warp-openssl 0.6.0

OpenSSL bindings for Warp TLS server
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160

use std::{
    io,
    pin::Pin,
    sync::{Arc, Mutex},
    task::{Context, Poll},
};

use openssl::ssl::Ssl;
use tokio::io::{AsyncRead, AsyncWrite};
use tokio::net::TcpStream;
use tokio_openssl::SslStream;

use crate::{certificate::CertificateVerifier, config::SslConfig};

pub(crate) type CloneableStream = Arc<Mutex<SslStream<TcpStream>>>;

enum AcceptState {
    Pending,
    Ready,
}

enum ConnectionState {
    Handshaking,
    Streaming,
}

/// Convenience wrapper around `tokio_openssl::SslStream` that handles the TLS handshake and
/// certificate validation.
pub(crate) struct TlsStream {
    state: ConnectionState,
    stream: CloneableStream,
    certificate_verifier: Option<Arc<dyn CertificateVerifier>>,
}

impl TlsStream {
    pub(crate) fn new(
        stream: TcpStream,
        ssl_config: &SslConfig,
    ) -> std::result::Result<TlsStream, io::Error> {
        let ssl = Ssl::new(ssl_config.acceptor.context()).map_err(io::Error::from)?;
        let stream = Arc::new(Mutex::new(
            SslStream::new(ssl, stream).map_err(io::Error::from)?,
        ));

        Ok(TlsStream {
            state: ConnectionState::Handshaking,
            stream,
            certificate_verifier: ssl_config.certificate_verifier.clone(),
        })
    }

    pub(crate) fn stream(&self) -> CloneableStream {
        self.stream.clone()
    }

    /// Performs the TLS handshake and sets the state to `Streaming` if successful.
    /// Returns `Ok(AcceptState::Ready)` if the handshake is complete, or `Ok(AcceptState::Pending)`
    /// if the handshake is still in progress.
    ///
    /// If the handshake fails, returns an `io::Error`.
    /// If the handshake succeeds but the certificate verification fails, returns an `io::Error`.
    ///
    fn do_poll_accept(self: &mut Pin<&mut Self>, cx: &mut Context<'_>) -> io::Result<AcceptState> {
        debug_assert!(matches!(self.state, ConnectionState::Handshaking));

        let stream = self.stream();
        let mut stream = stream.lock().expect("Could not lock stream");

        match Pin::new(&mut *stream).poll_accept(cx) {
            Poll::Ready(Ok(_)) => {
                self.state = ConnectionState::Streaming;
                if let Some(certificate_verifier) = self.certificate_verifier.as_ref() {
                    if let Some(cert) = stream.ssl().peer_certificate() {
                        let cert = cert.try_into()?;
                        certificate_verifier
                            .verify_certificate(&cert)
                            .map_err(|err| {
                                tracing::error!(
                                    "Certificate validation failed for certificate: {:?}",
                                    cert
                                );
                                io::Error::other(err)
                            })?
                    }
                }
                Ok(AcceptState::Ready)
            }
            Poll::Ready(Err(e)) => {
                // Log the error in case of cert verification falilure otherwise warp silently ignores this
                tracing::error!("Error in poll_accept: {:?}", e);
                Err(e.into_io_error().unwrap_or_else(io::Error::other))
            }
            Poll::Pending => Ok(AcceptState::Pending),
        }
    }
}

impl AsyncRead for TlsStream {
    fn poll_read(
        mut self: Pin<&mut Self>,
        cx: &mut Context<'_>,
        buf: &mut tokio::io::ReadBuf<'_>,
    ) -> Poll<io::Result<()>> {
        match self.state {
            ConnectionState::Handshaking => match self.do_poll_accept(cx)? {
                AcceptState::Pending => Poll::Pending,
                AcceptState::Ready => self.poll_read(cx, buf),
            },
            ConnectionState::Streaming => {
                let mut stream = self.stream.lock().expect("Could not lock stream");
                Pin::new(&mut *stream).poll_read(cx, buf)
            }
        }
    }
}

impl AsyncWrite for TlsStream {
    fn poll_write(
        mut self: Pin<&mut Self>,
        cx: &mut Context<'_>,
        buf: &[u8],
    ) -> Poll<std::result::Result<usize, io::Error>> {
        match self.state {
            ConnectionState::Handshaking => match self.do_poll_accept(cx)? {
                AcceptState::Pending => Poll::Pending,
                AcceptState::Ready => self.poll_write(cx, buf),
            },
            ConnectionState::Streaming => {
                let mut stream = self.stream.lock().expect("Could not lock stream");
                Pin::new(&mut *stream).poll_write(cx, buf)
            }
        }
    }

    fn poll_flush(
        self: Pin<&mut Self>,
        cx: &mut Context<'_>,
    ) -> Poll<std::result::Result<(), io::Error>> {
        match self.state {
            ConnectionState::Handshaking => Poll::Ready(Ok(())),
            ConnectionState::Streaming => {
                let mut stream = self.stream.lock().expect("Could not lock stream");
                Pin::new(&mut *stream).poll_flush(cx)
            }
        }
    }

    fn poll_shutdown(
        self: Pin<&mut Self>,
        cx: &mut Context<'_>,
    ) -> Poll<std::result::Result<(), io::Error>> {
        match self.state {
            ConnectionState::Handshaking => Poll::Ready(Ok(())),
            ConnectionState::Streaming => {
                let mut stream = self.stream.lock().expect("Could not lock stream");
                Pin::new(&mut *stream).poll_shutdown(cx)
            }
        }
    }
}