
tls: revisit cargo features

This commit adjusts the features in Cargo.toml to allow building
without openssl on unix systems.

It teaches the native_tls flavor of the code to perform bootstrapping
via ssh, but that flavor is still not usable because there is still no way
to get native_tls to use PEM files.
This commit is contained in:
Wez Furlong 2020-02-02 08:50:17 -08:00
parent 9b02089849
commit 274d22edda
6 changed files with 62 additions and 19 deletions


@ -42,6 +42,7 @@ open = "1.2"
metrics = { version="0.12", features=["std"]} metrics = { version="0.12", features=["std"]}
hdrhistogram = "6.3" hdrhistogram = "6.3"
native-tls = "0.2" native-tls = "0.2"
openssl = {version="0.10", optional=true}
# file change notification # file change notification
notify = "4.0" notify = "4.0"
palette = "0.5" palette = "0.5"
@ -98,15 +99,17 @@ winrt-notification = "0.2"
[target.'cfg(any(target_os = "android", all(unix, not(target_os = "macos"))))'.dependencies] [target.'cfg(any(target_os = "android", all(unix, not(target_os = "macos"))))'.dependencies]
fontconfig = { path = "deps/fontconfig" } fontconfig = { path = "deps/fontconfig" }
[target.'cfg(all(unix, not(target_os = "macos")))'.dependencies]
openssl = "0.10"
[target.'cfg(target_os = "macos")'.dependencies] [target.'cfg(target_os = "macos")'.dependencies]
openssl = { version = "0.10", features = ["vendored"] }
core-foundation = "0.7" core-foundation = "0.7"
core-graphics = "0.19" core-graphics = "0.19"
core-text = "15.0" core-text = "15.0"
[features]
default = ["enable_openssl", "vendor_openssl"]
enable_openssl = ["openssl"]
# FIXME: find a way to magically enable vendor_openssl only on macOS!
vendor_openssl = ["openssl/vendored"]
[workspace] [workspace]
[profile.release] [profile.release]
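Review bot: The new `default` feature list enables `vendor_openssl` on every platform, so a default build links the bundled OpenSSL that the `openssl` crate's `vendored` feature compiles from source rather than the system library, and that copy only picks up security fixes when the crate version is bumped. The FIXME above `vendor_openssl` says macOS is the intended target; until that is solved the comment should state the trade-off, e.g. `# vendor_openssl statically links a bundled OpenSSL: distro security updates do not reach it, so bump the openssl crate to pick up fixes`. It is also worth recording that a Linux build wanting the system OpenSSL needs `--no-default-features --features enable_openssl`, since that is no longer the default.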


@ -448,7 +448,7 @@ impl Reconnectable {
Ok(()) Ok(())
} }
#[cfg(any(feature = "openssl", unix))] #[cfg(feature = "enable_openssl")]
pub fn tls_connect( pub fn tls_connect(
&mut self, &mut self,
tls_client: TlsDomainClient, tls_client: TlsDomainClient,
@ -591,7 +591,7 @@ impl Reconnectable {
Ok(()) Ok(())
} }
#[cfg(not(any(feature = "openssl", unix)))] #[cfg(not(feature = "enable_openssl"))]
pub fn tls_connect( pub fn tls_connect(
&mut self, &mut self,
tls_client: TlsDomainClient, tls_client: TlsDomainClient,
@ -611,13 +611,49 @@ impl Reconnectable {
) )
})?; })?;
if let Some(Ok(ssh_params)) = tls_client.ssh_parameters() {
if self.tls_creds.is_none() {
// We need to bootstrap via an ssh session
let sess =
ssh_connect_with_ui(&ssh_params.host_and_port, &ssh_params.username, ui)?;
let mut chan = sess.channel_session()?;
// The `tlscreds` command will start the server if needed and then
// obtain client credentials that we can use for tls.
let cmd = format!("{} cli tlscreds", Self::wezterm_bin_path());
ui.output_str(&format!("Running: {}\n", cmd));
chan.exec(&cmd)?;
let creds = match Pdu::decode(chan)?.pdu {
Pdu::GetTlsCredsResponse(creds) => creds,
_ => bail!("unexpected response to tlscreds"),
};
// Save the credentials to disk, as that is currently the easiest
// way to get them into the tls impl. Ideally we'd keep these entirely
// in memory.
std::fs::write(&self.tls_creds_ca_path()?, creds.ca_cert_pem.as_bytes())?;
std::fs::write(
&self.tls_creds_cert_path()?,
creds.client_cert_pem.as_bytes(),
)?;
self.tls_creds.replace(creds);
}
}
let cert_file = match tls_client.pem_cert.clone() {
Some(cert) => cert,
None if self.tls_creds.is_some() => self.tls_creds_cert_path()?,
None => bail!("no pem_cert configured"),
};
let key_file = match tls_client.pem_private_key.clone() {
Some(key) => key,
None if self.tls_creds.is_some() => self.tls_creds_cert_path()?,
None => bail!("no pem_private_key configured"),
};
let identity = IdentitySource::PemFiles { let identity = IdentitySource::PemFiles {
key: tls_client key: key_file.into(),
.pem_private_key cert: Some(cert_file),
.as_ref()
.ok_or_else(|| anyhow!("missing pem_private_key config value"))?
.into(),
cert: tls_client.pem_cert.clone(),
chain: tls_client.pem_ca.clone(), chain: tls_client.pem_ca.clone(),
}; };
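Review bot: The bootstrapped credentials are written with `std::fs::write`, which creates the files with the default mode subject to the process umask, so the client certificate PEM (and whatever key material travels with it) can end up readable by other local users; the files should be created with an explicit owner-only mode. The `key_file` fallback a few lines down also resolves to `self.tls_creds_cert_path()?` rather than a key-specific path — if `client_cert_pem` is a combined key-plus-certificate bundle that is fine but deserves a comment saying so, otherwise the private key path is wrong. `tls_connect` begins before this hunk and its body continues after it. The helper below needs `std::os::unix::fs::OpenOptionsExt` and `std::io::Write` in scope.
```rust
// Write PEM material so that only the current user can read it; the
// client bundle may carry the private key alongside the certificate.
fn write_creds_file(path: impl AsRef<std::path::Path>, data: &[u8]) -> anyhow::Result<()> {
    let mut opts = std::fs::OpenOptions::new();
    opts.write(true).create(true).truncate(true);
    #[cfg(unix)]
    opts.mode(0o600);
    opts.open(path)?.write_all(data)?;
    Ok(())
}
// … unchanged: ssh bootstrap, `tlscreds` exec and Pdu decode …
write_creds_file(&self.tls_creds_ca_path()?, creds.ca_cert_pem.as_bytes())?;
write_creds_file(&self.tls_creds_cert_path()?, creds.client_cert_pem.as_bytes())?;
self.tls_creds.replace(creds);
```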


@ -20,9 +20,9 @@ lazy_static::lazy_static! {
static ref PKI: pki::Pki = pki::Pki::init().expect("failed to initialize PKI"); static ref PKI: pki::Pki = pki::Pki::init().expect("failed to initialize PKI");
} }
#[cfg(not(any(feature = "openssl", unix)))] #[cfg(not(feature = "enable_openssl"))]
use not_ossl as tls_impl; use not_ossl as tls_impl;
#[cfg(any(feature = "openssl", unix))] #[cfg(feature = "enable_openssl")]
use ossl as tls_impl; use ossl as tls_impl;
#[derive(Debug)] #[derive(Debug)]


@ -1,4 +1,5 @@
#![cfg(not(any(feature = "openssl", unix)))] #![allow(unused)]
use super::*; use super::*;
use native_tls::TlsAcceptor; use native_tls::TlsAcceptor;
use std::convert::TryInto; use std::convert::TryInto;
@ -72,5 +73,8 @@ pub fn pem_files_to_identity(
_cert: Option<PathBuf>, _cert: Option<PathBuf>,
_chain: Option<PathBuf>, _chain: Option<PathBuf>,
) -> anyhow::Result<Identity> { ) -> anyhow::Result<Identity> {
bail!("recompile wezterm using --features openssl") // This is a pain point in native_tls.
// Once https://github.com/sfackler/rust-native-tls/pull/147
// is done this might be doable in terms of pem files
bail!("recompile wezterm using --features enable_openssl")
} }
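Review bot: Replacing the `#![cfg(...)]` gate with `#![allow(unused)]` presumably compiles this module on every configuration (unless the parent `mod` declaration is gated) and mutes every unused-item lint in the file, so a helper that later falls out of use goes unnoticed; a narrower `#[allow(dead_code)]` on the specific items, or keeping a `#![cfg(not(feature = "enable_openssl"))]` gate, preserves that warning. The new comment should also tell the reader what the linked PR would unblock, e.g. `// native_tls has no PEM-file identity loader; until the linked PR lands, only the openssl flavor can consume the bootstrapped credentials.`. `pem_files_to_identity` begins before this hunk.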


@ -1,4 +1,4 @@
#![cfg(any(feature = "openssl", unix))] #![cfg(feature = "enable_openssl")]
use super::*; use super::*;
use openssl::pkcs12::Pkcs12; use openssl::pkcs12::Pkcs12;
use openssl::pkey::PKey; use openssl::pkey::PKey;


@ -30,7 +30,7 @@ impl ReadAndWrite for native_tls::TlsStream<std::net::TcpStream> {
} }
} }
#[cfg(any(feature = "openssl", unix))] #[cfg(feature = "enable_openssl")]
impl ReadAndWrite for openssl::ssl::SslStream<std::net::TcpStream> { impl ReadAndWrite for openssl::ssl::SslStream<std::net::TcpStream> {
fn set_non_blocking(&self, non_blocking: bool) -> anyhow::Result<()> { fn set_non_blocking(&self, non_blocking: bool) -> anyhow::Result<()> {
self.get_ref().set_nonblocking(non_blocking)?; self.get_ref().set_nonblocking(non_blocking)?;
@ -134,7 +134,7 @@ impl AsPollFd for native_tls::TlsStream<TcpStream> {
} }
} }
#[cfg(any(feature = "openssl", unix))] #[cfg(feature = "enable_openssl")]
impl AsPollFd for openssl::ssl::SslStream<TcpStream> { impl AsPollFd for openssl::ssl::SslStream<TcpStream> {
fn as_poll_fd(&self) -> pollfd { fn as_poll_fd(&self) -> pollfd {
self.get_ref().as_socket_descriptor().as_poll_fd() self.get_ref().as_socket_descriptor().as_poll_fd()