Remove openssl, use rustls and rand instead

polyphony-chat · Nov 12, 2023 · 57a83bd · 57a83bd
1 parent 6daed47
commit 57a83bd
Show file tree

Hide file tree

Showing 4 changed files with 120 additions and 15 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -28,10 +28,12 @@ chrono = { version = "0.4.26", features = ["serde"] }
 regex = "1.9.4"
 custom_error = "1.9.2"
 native-tls = "0.2.11"
-tokio-tungstenite = { version = "0.20.0", features = ["native-tls"] }
+tokio-tungstenite = { version = "0.20.0", features = [
+    "rustls-tls-native-roots",
+    "rustls-native-certs",
+] }
 futures-util = "0.3.28"
 http = "0.2.9"
-openssl = "0.10.56"
 base64 = "0.21.3"
 hostname = "0.3.1"
 bitflags = { version = "2.4.0", features = ["serde"] }
@@ -51,6 +53,9 @@ jsonwebtoken = "8.3.0"
 log = "0.4.20"
 async-trait = "0.1.73"
 chorus-macros = "0.2.0"
+rustls = "0.21.8"
+rustls-native-certs = "0.6.3"
+rand = "0.8.5"
 
 [dev-dependencies]
 tokio = { version = "1.32.0", features = ["full"] }

diff --git a/src/gateway.rs b/src/gateway.rs
@@ -20,7 +20,6 @@ use futures_util::stream::SplitStream;
 use futures_util::SinkExt;
 use futures_util::StreamExt;
 use log::{info, trace, warn};
-use native_tls::TlsConnector;
 use tokio::net::TcpStream;
 use tokio::sync::mpsc::Sender;
 use tokio::sync::Mutex;
@@ -349,12 +348,21 @@ pub struct Gateway {
 impl Gateway {
     #[allow(clippy::new_ret_no_self)]
     pub async fn new(websocket_url: String) -> Result<GatewayHandle, GatewayError> {
+        let mut roots = rustls::RootCertStore::empty();
+        for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs")
+        {
+            roots.add(&rustls::Certificate(cert.0)).unwrap();
+        }
         let (websocket_stream, _) = match connect_async_tls_with_config(
             &websocket_url,
             None,
             false,
-            Some(Connector::NativeTls(
-                TlsConnector::builder().build().unwrap(),
+            Some(Connector::Rustls(
+                rustls::ClientConfig::builder()
+                    .with_safe_defaults()
+                    .with_root_certificates(roots)
+                    .with_no_client_auth()
+                    .into(),
             )),
         )
         .await

diff --git a/src/types/config/types/security_configuration.rs b/src/types/config/types/security_configuration.rs
@@ -1,4 +1,5 @@
 use base64::Engine;
+use rand::Fill;
 use serde::{Deserialize, Serialize};
 
 use crate::types::config::types::subconfigs::security::{
@@ -22,10 +23,15 @@ pub struct SecurityConfiguration {
 
 impl Default for SecurityConfiguration {
     fn default() -> Self {
+        let mut rng: rand::rngs::ThreadRng = rand::thread_rng();
         let mut req_sig: [u8; 32] = [0; 32];
-        let _ = openssl::rand::rand_bytes(&mut req_sig);
         let mut jwt_secret: [u8; 256] = [0; 256];
-        let _ = openssl::rand::rand_bytes(&mut jwt_secret);
+        req_sig
+            .try_fill(&mut rng)
+            .expect("Unable to generate cryptographically safe secrets.");
+        jwt_secret
+            .try_fill(&mut rng)
+            .expect("Unable to generate cryptographically safe secrets.");
         Self {
             captcha: Default::default(),
             two_factor: Default::default(),