http_private: get tls working

2026-03-31 17:55:36 +00:00 · 2022-04-03 19:07:55 +02:00 · 2022-04-03 19:07:55 +02:00 · c21ed97cb2
commit c21ed97cb2
parent e790727bc0
5 changed files with 211 additions and 9 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -83,6 +83,8 @@ dependencies = [
 "log",
 "privdrop",
 "rand",
+ "rustls 0.20.4",
+ "rustls-pemfile",
 "serde",
 ]

@ -150,14 +152,18 @@ dependencies = [
 "aquatic_toml_config",
 "axum",
 "dotenv",
+ "futures-util",
 "hex",
+ "hyper",
 "log",
 "mimalloc",
 "rand",
+ "rustls 0.20.4",
 "serde",
 "socket2 0.4.4",
 "sqlx",
 "tokio",
+ "tokio-rustls 0.23.3",
 ]

 [[package]]
@ -2619,7 +2625,7 @@ checksum = "b555e70fbbf84e269ec3858b7a6515bcfe7a166a7cc9c636dd6efd20431678b6"
 dependencies = [
 "once_cell",
 "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.22.0",
 ]

 [[package]]
@ -2797,6 +2803,17 @@ dependencies = [
 "webpki 0.21.4",
 ]

+[[package]]
+name = "tokio-rustls"
+version = "0.23.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4151fda0cf2798550ad0b34bcfc9b9dcc2a9d2471c895c68f3a8818e54f2389e"
+dependencies = [
+ "rustls 0.20.4",
+ "tokio",
+ "webpki 0.22.0",
+]
+
 [[package]]
 name = "tokio-stream"
 version = "0.1.8"
--- a/aquatic_http_private/Cargo.toml
+++ b/aquatic_http_private/Cargo.toml
@ -11,19 +11,22 @@ name = "aquatic_http_private"

 [dependencies]
 aquatic_cli_helpers = "0.2.0"
-aquatic_common = "0.2.0"
+aquatic_common = { version = "0.2.0", features = ["rustls-config"] }
 aquatic_http_protocol = "0.2.0"
 aquatic_toml_config = "0.2.0"

 anyhow = "1"
 axum = { version = "0.5", default-features = false, features = ["headers", "http1", "matched-path", "original-uri"] }
 dotenv = "0.15"
+futures-util = { version = "0.3", default-features = false }
 hex = "0.4"
+hyper = "0.14"
 log = "0.4"
 mimalloc = { version = "0.1", default-features = false }
 rand = { version = "0.8", features = ["small_rng"] }
+rustls = "0.20"
 serde = { version = "1", features = ["derive"] }
 socket2 = { version = "0.4", features = ["all"] }
 sqlx = { version = "0.5", features = [ "runtime-tokio-rustls" , "mysql" ] }
 tokio = { version = "1", features = ["full"] }
-
+tokio-rustls = "0.23"
--- a/aquatic_http_private/src/lib.rs
+++ b/aquatic_http_private/src/lib.rs
@ -2,18 +2,26 @@ mod common;
 pub mod config;
 mod workers;

-use std::collections::VecDeque;
+use std::{collections::VecDeque, sync::Arc};

+use aquatic_common::rustls_config::create_rustls_config;
 use common::ChannelRequestSender;
 use dotenv::dotenv;
 use tokio::sync::mpsc::channel;

+use config::Config;
+
 pub const APP_NAME: &str = "aquatic_http_private: private HTTP/TLS BitTorrent tracker";
 pub const APP_VERSION: &str = env!("CARGO_PKG_VERSION");

-pub fn run(config: config::Config) -> anyhow::Result<()> {
+pub fn run(config: Config) -> anyhow::Result<()> {
    dotenv().ok();

+    let tls_config = Arc::new(create_rustls_config(
+        &config.network.tls_certificate_path,
+        &config.network.tls_private_key_path,
+    )?);
+
    let mut request_senders = Vec::new();
    let mut request_receivers = VecDeque::new();

@ -28,11 +36,14 @@ pub fn run(config: config::Config) -> anyhow::Result<()> {

    for _ in 0..config.socket_workers {
        let config = config.clone();
+        let tls_config = tls_config.clone();
        let request_sender = ChannelRequestSender::new(request_senders.clone());

        let handle = ::std::thread::Builder::new()
            .name("socket".into())
-            .spawn(move || workers::socket::run_socket_worker(config, request_sender))?;
+            .spawn(move || {
+                workers::socket::run_socket_worker(config, tls_config, request_sender)
+            })?;

        handles.push(handle);
    }
--- a/aquatic_http_private/src/workers/socket/mod.rs
+++ b/aquatic_http_private/src/workers/socket/mod.rs
@ -1,5 +1,6 @@
 pub mod db;
 mod routes;
+mod tls;

 use std::{
    net::{SocketAddr, TcpListener},
@ -7,13 +8,23 @@ use std::{
 };

 use anyhow::Context;
-use axum::{routing::get, Extension, Router};
+use aquatic_common::rustls_config::RustlsConfig;
+use axum::{extract::connect_info::Connected, routing::get, Extension, Router};
+use hyper::server::conn::AddrIncoming;
 use sqlx::mysql::MySqlPoolOptions;

+use self::tls::{TlsAcceptor, TlsStream};
 use crate::{common::ChannelRequestSender, config::Config};

+impl<'a> Connected<&'a tls::TlsStream> for SocketAddr {
+    fn connect_info(target: &'a TlsStream) -> Self {
+        target.get_remote_addr()
+    }
+}
+
 pub fn run_socket_worker(
    config: Config,
+    tls_config: Arc<RustlsConfig>,
    request_sender: ChannelRequestSender,
 ) -> anyhow::Result<()> {
    let tcp_listener = create_tcp_listener(config.network.address)?;
@ -22,19 +33,25 @@ pub fn run_socket_worker(
        .enable_all()
        .build()?;

-    runtime.block_on(run_app(config, tcp_listener, request_sender))?;
+    runtime.block_on(run_app(config, tls_config, tcp_listener, request_sender))?;

    Ok(())
 }

 async fn run_app(
    config: Config,
+    tls_config: Arc<RustlsConfig>,
    tcp_listener: TcpListener,
    request_sender: ChannelRequestSender,
 ) -> anyhow::Result<()> {
    let db_url =
        ::std::env::var("DATABASE_URL").with_context(|| "Retrieve env var DATABASE_URL")?;

+    let tls_acceptor = TlsAcceptor::new(
+        tls_config,
+        AddrIncoming::from_listener(tokio::net::TcpListener::from_std(tcp_listener)?)?,
+    );
+
    let pool = MySqlPoolOptions::new()
        .max_connections(5)
        .connect(&db_url)
@ -46,7 +63,7 @@ async fn run_app(
        .layer(Extension(pool))
        .layer(Extension(Arc::new(request_sender)));

-    axum::Server::from_tcp(tcp_listener)?
+    axum::Server::builder(tls_acceptor)
        .http1_keepalive(false)
        .serve(app.into_make_service_with_connect_info::<SocketAddr>())
        .await?;
@ -66,6 +83,9 @@ fn create_tcp_listener(addr: SocketAddr) -> anyhow::Result<TcpListener> {
    socket
        .set_reuse_port(true)
        .with_context(|| "set_reuse_port")?;
+    socket
+        .set_nonblocking(true)
+        .with_context(|| "set_nonblocking")?;
    socket
        .bind(&addr.into())
        .with_context(|| format!("bind to {}", addr))?;
--- a/aquatic_http_private/src/workers/socket/tls.rs
+++ b/aquatic_http_private/src/workers/socket/tls.rs
@ -0,0 +1,151 @@
+//! hyper/rustls integration
+//!
+//! hyper will automatically use HTTP/2 if a client starts talking HTTP/2,
+//! otherwise HTTP/1.1 will be used.
+//!
+//! Based on https://github.com/rustls/hyper-rustls/blob/9b7b1220f74de9b249ce2b8f8b922fd00074c53b/examples/server.rs
+
+// ISC License (ISC)
+// Copyright (c) 2016, Joseph Birr-Pixton <jpixton@gmail.com>
+//
+// Permission to use, copy, modify, and/or distribute this software for
+// any purpose with or without fee is hereby granted, provided that the
+// above copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
+// WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+// WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
+// AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+// DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+// PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+// ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
+// THIS SOFTWARE.
+
+use core::task::{Context, Poll};
+use futures_util::ready;
+use hyper::server::accept::Accept;
+use hyper::server::conn::{AddrIncoming, AddrStream};
+use std::future::Future;
+use std::io;
+use std::net::SocketAddr;
+use std::pin::Pin;
+use std::sync::Arc;
+use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
+use tokio_rustls::rustls::ServerConfig;
+
+enum State {
+    Handshaking(tokio_rustls::Accept<AddrStream>, SocketAddr),
+    Streaming(tokio_rustls::server::TlsStream<AddrStream>),
+}
+
+// tokio_rustls::server::TlsStream doesn't expose constructor methods,
+// so we have to TlsAcceptor::accept and handshake to have access to it
+// TlsStream implements AsyncRead/AsyncWrite handshaking tokio_rustls::Accept first
+pub struct TlsStream {
+    state: State,
+}
+
+impl TlsStream {
+    fn new(stream: AddrStream, config: Arc<ServerConfig>) -> TlsStream {
+        let remote_addr = stream.remote_addr();
+        let accept = tokio_rustls::TlsAcceptor::from(config).accept(stream);
+
+        TlsStream {
+            state: State::Handshaking(accept, remote_addr),
+        }
+    }
+
+    pub fn get_remote_addr(&self) -> SocketAddr {
+        match &self.state {
+            State::Handshaking(_, remote_addr) => *remote_addr,
+            State::Streaming(stream) => stream.get_ref().0.remote_addr(),
+        }
+    }
+}
+
+impl AsyncRead for TlsStream {
+    fn poll_read(
+        self: Pin<&mut Self>,
+        cx: &mut Context,
+        buf: &mut ReadBuf,
+    ) -> Poll<io::Result<()>> {
+        let pin = self.get_mut();
+        match pin.state {
+            State::Handshaking(ref mut accept, ref mut socket_addr) => {
+                match ready!(Pin::new(accept).poll(cx)) {
+                    Ok(mut stream) => {
+                        *socket_addr = stream.get_ref().0.remote_addr();
+                        let result = Pin::new(&mut stream).poll_read(cx, buf);
+                        pin.state = State::Streaming(stream);
+                        result
+                    }
+                    Err(err) => Poll::Ready(Err(err)),
+                }
+            }
+            State::Streaming(ref mut stream) => Pin::new(stream).poll_read(cx, buf),
+        }
+    }
+}
+
+impl AsyncWrite for TlsStream {
+    fn poll_write(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &[u8],
+    ) -> Poll<io::Result<usize>> {
+        let pin = self.get_mut();
+        match pin.state {
+            State::Handshaking(ref mut accept, _) => match ready!(Pin::new(accept).poll(cx)) {
+                Ok(mut stream) => {
+                    let result = Pin::new(&mut stream).poll_write(cx, buf);
+                    pin.state = State::Streaming(stream);
+                    result
+                }
+                Err(err) => Poll::Ready(Err(err)),
+            },
+            State::Streaming(ref mut stream) => Pin::new(stream).poll_write(cx, buf),
+        }
+    }
+
+    fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        match self.state {
+            State::Handshaking(_, _) => Poll::Ready(Ok(())),
+            State::Streaming(ref mut stream) => Pin::new(stream).poll_flush(cx),
+        }
+    }
+
+    fn poll_shutdown(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {
+        match self.state {
+            State::Handshaking(_, _) => Poll::Ready(Ok(())),
+            State::Streaming(ref mut stream) => Pin::new(stream).poll_shutdown(cx),
+        }
+    }
+}
+
+pub struct TlsAcceptor {
+    config: Arc<ServerConfig>,
+    incoming: AddrIncoming,
+}
+
+impl TlsAcceptor {
+    pub fn new(config: Arc<ServerConfig>, incoming: AddrIncoming) -> TlsAcceptor {
+        TlsAcceptor { config, incoming }
+    }
+}
+
+impl Accept for TlsAcceptor {
+    type Conn = TlsStream;
+    type Error = io::Error;
+
+    fn poll_accept(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+    ) -> Poll<Option<Result<Self::Conn, Self::Error>>> {
+        let pin = self.get_mut();
+        match ready!(Pin::new(&mut pin.incoming).poll_accept(cx)) {
+            Some(Ok(sock)) => Poll::Ready(Some(Ok(TlsStream::new(sock, pin.config.clone())))),
+            Some(Err(e)) => Poll::Ready(Some(Err(e))),
+            None => Poll::Ready(None),
+        }
+    }
+}