Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Split cryptographic dependencies into a dedicated crate #1307

Merged
merged 34 commits into from
Oct 18, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
34 commits
Select commit Hold shift + click to select a range
bc679c1
wip
olix0r Oct 8, 2021
97f4f21
Merge branch 'main' into ver/tls-connect-generic
olix0r Oct 8, 2021
9baee40
Decouple TLS client from rustls
olix0r Oct 10, 2021
075ce6d
wip:server
olix0r Oct 10, 2021
e6b36c0
factor out server TLS as well
olix0r Oct 10, 2021
77345e5
Split rustls into its own module
olix0r Oct 10, 2021
3ae896e
fix client ALPN
olix0r Oct 12, 2021
7926c08
-needless checks
olix0r Oct 16, 2021
ae94c6a
Drop rustls dependency from io
olix0r Oct 16, 2021
54d40d7
Implement deref for ID types
olix0r Oct 16, 2021
960ad0d
semicolon
olix0r Oct 16, 2021
3ef9c5c
move credential types to rustls crate
olix0r Oct 16, 2021
003bf42
Move identity::TokenSource to proxy::identity
olix0r Oct 16, 2021
f53671a
Remove webpki/ring from dns::Name
olix0r Oct 16, 2021
117dced
Remove webpki from linkerd-tls
olix0r Oct 16, 2021
a333817
Merge branch 'main' into ver/tls-rustls-split
olix0r Oct 17, 2021
058cda3
back out unnecessary change
olix0r Oct 17, 2021
aea2d5c
fixup type alias
olix0r Oct 17, 2021
f5e8c64
drop unused patch
olix0r Oct 17, 2021
05c2be8
restore comments
olix0r Oct 17, 2021
4c1f719
needless change
olix0r Oct 17, 2021
c28a124
Move Csr to proxy-identity
olix0r Oct 17, 2021
5b91cb7
Split cryptographic dependencies into a dedicated crate
olix0r Oct 17, 2021
dd198fe
unused code
olix0r Oct 17, 2021
94dd975
Revert "unused code"
olix0r Oct 17, 2021
9efd9c8
fix feature flagging on TrustAnchors::empty
olix0r Oct 17, 2021
491e0ba
fixups for nightly
olix0r Oct 17, 2021
efa8420
fix feature flagging for inbound fuzzer
olix0r Oct 17, 2021
e18578b
Merge branch 'main' into ver/tls-rustls-split
olix0r Oct 18, 2021
b5cf662
drop unneeded deps
olix0r Oct 18, 2021
8d7d70b
drop unneeded deps
olix0r Oct 18, 2021
ffb8c09
tidy imports
olix0r Oct 18, 2021
4335c43
publish = false
olix0r Oct 18, 2021
bb3d11d
inline
olix0r Oct 18, 2021
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 20 additions & 8 deletions Cargo.lock
Original file line number Diff line number Diff line change
Expand Up @@ -689,6 +689,7 @@ dependencies = [
"linkerd-stack-tracing",
"linkerd-system",
"linkerd-tls",
"linkerd-tls-rustls",
"linkerd-trace-context",
"linkerd-tracing",
"linkerd-transport-header",
Expand Down Expand Up @@ -991,12 +992,6 @@ name = "linkerd-identity"
version = "0.1.0"
dependencies = [
"linkerd-dns-name",
"ring",
"thiserror",
"tokio-rustls",
"tracing",
"untrusted",
"webpki",
]

[[package]]
Expand All @@ -1009,7 +1004,6 @@ dependencies = [
"linkerd-errno",
"pin-project",
"tokio",
"tokio-rustls",
"tokio-test",
"tokio-util",
]
Expand Down Expand Up @@ -1152,6 +1146,7 @@ dependencies = [
"linkerd-metrics",
"linkerd-stack",
"linkerd-tls",
"linkerd-tls-rustls",
"linkerd2-proxy-api",
"pin-project",
"thiserror",
Expand Down Expand Up @@ -1189,6 +1184,7 @@ dependencies = [
"linkerd-proxy-transport",
"linkerd-stack",
"linkerd-tls",
"linkerd-tls-rustls",
"linkerd2-proxy-api",
"parking_lot",
"pin-project",
Expand Down Expand Up @@ -1364,13 +1360,29 @@ dependencies = [
"linkerd-io",
"linkerd-proxy-transport",
"linkerd-stack",
"linkerd-tls-rustls",
"linkerd-tracing",
"pin-project",
"thiserror",
"tokio",
"tokio-rustls",
"tower",
"tracing",
"untrusted",
]

[[package]]
name = "linkerd-tls-rustls"
version = "0.1.0"
dependencies = [
"futures",
"linkerd-identity",
"linkerd-io",
"linkerd-stack",
"linkerd-tls",
"ring",
"thiserror",
"tokio-rustls",
"tracing",
"webpki",
]

Expand Down
1 change: 1 addition & 0 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@ members = [
"linkerd/system",
"linkerd/tonic-watch",
"linkerd/tls",
"linkerd/tls/rustls",
"linkerd/tracing",
"linkerd/transport-header",
"linkerd/transport-metrics",
Expand Down
3 changes: 2 additions & 1 deletion linkerd/app/admin/src/stack.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,9 @@ use linkerd_app_core::{
classify,
config::ServerConfig,
detect, drain, errors,
identity::LocalCrtKey,
metrics::{self, FmtMetrics},
proxy::{http, identity::LocalCrtKey},
proxy::http,
serve,
svc::{self, ExtractParam, InsertParam, Param},
tls, trace,
Expand Down
1 change: 1 addition & 0 deletions linkerd/app/core/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@ linkerd-tracing = { path = "../../tracing" }
linkerd-transport-header = { path = "../../transport-header" }
linkerd-transport-metrics = { path = "../../transport-metrics" }
linkerd-tls = { path = "../../tls" }
linkerd-tls-rustls = { path = "../../tls/rustls" }
linkerd-trace-context = { path = "../../trace-context" }
regex = "1.5.4"
serde_json = "1"
Expand Down
3 changes: 2 additions & 1 deletion linkerd/app/core/src/control.rs
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,8 @@ impl Config {
> + Clone,
>
where
L: Clone + svc::Param<tls::client::Config> + Send + Sync + 'static,
L: svc::NewService<tls::ClientTls, Service = linkerd_tls_rustls::Connect>,
L: Clone + Send + Sync + 'static,
{
let addr = self.addr;

Expand Down
5 changes: 3 additions & 2 deletions linkerd/app/core/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -20,13 +20,14 @@ pub use linkerd_dns;
pub use linkerd_error::{is_error, Error, Infallible, Recover, Result};
pub use linkerd_exp_backoff as exp_backoff;
pub use linkerd_http_metrics as http_metrics;
pub use linkerd_identity as identity;
pub use linkerd_io as io;
pub use linkerd_opencensus as opencensus;
pub use linkerd_proxy_identity as identity;
pub use linkerd_service_profiles as profiles;
pub use linkerd_stack_metrics as stack_metrics;
pub use linkerd_stack_tracing as stack_tracing;
pub use linkerd_tls as tls;
pub use linkerd_tls_rustls as rustls;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

take it or leave it, but i'm kind of on the fence about reexporting this as rustls? it seems like it's kind of unclear in downstream code whether imports from this module are library APIs or our code, which could be confusing to future readers?

not a b locker either way though.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I expect this to change in a followup

pub use linkerd_tracing as trace;
pub use linkerd_transport_header as transport_header;

Expand Down Expand Up @@ -56,7 +57,7 @@ const DEFAULT_PORT: u16 = 80;

#[derive(Clone, Debug)]
pub struct ProxyRuntime {
pub identity: proxy::identity::LocalCrtKey,
pub identity: identity::LocalCrtKey,
pub metrics: metrics::Proxy,
pub tap: proxy::tap::Registry,
pub span_sink: http_tracing::OpenCensusSink,
Expand Down
1 change: 0 additions & 1 deletion linkerd/app/core/src/proxy/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ pub use linkerd_proxy_core as core;
pub use linkerd_proxy_discover as discover;
pub use linkerd_proxy_dns_resolve as dns_resolve;
pub use linkerd_proxy_http as http;
pub use linkerd_proxy_identity as identity;
pub use linkerd_proxy_resolve as resolve;
pub use linkerd_proxy_tap as tap;
pub use linkerd_proxy_tcp as tcp;
4 changes: 2 additions & 2 deletions linkerd/app/inbound/fuzz/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -11,15 +11,15 @@ cargo-fuzz = true

[target.'cfg(fuzzing)'.dependencies]
arbitrary = { version = "1", features = ["derive"] }
libfuzzer-sys = { version = "0.4.2", features = ["arbitrary-derive"] }
tokio = { version = "1", features = ["full"] }
hyper = { version = "0.14.9", features = ["http1", "http2"] }
http = "0.2"
libfuzzer-sys = { version = "0.4.2", features = ["arbitrary-derive"] }
linkerd-app-core = { path = "../../core" }
linkerd-app-inbound = { path = ".." }
linkerd-app-test = { path = "../../test" }
linkerd-proxy-identity = { path = "../../../proxy/identity", features = ["test-util"] }
linkerd-tracing = { path = "../../../tracing", features = ["ansi"] }
tokio = { version = "1", features = ["full"] }
tracing = "0.1"

# Prevent this from interfering with workspaces
Expand Down
24 changes: 14 additions & 10 deletions linkerd/app/inbound/src/detect.rs
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,8 @@ use crate::{
};
use linkerd_app_core::{
detect, identity, io,
proxy::{http, identity::LocalCrtKey},
svc, tls,
proxy::http,
rustls, svc, tls,
transport::{
self,
addrs::{ClientAddr, OrigDstAddr, Remote},
Expand Down Expand Up @@ -50,9 +50,11 @@ struct ConfigureHttpDetect;
#[derive(Clone)]
struct TlsParams {
timeout: tls::server::Timeout,
identity: LocalCrtKey,
identity: identity::LocalCrtKey,
}

type TlsIo<I> = tls::server::Io<rustls::ServerIo<tls::server::DetectIo<I>>, I>;

// === impl Inbound ===

impl<N> Inbound<N> {
Expand Down Expand Up @@ -92,7 +94,7 @@ impl<N> Inbound<N> {
I: Debug + Send + Sync + Unpin + 'static,
N: svc::NewService<Tls, Service = NSvc>,
N: Clone + Send + Sync + Unpin + 'static,
NSvc: svc::Service<tls::server::Io<I>, Response = ()>,
NSvc: svc::Service<TlsIo<I>, Response = ()>,
NSvc: Send + Unpin + 'static,
NSvc::Error: Into<Error>,
NSvc::Future: Send,
Expand Down Expand Up @@ -135,10 +137,12 @@ impl<N> Inbound<N> {
.push_on_service(svc::MapTargetLayer::new(io::BoxedIo::new))
.into_inner(),
)
.push(tls::NewDetectTls::<LocalCrtKey, _, _>::layer(TlsParams {
timeout: tls::server::Timeout(detect_timeout),
identity: rt.identity.clone(),
}))
.push(tls::NewDetectTls::<identity::LocalCrtKey, _, _>::layer(
TlsParams {
timeout: tls::server::Timeout(detect_timeout),
identity: rt.identity.clone(),
},
))
.push_switch(
// If this port's policy indicates that authentication is not required and
// detection should be skipped, use the TCP stack directly.
Expand Down Expand Up @@ -425,9 +429,9 @@ impl<T> svc::ExtractParam<tls::server::Timeout, T> for TlsParams {
}
}

impl<T> svc::ExtractParam<LocalCrtKey, T> for TlsParams {
impl<T> svc::ExtractParam<identity::LocalCrtKey, T> for TlsParams {
#[inline]
fn extract_param(&self, _: &T) -> LocalCrtKey {
fn extract_param(&self, _: &T) -> identity::LocalCrtKey {
self.identity.clone()
}
}
Expand Down
68 changes: 41 additions & 27 deletions linkerd/app/inbound/src/direct.rs
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
use crate::{policy, Inbound};
use linkerd_app_core::{
io,
proxy::identity::LocalCrtKey,
identity::LocalCrtKey,
io, rustls,
svc::{self, ExtractParam, InsertParam, Param},
tls,
transport::{self, metrics::SensorIo, ClientAddr, OrigDstAddr, Remote, ServerAddr},
transport_header::{self, NewTransportHeaderServer, SessionProtocol, TransportHeader},
Conditional, Error, NameAddr, Result,
};
use std::{convert::TryFrom, fmt::Debug};
use std::{convert::TryFrom, fmt::Debug, task};
use thiserror::Error;
use tracing::{debug_span, info_span};

Expand Down Expand Up @@ -52,8 +52,9 @@ pub struct ClientInfo {
pub local_addr: OrigDstAddr,
}

type FwdIo<I> = SensorIo<io::PrefixedIo<tls::server::Io<I>>>;
pub type GatewayIo<I> = io::EitherIo<FwdIo<I>, SensorIo<tls::server::Io<I>>>;
type TlsIo<I> = tls::server::Io<rustls::ServerIo<tls::server::DetectIo<I>>, I>;
type FwdIo<I> = SensorIo<io::PrefixedIo<TlsIo<I>>>;
pub type GatewayIo<I> = io::EitherIo<FwdIo<I>, SensorIo<TlsIo<I>>>;

#[derive(Clone)]
struct TlsParams {
Expand Down Expand Up @@ -102,7 +103,6 @@ impl<N> Inbound<N> {
rt.metrics.proxy.transport.clone(),
))
.instrument(|_: &_| debug_span!("opaque"))
.check_new_service::<Local, _>()
// When the transport header is present, it may be used for either local TCP
// forwarding, or we may be processing an HTTP gateway connection. HTTP gateway
// connections that have a transport header must provide a target name as a part of
Expand All @@ -129,8 +129,13 @@ impl<N> Inbound<N> {
negotiated_protocol: client.alpn,
},
);
let permit = allow.check_authorized(client.client_addr, &tls)?;
Ok(svc::Either::A(Local { addr: Remote(ServerAddr(addr)), permit, client_id: client.client_id, }))
let permit =
allow.check_authorized(client.client_addr, &tls)?;
Ok(svc::Either::A(Local {
addr: Remote(ServerAddr(addr)),
permit,
client_id: client.client_id,
}))
Comment on lines +132 to +138
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it took me a min to realize that this (and some of the other code in this file) was not actually changed, and rustfmt just changed its mind about which line to wrap at or something. :/

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure why but rustfmt was just ignoring this whole stack before and something changed and now it wants to format it all

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wacky!

}
TransportHeader {
port,
Expand Down Expand Up @@ -167,30 +172,27 @@ impl<N> Inbound<N> {
.instrument(
|g: &GatewayTransportHeader| info_span!("gateway", dst = %g.target),
)
.check_new_service::<GatewayTransportHeader, io::PrefixedIo<tls::server::Io<I>>>()
.into_inner(),
)
// Use ALPN to determine whether a transport header should be read.
.push(NewTransportHeaderServer::layer(detect_timeout))
.push_request_filter(
|client: ClientInfo| -> Result<_> {
if client.header_negotiated() {
Ok(client)
} else {
Err(RefusedNoTarget.into())
}
},
)
.check_new_service::<ClientInfo, tls::server::Io<I>>()
.push_request_filter(|client: ClientInfo| -> Result<_> {
if client.header_negotiated() {
Ok(client)
} else {
Err(RefusedNoTarget.into())
}
})
// Build a ClientInfo target for each accepted connection. Refuse the
// connection if it doesn't include an mTLS identity.
.push_request_filter(ClientInfo::try_from)
.push(svc::ArcNewService::layer())
.push(tls::NewDetectTls::<WithTransportHeaderAlpn, _, _>::layer(TlsParams {
timeout: tls::server::Timeout(detect_timeout),
identity: WithTransportHeaderAlpn(rt.identity.clone()),
}))
.check_new_service::<T, I>()
.push(tls::NewDetectTls::<WithTransportHeaderAlpn, _, _>::layer(
TlsParams {
timeout: tls::server::Timeout(detect_timeout),
identity: WithTransportHeaderAlpn(rt.identity.clone()),
},
))
.push_on_service(svc::BoxService::layer())
.push(svc::ArcNewService::layer())
})
Expand Down Expand Up @@ -293,8 +295,20 @@ impl Param<tls::ConditionalServerTls> for GatewayTransportHeader {

// === impl WithTransportHeaderAlpn ===

impl svc::Param<tls::server::Config> for WithTransportHeaderAlpn {
fn param(&self) -> tls::server::Config {
impl<I> svc::Service<I> for WithTransportHeaderAlpn
where
I: io::AsyncRead + io::AsyncWrite + Send + Unpin,
{
type Response = (tls::ServerTls, rustls::ServerIo<I>);
type Error = io::Error;
type Future = rustls::TerminateFuture<I>;

#[inline]
fn poll_ready(&mut self, _: &mut task::Context<'_>) -> task::Poll<Result<(), io::Error>> {
task::Poll::Ready(Ok(()))
}

fn call(&mut self, io: I) -> Self::Future {
// Copy the underlying TLS config and set an ALPN value.
//
// TODO: Avoid cloning the server config for every connection. It would
Expand All @@ -304,7 +318,7 @@ impl svc::Param<tls::server::Config> for WithTransportHeaderAlpn {
config
.alpn_protocols
.push(transport_header::PROTOCOL.into());
config.into()
rustls::terminate(config.into(), io)
}
}

Expand Down
4 changes: 2 additions & 2 deletions linkerd/app/inbound/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -21,9 +21,9 @@ use linkerd_app_core::{
config::{ConnectConfig, ProxyConfig},
drain,
http_tracing::OpenCensusSink,
identity::LocalCrtKey,
io,
proxy::tcp,
proxy::{identity::LocalCrtKey, tap},
proxy::{tap, tcp},
svc,
transport::{self, Remote, ServerAddr},
Error, NameMatch, ProxyRuntime,
Expand Down
2 changes: 1 addition & 1 deletion linkerd/app/inbound/src/policy/config.rs
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
use super::{discover::Discover, DefaultPolicy, ServerPolicy, Store};
use linkerd_app_core::{control, dns, metrics, proxy::identity::LocalCrtKey, svc::NewService};
use linkerd_app_core::{control, dns, identity::LocalCrtKey, metrics, svc::NewService};
use std::collections::{HashMap, HashSet};

/// Configures inbound policies.
Expand Down
5 changes: 3 additions & 2 deletions linkerd/app/inbound/src/test_util.rs
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,11 @@ pub use futures::prelude::*;
use linkerd_app_core::{
config,
dns::Suffix,
drain, exp_backoff, metrics,
drain, exp_backoff,
identity::LocalCrtKey,
metrics,
proxy::{
http::{h1, h2},
identity::LocalCrtKey,
tap,
},
transport::{Keepalive, ListenAddr},
Expand Down
Loading