tls: revisit cargo features
This commit adjusts the features in Cargo.toml to allow building without openssl on unix systems. It teaches the native_tls flavor of the code to perform bootstrapping via ssh, but is still not usable because there still isn't a way to get native_tls to use PEM files.
This commit is contained in:
parent
9b02089849
commit
274d22edda
11
Cargo.toml
11
Cargo.toml
@ -42,6 +42,7 @@ open = "1.2"
|
|||||||
metrics = { version="0.12", features=["std"]}
|
metrics = { version="0.12", features=["std"]}
|
||||||
hdrhistogram = "6.3"
|
hdrhistogram = "6.3"
|
||||||
native-tls = "0.2"
|
native-tls = "0.2"
|
||||||
|
openssl = {version="0.10", optional=true}
|
||||||
# file change notification
|
# file change notification
|
||||||
notify = "4.0"
|
notify = "4.0"
|
||||||
palette = "0.5"
|
palette = "0.5"
|
||||||
@ -98,15 +99,17 @@ winrt-notification = "0.2"
|
|||||||
[target.'cfg(any(target_os = "android", all(unix, not(target_os = "macos"))))'.dependencies]
|
[target.'cfg(any(target_os = "android", all(unix, not(target_os = "macos"))))'.dependencies]
|
||||||
fontconfig = { path = "deps/fontconfig" }
|
fontconfig = { path = "deps/fontconfig" }
|
||||||
|
|
||||||
[target.'cfg(all(unix, not(target_os = "macos")))'.dependencies]
|
|
||||||
openssl = "0.10"
|
|
||||||
|
|
||||||
[target.'cfg(target_os = "macos")'.dependencies]
|
[target.'cfg(target_os = "macos")'.dependencies]
|
||||||
openssl = { version = "0.10", features = ["vendored"] }
|
|
||||||
core-foundation = "0.7"
|
core-foundation = "0.7"
|
||||||
core-graphics = "0.19"
|
core-graphics = "0.19"
|
||||||
core-text = "15.0"
|
core-text = "15.0"
|
||||||
|
|
||||||
|
[features]
|
||||||
|
default = ["enable_openssl", "vendor_openssl"]
|
||||||
|
enable_openssl = ["openssl"]
|
||||||
|
# FIXME: find a way to magically enable vendor_openssl only on macOS!
|
||||||
|
vendor_openssl = ["openssl/vendored"]
|
||||||
|
|
||||||
[workspace]
|
[workspace]
|
||||||
|
|
||||||
[profile.release]
|
[profile.release]
|
||||||
|
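Review bot: Putting `vendor_openssl` in `default` means every default build, Linux included, now compiles a bundled OpenSSL through `openssl/vendored` instead of linking the distribution's library, so the TLS stack stops receiving the system's security updates and instead tracks whatever version the openssl crate's vendored build pins; the removed target-specific entries only vendored on macOS. Until Cargo can enable a feature per target, the FIXME should at least tell packagers how to opt out, e.g. `# Distro builds should use --no-default-features --features enable_openssl to link the system OpenSSL.` Keeping the vendored OpenSSL current on security advisories then becomes a maintenance duty worth recording next to that comment.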
@ -448,7 +448,7 @@ impl Reconnectable {
|
|||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(any(feature = "openssl", unix))]
|
#[cfg(feature = "enable_openssl")]
|
||||||
pub fn tls_connect(
|
pub fn tls_connect(
|
||||||
&mut self,
|
&mut self,
|
||||||
tls_client: TlsDomainClient,
|
tls_client: TlsDomainClient,
|
||||||
@ -591,7 +591,7 @@ impl Reconnectable {
|
|||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(not(any(feature = "openssl", unix)))]
|
#[cfg(not(feature = "enable_openssl"))]
|
||||||
pub fn tls_connect(
|
pub fn tls_connect(
|
||||||
&mut self,
|
&mut self,
|
||||||
tls_client: TlsDomainClient,
|
tls_client: TlsDomainClient,
|
||||||
@ -611,13 +611,49 @@ impl Reconnectable {
|
|||||||
)
|
)
|
||||||
})?;
|
})?;
|
||||||
|
|
||||||
|
if let Some(Ok(ssh_params)) = tls_client.ssh_parameters() {
|
||||||
|
if self.tls_creds.is_none() {
|
||||||
|
// We need to bootstrap via an ssh session
|
||||||
|
let sess =
|
||||||
|
ssh_connect_with_ui(&ssh_params.host_and_port, &ssh_params.username, ui)?;
|
||||||
|
let mut chan = sess.channel_session()?;
|
||||||
|
|
||||||
|
// The `tlscreds` command will start the server if needed and then
|
||||||
|
// obtain client credentials that we can use for tls.
|
||||||
|
let cmd = format!("{} cli tlscreds", Self::wezterm_bin_path());
|
||||||
|
ui.output_str(&format!("Running: {}\n", cmd));
|
||||||
|
chan.exec(&cmd)?;
|
||||||
|
let creds = match Pdu::decode(chan)?.pdu {
|
||||||
|
Pdu::GetTlsCredsResponse(creds) => creds,
|
||||||
|
_ => bail!("unexpected response to tlscreds"),
|
||||||
|
};
|
||||||
|
|
||||||
|
// Save the credentials to disk, as that is currently the easiest
|
||||||
|
// way to get them into the tls impl. Ideally we'd keep these entirely
|
||||||
|
// in memory.
|
||||||
|
std::fs::write(&self.tls_creds_ca_path()?, creds.ca_cert_pem.as_bytes())?;
|
||||||
|
std::fs::write(
|
||||||
|
&self.tls_creds_cert_path()?,
|
||||||
|
creds.client_cert_pem.as_bytes(),
|
||||||
|
)?;
|
||||||
|
self.tls_creds.replace(creds);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
let cert_file = match tls_client.pem_cert.clone() {
|
||||||
|
Some(cert) => cert,
|
||||||
|
None if self.tls_creds.is_some() => self.tls_creds_cert_path()?,
|
||||||
|
None => bail!("no pem_cert configured"),
|
||||||
|
};
|
||||||
|
let key_file = match tls_client.pem_private_key.clone() {
|
||||||
|
Some(key) => key,
|
||||||
|
None if self.tls_creds.is_some() => self.tls_creds_cert_path()?,
|
||||||
|
None => bail!("no pem_private_key configured"),
|
||||||
|
};
|
||||||
|
|
||||||
let identity = IdentitySource::PemFiles {
|
let identity = IdentitySource::PemFiles {
|
||||||
key: tls_client
|
key: key_file.into(),
|
||||||
.pem_private_key
|
cert: Some(cert_file),
|
||||||
.as_ref()
|
|
||||||
.ok_or_else(|| anyhow!("missing pem_private_key config value"))?
|
|
||||||
.into(),
|
|
||||||
cert: tls_client.pem_cert.clone(),
|
|
||||||
chain: tls_client.pem_ca.clone(),
|
chain: tls_client.pem_ca.clone(),
|
||||||
};
|
};
|
||||||
|
|
||||||
|
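Review bot: The bootstrapped client credentials are written with `std::fs::write`, which creates the file with default permissions (typically world-readable under a 022 umask), and since `key_file` resolves to the same `tls_creds_cert_path()` file as `cert_file`, that file is expected to hold the client private key, so other local users can read it. The comment already flags the on-disk copy as a stop-gap, but the write should still create the file owner-only; a small helper that sets `mode(0o600)` on unix (and falls back to plain create-and-truncate elsewhere, since this is the non-openssl build that may target Windows) keeps the change local to this hunk. Resolving both paths to the cert file also presumes `client_cert_pem` carries the key alongside the certificate — I cannot confirm that from here, and a one-line comment there would spare the next reader the guess. The enclosing `tls_connect` body starts and ends outside this hunk.
```rust
                // Owner-only permissions: this file also serves as the private key.
                write_private_pem(&self.tls_creds_cert_path()?, creds.client_cert_pem.as_bytes())?;
                // … unchanged: ca cert write, self.tls_creds.replace(creds) …

/// Write PEM material to `path`, creating it with mode 0600 on unix so the
/// private key is not readable by other local users.
fn write_private_pem(path: &std::path::Path, contents: &[u8]) -> anyhow::Result<()> {
    use std::io::Write;
    let mut opts = std::fs::OpenOptions::new();
    opts.write(true).create(true).truncate(true);
    #[cfg(unix)]
    {
        use std::os::unix::fs::OpenOptionsExt;
        opts.mode(0o600);
    }
    opts.open(path)?.write_all(contents)?;
    Ok(())
}
```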
@ -20,9 +20,9 @@ lazy_static::lazy_static! {
|
|||||||
static ref PKI: pki::Pki = pki::Pki::init().expect("failed to initialize PKI");
|
static ref PKI: pki::Pki = pki::Pki::init().expect("failed to initialize PKI");
|
||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(not(any(feature = "openssl", unix)))]
|
#[cfg(not(feature = "enable_openssl"))]
|
||||||
use not_ossl as tls_impl;
|
use not_ossl as tls_impl;
|
||||||
#[cfg(any(feature = "openssl", unix))]
|
#[cfg(feature = "enable_openssl")]
|
||||||
use ossl as tls_impl;
|
use ossl as tls_impl;
|
||||||
|
|
||||||
#[derive(Debug)]
|
#[derive(Debug)]
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
#![cfg(not(any(feature = "openssl", unix)))]
|
#![allow(unused)]
|
||||||
|
|
||||||
use super::*;
|
use super::*;
|
||||||
use native_tls::TlsAcceptor;
|
use native_tls::TlsAcceptor;
|
||||||
use std::convert::TryInto;
|
use std::convert::TryInto;
|
||||||
@ -72,5 +73,8 @@ pub fn pem_files_to_identity(
|
|||||||
_cert: Option<PathBuf>,
|
_cert: Option<PathBuf>,
|
||||||
_chain: Option<PathBuf>,
|
_chain: Option<PathBuf>,
|
||||||
) -> anyhow::Result<Identity> {
|
) -> anyhow::Result<Identity> {
|
||||||
bail!("recompile wezterm using --features openssl")
|
// This is a pain point in native_tls.
|
||||||
|
// Once https://github.com/sfackler/rust-native-tls/pull/147
|
||||||
|
// is done this might be doable in terms of pem files
|
||||||
|
bail!("recompile wezterm using --features enable_openssl")
|
||||||
}
|
}
|
||||||
|
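Review bot: In the first hunk, the blanket `#![allow(unused)]` that replaces the cfg gate carries no explanation and silences unused-item warnings even in the build where this module is the active `tls_impl`. Because the `use not_ossl as tls_impl` selection is gated on `not(feature = "enable_openssl")`, the suppression is only needed when openssl is enabled, so `#![cfg_attr(feature = "enable_openssl", allow(unused))]` preceded by `// Compiled unconditionally; only selected as tls_impl when enable_openssl is off.` keeps lint coverage for the configuration that actually runs this code.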
@ -1,4 +1,4 @@
|
|||||||
#![cfg(any(feature = "openssl", unix))]
|
#![cfg(feature = "enable_openssl")]
|
||||||
use super::*;
|
use super::*;
|
||||||
use openssl::pkcs12::Pkcs12;
|
use openssl::pkcs12::Pkcs12;
|
||||||
use openssl::pkey::PKey;
|
use openssl::pkey::PKey;
|
||||||
|
@ -30,7 +30,7 @@ impl ReadAndWrite for native_tls::TlsStream<std::net::TcpStream> {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(any(feature = "openssl", unix))]
|
#[cfg(feature = "enable_openssl")]
|
||||||
impl ReadAndWrite for openssl::ssl::SslStream<std::net::TcpStream> {
|
impl ReadAndWrite for openssl::ssl::SslStream<std::net::TcpStream> {
|
||||||
fn set_non_blocking(&self, non_blocking: bool) -> anyhow::Result<()> {
|
fn set_non_blocking(&self, non_blocking: bool) -> anyhow::Result<()> {
|
||||||
self.get_ref().set_nonblocking(non_blocking)?;
|
self.get_ref().set_nonblocking(non_blocking)?;
|
||||||
@ -134,7 +134,7 @@ impl AsPollFd for native_tls::TlsStream<TcpStream> {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(any(feature = "openssl", unix))]
|
#[cfg(feature = "enable_openssl")]
|
||||||
impl AsPollFd for openssl::ssl::SslStream<TcpStream> {
|
impl AsPollFd for openssl::ssl::SslStream<TcpStream> {
|
||||||
fn as_poll_fd(&self) -> pollfd {
|
fn as_poll_fd(&self) -> pollfd {
|
||||||
self.get_ref().as_socket_descriptor().as_poll_fd()
|
self.get_ref().as_socket_descriptor().as_poll_fd()
|
||||||
|