Split cryptographic dependencies into a dedicated crate #1307
Copy webpki's DNS name types into our dns-name crate so that webpki and ring aren't needed for basic name types.
The `ring`/`rustls`/`webpki` crates provide the cryptographic primitives that we use for the proxy's mTLS functionality. But there's a desire to support other cryptographic implementations (i.e. openssl/boringssl), especially for FIPS 140-2. This change introduces a new crate, `linkerd-tls-rustls`, into which all types that depend on `ring`/`rustls`/`webpki` are moved. Specifically, `Key`, `Crt`, and `CrtKey` are moved from `linkerd-identity` into `rustls`. The `linkerd-tls` crate becomes generic over its TLS implementation by using a `NewService` to build client connectors and a `Service` to terminate server-side TLS connections.
this looks good to me!
type Connection<T, I> = ((tls::ConditionalServerTls, T), tls::server::Io<I>); | ||
type Connection<T, I> = ( | ||
(tls::ConditionalServerTls, T), | ||
io::EitherIo<linkerd_tls_rustls::ServerIo<tls::server::DetectIo<I>>, tls::server::DetectIo<I>>, |
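Review bot: the new `Connection` alias now spells out `io::EitherIo<linkerd_tls_rustls::ServerIo<tls::server::DetectIo<I>>, tls::server::DetectIo<I>>` inline, which both hurts readability and ties this otherwise generic alias directly to the rustls crate; a local alias next to it, along the lines of `type ServerIo<I> = io::EitherIo<linkerd_tls_rustls::ServerIo<tls::server::DetectIo<I>>, tls::server::DetectIo<I>>;`, would keep `Connection` readable and leave one place to change when the rustls-specific half is swapped out in the follow-up decoupling.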
oof...
pub use linkerd_service_profiles as profiles; | ||
pub use linkerd_stack_metrics as stack_metrics; | ||
pub use linkerd_stack_tracing as stack_tracing; | ||
pub use linkerd_tls as tls; | ||
pub use linkerd_tls_rustls as rustls; |
take it or leave it, but i'm kind of on the fence about reexporting this as `rustls`? it seems like it's kind of unclear in downstream code whether imports from this module are library APIs or our code, which could be confusing to future readers?
not a blocker either way though.
I expect this to change in a followup
let permit = | ||
allow.check_authorized(client.client_addr, &tls)?; | ||
Ok(svc::Either::A(Local { | ||
addr: Remote(ServerAddr(addr)), | ||
permit, | ||
client_id: client.client_id, | ||
})) |
it took me a min to realize that this (and some of the other code in this file) was not actually changed, and rustfmt just changed its mind about which line to wrap at or something. :/
I'm not sure why but rustfmt was just ignoring this whole stack before and something changed and now it wants to format it all
wacky!
let server_id = webpki::DNSNameRef::try_from_ascii(client_tls.server_id.as_bytes()) | ||
.expect("identity must be a valid DNS name") | ||
.to_owned(); |
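Review bot: `.expect("identity must be a valid DNS name")` turns a malformed `server_id` into a panic on the per-connection path; if `client_tls.server_id` is always a `dns::Name` that was validated when it was constructed, a short comment stating that invariant next to the `expect` would make clear that the panic is unreachable rather than an unchecked input, and if that is not guaranteed the `try_from_ascii` error should be propagated instead.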
kind of a bummer we have to do the conversion by-ref and then convert it into a new owned `DNSName`, rather than just moving the `String` from the `dns::Name` if it's valid. but, idk if this is worth trying to change it upstream...
yeah. we're on a fork of webpki so we could perhaps patch our fork to avoid it... but this will be a small allocation once per connection, so I'm not particularly worried
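The exchange above re-validates an already-validated name by reference and then allocates an owned `DNSName`. As an added example, not linkerd2-proxy or webpki code, here is an owned name type that validates once at construction, with rules modelled on webpki's reference-identifier checks (an approximation written from memory); the `Name` and `InvalidName` types and the `is_localhost` semantics are assumptions for this example.

```rust
// Added example (assumed `Name` type; not linkerd2-proxy or webpki code).
/// An owned DNS name, validated once at construction.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct Name(String);
#[derive(Debug, PartialEq, Eq)]
pub struct InvalidName;

impl Name {
    /// Rules modelled on webpki's reference-identifier checks (an approximation
    /// written from memory): ASCII only, at most 253 bytes, labels of 1..=63
    /// characters from [A-Za-z0-9-] that neither start nor end with '-', an
    /// optional single trailing '.', and a last label that is not all digits,
    /// so that IPv4 literals such as "10.0.0.1" are rejected.
    pub fn try_from_ascii(s: &str) -> Result<Self, InvalidName> {
        if s.is_empty() || s.len() > 253 || !s.is_ascii() {
            return Err(InvalidName);
        }
        let body = s.strip_suffix('.').unwrap_or(s);
        let mut last_label_numeric = false;
        for label in body.split('.') {
            let b = label.as_bytes();
            if b.is_empty() || b.len() > 63 || b[0] == b'-' || b[b.len() - 1] == b'-' {
                return Err(InvalidName);
            }
            if !b.iter().all(|c| c.is_ascii_alphanumeric() || *c == b'-') {
                return Err(InvalidName);
            }
            last_label_numeric = b.iter().all(u8::is_ascii_digit);
        }
        if last_label_numeric {
            return Err(InvalidName);
        }
        Ok(Name(s.to_string()))
    }

    /// The validated name: building a TLS server identity from it needs no `.expect`.
    pub fn as_str(&self) -> &str {
        &self.0
    }

    /// `localhost` or any name under `.localhost`, compared case-insensitively
    /// without allocating (semantics assumed for this example).
    pub fn is_localhost(&self) -> bool {
        let n = self.0.strip_suffix('.').unwrap_or(&self.0);
        n.eq_ignore_ascii_case("localhost")
            || (n.len() > 10
                && n.as_bytes()[n.len() - 10] == b'.'
                && n[n.len() - 9..].eq_ignore_ascii_case("localhost"))
    }
}
```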
} | ||
|
||
#[test] | ||
#[ignore] // XXX this doesn't fail because we don't actually check the key against the cert... |
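Review bot: the `#[ignore]` with a bare `XXX` leaves no pointer to a tracking issue, and the comment documents a real gap (a key that does not match the certificate is not rejected when the pair is constructed); link the issue in the comment, e.g. `#[ignore] // TODO(#<issue number>): key is not checked against the cert`, so the gap survives the move between crates and is visible to whoever later adds a cross-check.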
should there be an issue for this?
this is just moved from the TLS crate, so it's been a long standing issue. practically, I don't think it's an issue we're likely to hit; and I don't know that we have a path forward to fixing it given the state of things.
This release fixes a bug where the outbound proxy could loop infinitely while handling errors on meshed HTTP/1 connections. This would typically cause proxies to fail health checks and be restarted. Furthermore, the proxy now requires identity. Proxies will log an error and fail to start if identity is disabled.

---

* dns: Avoid allocating in `Name::is_localhost` (linkerd/linkerd2-proxy#1303)
* metrics: Implement FmtMetrics for Option (linkerd/linkerd2-proxy#1302)
* tracing: simplify subscriber construction with `Box`ed layers (linkerd/linkerd2-proxy#1304)
* Require identity configuration (linkerd/linkerd2-proxy#1305)
* build(deps): bump thiserror from 1.0.29 to 1.0.30 (linkerd/linkerd2-proxy#1306)
* build(deps): bump tower from 0.4.8 to 0.4.9 (linkerd/linkerd2-proxy#1308)
* build(deps): bump trust-dns-resolver (linkerd/linkerd2-proxy#1311)
* build(deps): bump actions/checkout from 2.3.4 to 2.3.5 (linkerd/linkerd2-proxy#1313)
* dns-name: Remove `webpki` dependency (linkerd/linkerd2-proxy#1316)
* build(deps): bump libc from 0.2.103 to 0.2.104 (linkerd/linkerd2-proxy#1315)
* inbound: Add a box layer to reduce compile times (linkerd/linkerd2-proxy#1317)
* Split cryptographic dependencies into a dedicated crate (linkerd/linkerd2-proxy#1307)
* Fix an infinite loop when downgrading HTTP/2 errors (linkerd/linkerd2-proxy#1318)
The `proxy-identity` crate currently depends on the `linkerd-tls-rustls` crate, as do the various `app` crates. In followup changes, these crates will be further decoupled from the rustls types.