Merge pull request #320 from oldgalileo/main

Switch tokio-native-tls -> tokio-rustls
squidowl · Apr 4, 2024 · cc8e287 · cc8e287
2 parents 6827046 + 2d7d21f
commit cc8e287
Show file tree

Hide file tree

Showing 7 changed files with 269 additions and 36 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ Fixed:
 
 - Accept '@' in usernames to support bouncers that use the user@identifier/network convention
 - Prevent rare scenario where broadcast messages' timestamp would not match time the messages are received
+- Fix SASL on macos by using RUSTLS backend
 
 Changed:
 

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/data/src/config/server.rs b/data/src/config/server.rs
@@ -164,8 +164,8 @@ impl Sasl {
     }
 
     fn external_key(&self) -> Option<&PathBuf> {
-        if let Self::External { cert, key, .. } = self {
-            Some(key.as_ref().unwrap_or(cert))
+        if let Self::External { key, .. } = self {
+            key.as_ref()
         } else {
             None
         }

diff --git a/data/src/server.rs b/data/src/server.rs
@@ -72,14 +72,22 @@ impl Map {
             }
             if let Some(sasl) = &mut config.sasl {
                 match sasl {
-                    Sasl::Plain { password: password @ None, password_file: Some(pass_file), .. } => {
+                    Sasl::Plain {
+                        password: Some(_),
+                        password_file: Some(_),
+                        ..
+                    } => {
+                        return Err(Error::Parse("Exactly one of sasl.plain.password or sasl.plain.password_file must be set.".to_string()));
+                    }
+                    Sasl::Plain {
+                        password: password @ None,
+                        password_file: Some(pass_file),
+                        ..
+                    } => {
                         let pass = fs::read_to_string(pass_file)?;
                         *password = Some(pass);
-                    },
-                    Sasl::Plain { password: Some(_), password_file: None, .. } => {},
-                    _ => {
-                        return Err(Error::Parse("Exactly one of sasl.plain.password or sasl.plain.password_file must be set.".to_string()));
                     }
+                    _ => {}
                 }
             }
         }

diff --git a/irc/Cargo.toml b/irc/Cargo.toml
@@ -9,8 +9,10 @@ bytes = "1.4.0"
 futures = "0.3.28"
 thiserror = "1.0.30"
 tokio = { version = "1.29", features = ["net", "full"] }
-tokio-native-tls = "0.3.1"
+tokio-rustls = { version = "0.26.0", default-features = false, features = ["tls12", "ring"] }
 tokio-util = { version = "0.7", features = ["codec"] }
+rustls-native-certs = "0.7.0"
+rustls-pemfile = "2.1.1"
 
 [dependencies.proto]
 path = "proto"

diff --git a/irc/src/connection.rs b/irc/src/connection.rs
@@ -1,14 +1,14 @@
-use std::io;
 use std::net::IpAddr;
 use std::path::PathBuf;
 
 use futures::{Sink, SinkExt, Stream, StreamExt};
-use tokio::fs;
 use tokio::io::AsyncWriteExt;
 use tokio::net::{TcpListener, TcpStream};
-use tokio_native_tls::native_tls::{Certificate, Identity};
-use tokio_native_tls::{native_tls, TlsConnector, TlsStream};
-use tokio_util::codec::{self, Framed};
+use tokio_rustls::client::TlsStream;
+use tokio_util::codec;
+use tokio_util::codec::Framed;
+
+mod tls;
 
 pub enum Connection<Codec> {
     Tls(Framed<TlsStream<TcpStream>, Codec>),
@@ -44,25 +44,15 @@ impl<Codec> Connection<Codec> {
             client_key_path,
         } = config.security
         {
-            let mut builder = native_tls::TlsConnector::builder();
-            builder.danger_accept_invalid_certs(accept_invalid_certs);
-
-            if let Some(path) = root_cert_path {
-                let bytes = fs::read(path).await?;
-                let cert = Certificate::from_pem(&bytes)?;
-                builder.add_root_certificate(cert);
-            }
-
-            if let (Some(cert_path), Some(pkcs8_key_path)) = (client_cert_path, client_key_path) {
-                let cert_bytes = fs::read(cert_path).await?;
-                let pkcs8_key_bytes = fs::read(pkcs8_key_path).await?;
-                let identity = Identity::from_pkcs8(&cert_bytes, &pkcs8_key_bytes)?;
-                builder.identity(identity);
-            }
-
-            let tls = TlsConnector::from(builder.build()?)
-                .connect(config.server, tcp)
-                .await?;
+            let tls = tls::connect(
+                tcp,
+                config.server,
+                accept_invalid_certs,
+                root_cert_path,
+                client_cert_path,
+                client_key_path,
+            )
+            .await?;
 
             Ok(Self::Tls(Framed::new(tls, codec)))
         } else {
@@ -106,9 +96,9 @@ impl<Codec> Connection<Codec> {
 #[derive(Debug, thiserror::Error)]
 pub enum Error {
     #[error("tls error: {0}")]
-    Tls(#[from] tokio_native_tls::native_tls::Error),
+    Tls(#[from] tls::Error),
     #[error("io error: {0}")]
-    Io(#[from] io::Error),
+    Io(#[from] std::io::Error),
 }
 
 macro_rules! delegate {