Skip to content

Commit

Permalink
Remove openssl, use rustls and rand instead (#431)
Browse files Browse the repository at this point in the history
This PR removes the dependency on `openssl`, which is not compatible
with the `wasm32-unknown-unknown` target, completely. It is replaced by
`rustls` for TLS/SSL and `rand` for cryptographically safe pseudo-RNG.
  • Loading branch information
bitfl0wer authored Nov 12, 2023
2 parents cb82604 + 57a83bd commit 1c3a125
Show file tree
Hide file tree
Showing 4 changed files with 120 additions and 15 deletions.
102 changes: 94 additions & 8 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

9 changes: 7 additions & 2 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -28,10 +28,12 @@ chrono = { version = "0.4.26", features = ["serde"] }
regex = "1.9.4"
custom_error = "1.9.2"
native-tls = "0.2.11"
tokio-tungstenite = { version = "0.20.0", features = ["native-tls"] }
tokio-tungstenite = { version = "0.20.0", features = [
"rustls-tls-native-roots",
"rustls-native-certs",
] }
futures-util = "0.3.28"
http = "0.2.9"
openssl = "0.10.56"
base64 = "0.21.3"
hostname = "0.3.1"
bitflags = { version = "2.4.0", features = ["serde"] }
Expand All @@ -51,6 +53,9 @@ jsonwebtoken = "8.3.0"
log = "0.4.20"
async-trait = "0.1.73"
chorus-macros = "0.2.0"
rustls = "0.21.8"
rustls-native-certs = "0.6.3"
rand = "0.8.5"

[dev-dependencies]
tokio = { version = "1.32.0", features = ["full"] }
Expand Down
14 changes: 11 additions & 3 deletions src/gateway.rs
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,6 @@ use futures_util::stream::SplitStream;
use futures_util::SinkExt;
use futures_util::StreamExt;
use log::{info, trace, warn};
use native_tls::TlsConnector;
use tokio::net::TcpStream;
use tokio::sync::mpsc::Sender;
use tokio::sync::Mutex;
Expand Down Expand Up @@ -349,12 +348,21 @@ pub struct Gateway {
impl Gateway {
#[allow(clippy::new_ret_no_self)]
pub async fn new(websocket_url: String) -> Result<GatewayHandle, GatewayError> {
let mut roots = rustls::RootCertStore::empty();
for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs")
{
roots.add(&rustls::Certificate(cert.0)).unwrap();
}
let (websocket_stream, _) = match connect_async_tls_with_config(
&websocket_url,
None,
false,
Some(Connector::NativeTls(
TlsConnector::builder().build().unwrap(),
Some(Connector::Rustls(
rustls::ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(roots)
.with_no_client_auth()
.into(),
)),
)
.await
Expand Down
10 changes: 8 additions & 2 deletions src/types/config/types/security_configuration.rs
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
use base64::Engine;
use rand::Fill;
use serde::{Deserialize, Serialize};

use crate::types::config::types::subconfigs::security::{
Expand All @@ -22,10 +23,15 @@ pub struct SecurityConfiguration {

impl Default for SecurityConfiguration {
fn default() -> Self {
let mut rng: rand::rngs::ThreadRng = rand::thread_rng();
let mut req_sig: [u8; 32] = [0; 32];
let _ = openssl::rand::rand_bytes(&mut req_sig);
let mut jwt_secret: [u8; 256] = [0; 256];
let _ = openssl::rand::rand_bytes(&mut jwt_secret);
req_sig
.try_fill(&mut rng)
.expect("Unable to generate cryptographically safe secrets.");
jwt_secret
.try_fill(&mut rng)
.expect("Unable to generate cryptographically safe secrets.");
Self {
captcha: Default::default(),
two_factor: Default::default(),
Expand Down

0 comments on commit 1c3a125

Please sign in to comment.