these entirely
// in memory.
std::fs::write(&self.tls_creds_ca_path()?, creds.ca_cert_pem.as_bytes())?;
std::fs::write(
&self.tls_creds_cert_path()?,
creds.client_cert_pem.as_bytes(),
)?;
self.tls_creds.replace(creds);
}
}
let cert_file = match tls_client.pem_cert.clone() {
Some(cert) => cert,
None if self.tls_creds.is_some() => self.tls_creds_cert_path()?,
None => bail!("no pem_cert configured"),
};
let key_file = match tls_client.pem_private_key.clone() {
Some(key) => key,
None if self.tls_creds.is_some() => self.tls_creds_cert_path()?,
None => bail!("no pem_private_key configured"),
};
let identity = IdentitySource::PemFiles {
key: tls_client
.pem_private_key
.as_ref()
.ok_or_else(|| anyhow!("missing pem_private_key config value"))?
.into(),
cert: tls_client.pem_cert.clone(),
key: key_file.into(),
cert: Some(cert_file),
chain: tls_client.pem_ca.clone(),
};
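Review bot: The credential files written with `std::fs::write` at L86–L90 are created with the umask default mode (usually 0644), yet `tls_creds_cert_path()` is then used as the TLS private key source at L101, so key material ends up on disk readable by other local users; create the files with `OpenOptions` and `mode(0o600)` on unix, as sketched below for the client credentials (the CA file can follow the same pattern, and an already-existing 0644 file should be removed or chmod'ed first since the mode only applies on creation). Separately, the `key_file` fallback at L101 points at the *cert* path, which only works if `client_cert_pem` carries the private key alongside the certificate — if it does, say so with `// the tlscreds response bundles the private key with the client cert`, otherwise a dedicated key path is needed. `write_all` needs `std::io::Write` in scope. `tls_connect` begins at L62 and its body continues beyond this hunk.
```rust
// … unchanged: ssh bootstrap, Pdu::decode and the creds match …
// This file doubles as the TLS private key source below, so it must not be
// created with the umask default (typically world-readable).
let mut opts = std::fs::OpenOptions::new();
opts.write(true).create(true).truncate(true);
#[cfg(unix)]
{
    use std::os::unix::fs::OpenOptionsExt;
    opts.mode(0o600);
}
std::fs::write(&self.tls_creds_ca_path()?, creds.ca_cert_pem.as_bytes())?;
opts.open(&self.tls_creds_cert_path()?)?
    .write_all(creds.client_cert_pem.as_bytes())?;
self.tls_creds.replace(creds);
```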


@ -20,9 +20,9 @@ lazy_static::lazy_static! {
static ref PKI: pki::Pki = pki::Pki::init().expect("failed to initialize PKI");
}
#[cfg(not(any(feature = "openssl", unix)))]
#[cfg(not(feature = "enable_openssl"))]
use not_ossl as tls_impl;
#[cfg(any(feature = "openssl", unix))]
#[cfg(feature = "enable_openssl")]
use ossl as tls_impl;
#[derive(Debug)]


@ -1,4 +1,5 @@
#![cfg(not(any(feature = "openssl", unix)))]
#![allow(unused)]
use super::*;
use native_tls::TlsAcceptor;
use std::convert::TryInto;
@ -72,5 +73,8 @@ pub fn pem_files_to_identity(
_cert: Option<PathBuf>,
_chain: Option<PathBuf>,
) -> anyhow::Result<Identity> {
bail!("recompile wezterm using --features openssl")
// This is a pain point in native_tls.
// Once https://github.com/sfackler/rust-native-tls/pull/147
// is done this might be doable in terms of pem files
bail!("recompile wezterm using --features enable_openssl")
}
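Review bot: `#![cfg(not(any(feature = "openssl", unix)))]` on L132 still compiles this module out of every unix build, while mod.rs now selects it with `#[cfg(not(feature = "enable_openssl"))]` and ossl.rs was switched to the new gate in the same commit; the hunk's +1 count suggests L132 is unchanged, so a unix build with `--no-default-features` — the configuration this commit sets out to allow — would have nothing behind `use not_ossl as tls_impl`. Align it with ossl.rs: `#![cfg(not(feature = "enable_openssl"))]`. The `#![allow(unused)]` added on L133 silences the whole file without saying why; a one-line reason such as `// stub until native_tls can load PEM identities; see pem_files_to_identity` would keep it from being cargo-culted forward once the stub is filled in.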


@ -1,4 +1,4 @@
#![cfg(any(feature = "openssl", unix))]
#![cfg(feature = "enable_openssl")]
use super::*;
use openssl::pkcs12::Pkcs12;
use openssl::pkey::PKey;


@ -30,7 +30,7 @@ impl ReadAndWrite for native_tls::TlsStream<std::net::TcpStream> {
}
}
#[cfg(any(feature = "openssl", unix))]
#[cfg(feature = "enable_openssl")]
impl ReadAndWrite for openssl::ssl::SslStream<std::net::TcpStream> {
fn set_non_blocking(&self, non_blocking: bool) -> anyhow::Result<()> {
self.get_ref().set_nonblocking(non_blocking)?;
@ -134,7 +134,7 @@ impl AsPollFd for native_tls::TlsStream<TcpStream> {
}
}
#[cfg(any(feature = "openssl", unix))]
#[cfg(feature = "enable_openssl")]
impl AsPollFd for openssl::ssl::SslStream<TcpStream> {
fn as_poll_fd(&self) -> pollfd {
self.get_ref().as_socket_descriptor().as_poll_fd()