2024-01-01 14:58:21 -05:00
|
|
|
// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
|
2020-09-05 20:34:02 -04:00
|
|
|
|
2021-06-28 19:43:03 -04:00
|
|
|
use crate::io::TcpStreamResource;
|
|
|
|
|
use crate::ops::IpAddr;
|
2021-11-26 13:59:53 -05:00
|
|
|
use crate::ops::TlsHandshakeInfo;
|
2024-04-08 18:18:14 -04:00
|
|
|
use crate::raw::NetworkListenerResource;
|
2019-09-23 14:40:38 -04:00
|
|
|
use crate::resolve_addr::resolve_addr;
|
2020-12-15 07:02:26 -05:00
|
|
|
use crate::resolve_addr::resolve_addr_sync;
|
2024-04-08 18:18:14 -04:00
|
|
|
use crate::tcp::TcpListener;
|
2021-07-22 06:28:46 -04:00
|
|
|
use crate::DefaultTlsOptions;
|
2021-06-28 19:43:03 -04:00
|
|
|
use crate::NetPermissions;
|
2021-08-10 07:19:45 -04:00
|
|
|
use crate::UnsafelyIgnoreCertificateErrors;
|
2024-04-18 13:21:08 -04:00
|
|
|
use deno_core::anyhow::anyhow;
|
2020-09-14 12:48:57 -04:00
|
|
|
use deno_core::error::bad_resource;
|
|
|
|
|
use deno_core::error::custom_error;
|
2020-12-29 20:19:28 -05:00
|
|
|
use deno_core::error::generic_error;
|
2021-04-26 15:39:55 -04:00
|
|
|
use deno_core::error::invalid_hostname;
|
2020-09-14 12:48:57 -04:00
|
|
|
use deno_core::error::AnyError;
|
2023-09-12 09:39:21 -04:00
|
|
|
use deno_core::op2;
|
2024-04-08 17:01:02 -04:00
|
|
|
use deno_core::v8;
|
2020-12-16 11:14:12 -05:00
|
|
|
use deno_core::AsyncRefCell;
|
2021-11-09 13:26:17 -05:00
|
|
|
use deno_core::AsyncResult;
|
2020-12-16 11:14:12 -05:00
|
|
|
use deno_core::CancelHandle;
|
|
|
|
|
use deno_core::CancelTryFuture;
|
2020-09-10 09:57:45 -04:00
|
|
|
use deno_core::OpState;
|
2020-12-16 11:14:12 -05:00
|
|
|
use deno_core::RcRef;
|
|
|
|
|
use deno_core::Resource;
|
2021-03-19 13:25:37 -04:00
|
|
|
use deno_core::ResourceId;
|
2021-08-07 08:49:38 -04:00
|
|
|
use deno_tls::create_client_config;
|
2021-08-25 08:25:12 -04:00
|
|
|
use deno_tls::load_certs;
|
|
|
|
|
use deno_tls::load_private_keys;
|
2021-08-07 08:49:38 -04:00
|
|
|
use deno_tls::rustls::Certificate;
|
|
|
|
|
use deno_tls::rustls::PrivateKey;
|
|
|
|
|
use deno_tls::rustls::ServerConfig;
|
2021-12-06 18:48:11 -05:00
|
|
|
use deno_tls::rustls::ServerName;
|
2023-11-01 17:11:01 -04:00
|
|
|
use deno_tls::SocketUse;
|
2024-04-08 17:01:02 -04:00
|
|
|
use deno_tls::TlsKey;
|
|
|
|
|
use deno_tls::TlsKeys;
|
2023-11-15 18:12:46 -05:00
|
|
|
use rustls_tokio_stream::TlsStreamRead;
|
|
|
|
|
use rustls_tokio_stream::TlsStreamWrite;
|
2020-09-16 12:43:08 -04:00
|
|
|
use serde::Deserialize;
|
2020-12-16 11:14:12 -05:00
|
|
|
use std::borrow::Cow;
|
2020-09-10 09:57:45 -04:00
|
|
|
use std::cell::RefCell;
|
2019-09-23 14:40:38 -04:00
|
|
|
use std::convert::From;
|
2021-12-06 18:48:11 -05:00
|
|
|
use std::convert::TryFrom;
|
2019-10-21 14:38:28 -04:00
|
|
|
use std::fs::File;
|
|
|
|
|
use std::io::BufReader;
|
2021-05-10 19:49:57 -04:00
|
|
|
use std::io::ErrorKind;
|
2024-04-08 17:01:02 -04:00
|
|
|
use std::io::Read;
|
2024-04-08 18:18:14 -04:00
|
|
|
use std::net::SocketAddr;
|
2023-11-15 18:12:46 -05:00
|
|
|
use std::num::NonZeroUsize;
|
2020-01-20 09:45:44 -05:00
|
|
|
use std::path::Path;
|
2020-08-18 12:30:13 -04:00
|
|
|
use std::rc::Rc;
|
2019-09-23 14:40:38 -04:00
|
|
|
use std::sync::Arc;
|
2021-10-19 19:30:04 -04:00
|
|
|
use tokio::io::AsyncReadExt;
|
|
|
|
|
use tokio::io::AsyncWriteExt;
|
2019-09-23 14:40:38 -04:00
|
|
|
use tokio::net::TcpStream;
|
2021-01-12 19:22:33 -05:00
|
|
|
|
2023-11-15 18:12:46 -05:00
|
|
|
pub use rustls_tokio_stream::TlsStream;
|
2021-05-10 19:49:57 -04:00
|
|
|
|
2023-11-15 18:12:46 -05:00
|
|
|
pub(crate) const TLS_BUFFER_SIZE: Option<NonZeroUsize> =
|
|
|
|
|
NonZeroUsize::new(65536);
|
2021-05-10 19:49:57 -04:00
|
|
|
|
2024-04-08 18:18:14 -04:00
|
|
|
pub struct TlsListener {
|
|
|
|
|
pub(crate) tcp_listener: TcpListener,
|
|
|
|
|
pub(crate) tls_config: Arc<ServerConfig>,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl TlsListener {
|
|
|
|
|
pub async fn accept(&self) -> std::io::Result<(TlsStream, SocketAddr)> {
|
|
|
|
|
let (tcp, addr) = self.tcp_listener.accept().await?;
|
|
|
|
|
let tls =
|
|
|
|
|
TlsStream::new_server_side(tcp, self.tls_config.clone(), TLS_BUFFER_SIZE);
|
|
|
|
|
Ok((tls, addr))
|
|
|
|
|
}
|
|
|
|
|
pub fn local_addr(&self) -> std::io::Result<SocketAddr> {
|
|
|
|
|
self.tcp_listener.local_addr()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-19 19:30:04 -04:00
|
|
|
#[derive(Debug)]
|
|
|
|
|
pub struct TlsStreamResource {
|
2023-11-15 18:12:46 -05:00
|
|
|
rd: AsyncRefCell<TlsStreamRead>,
|
|
|
|
|
wr: AsyncRefCell<TlsStreamWrite>,
|
2021-11-26 13:59:53 -05:00
|
|
|
// `None` when a TLS handshake hasn't been done.
|
|
|
|
|
handshake_info: RefCell<Option<TlsHandshakeInfo>>,
|
2021-10-19 19:30:04 -04:00
|
|
|
cancel_handle: CancelHandle, // Only read and handshake ops get canceled.
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl TlsStreamResource {
|
2023-11-15 18:12:46 -05:00
|
|
|
pub fn new((rd, wr): (TlsStreamRead, TlsStreamWrite)) -> Self {
|
2021-10-19 19:30:04 -04:00
|
|
|
Self {
|
|
|
|
|
rd: rd.into(),
|
|
|
|
|
wr: wr.into(),
|
2021-11-26 13:59:53 -05:00
|
|
|
handshake_info: RefCell::new(None),
|
2021-10-19 19:30:04 -04:00
|
|
|
cancel_handle: Default::default(),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-15 18:12:46 -05:00
|
|
|
pub fn into_inner(self) -> (TlsStreamRead, TlsStreamWrite) {
|
2021-10-19 19:30:04 -04:00
|
|
|
(self.rd.into_inner(), self.wr.into_inner())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub async fn read(
|
2021-11-09 13:26:17 -05:00
|
|
|
self: Rc<Self>,
|
2022-10-09 10:49:25 -04:00
|
|
|
data: &mut [u8],
|
|
|
|
|
) -> Result<usize, AnyError> {
|
2021-11-09 13:26:17 -05:00
|
|
|
let mut rd = RcRef::map(&self, |r| &r.rd).borrow_mut().await;
|
|
|
|
|
let cancel_handle = RcRef::map(&self, |r| &r.cancel_handle);
|
2023-11-15 18:12:46 -05:00
|
|
|
Ok(rd.read(data).try_or_cancel(cancel_handle).await?)
|
2021-10-19 19:30:04 -04:00
|
|
|
}
|
|
|
|
|
|
2022-10-09 10:49:25 -04:00
|
|
|
pub async fn write(self: Rc<Self>, data: &[u8]) -> Result<usize, AnyError> {
|
2021-10-19 19:30:04 -04:00
|
|
|
let mut wr = RcRef::map(self, |r| &r.wr).borrow_mut().await;
|
2022-10-09 10:49:25 -04:00
|
|
|
let nwritten = wr.write(data).await?;
|
2021-10-19 19:30:04 -04:00
|
|
|
wr.flush().await?;
|
|
|
|
|
Ok(nwritten)
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-09 13:26:17 -05:00
|
|
|
pub async fn shutdown(self: Rc<Self>) -> Result<(), AnyError> {
|
2021-10-19 19:30:04 -04:00
|
|
|
let mut wr = RcRef::map(self, |r| &r.wr).borrow_mut().await;
|
|
|
|
|
wr.shutdown().await?;
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-26 13:59:53 -05:00
|
|
|
pub async fn handshake(
|
|
|
|
|
self: &Rc<Self>,
|
|
|
|
|
) -> Result<TlsHandshakeInfo, AnyError> {
|
|
|
|
|
if let Some(tls_info) = &*self.handshake_info.borrow() {
|
|
|
|
|
return Ok(tls_info.clone());
|
2021-10-19 19:30:04 -04:00
|
|
|
}
|
2021-11-26 13:59:53 -05:00
|
|
|
|
|
|
|
|
let mut wr = RcRef::map(self, |r| &r.wr).borrow_mut().await;
|
|
|
|
|
let cancel_handle = RcRef::map(self, |r| &r.cancel_handle);
|
2023-11-15 18:12:46 -05:00
|
|
|
let handshake = wr.handshake().try_or_cancel(cancel_handle).await?;
|
2021-11-26 13:59:53 -05:00
|
|
|
|
2023-11-15 18:12:46 -05:00
|
|
|
let alpn_protocol = handshake.alpn.map(|alpn| alpn.into());
|
2021-11-26 13:59:53 -05:00
|
|
|
let tls_info = TlsHandshakeInfo { alpn_protocol };
|
|
|
|
|
self.handshake_info.replace(Some(tls_info.clone()));
|
|
|
|
|
Ok(tls_info)
|
2021-10-19 19:30:04 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Resource for TlsStreamResource {
|
2022-10-09 10:49:25 -04:00
|
|
|
deno_core::impl_readable_byob!();
|
|
|
|
|
deno_core::impl_writable!();
|
|
|
|
|
|
2021-10-19 19:30:04 -04:00
|
|
|
fn name(&self) -> Cow<str> {
|
|
|
|
|
"tlsStream".into()
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-09 13:26:17 -05:00
|
|
|
fn shutdown(self: Rc<Self>) -> AsyncResult<()> {
|
|
|
|
|
Box::pin(self.shutdown())
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-19 19:30:04 -04:00
|
|
|
fn close(self: Rc<Self>) {
|
|
|
|
|
self.cancel_handle.cancel();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-23 14:40:38 -04:00
|
|
|
#[derive(Deserialize)]
|
2019-10-21 14:38:28 -04:00
|
|
|
#[serde(rename_all = "camelCase")]
|
2021-03-25 14:17:37 -04:00
|
|
|
pub struct ConnectTlsArgs {
|
2019-10-21 14:38:28 -04:00
|
|
|
cert_file: Option<String>,
|
2021-09-30 03:26:15 -04:00
|
|
|
ca_certs: Vec<String>,
|
2021-11-26 13:59:53 -05:00
|
|
|
alpn_protocols: Option<Vec<String>>,
|
2019-10-13 10:37:37 -04:00
|
|
|
}
|
2019-09-23 14:40:38 -04:00
|
|
|
|
2020-04-18 11:21:20 -04:00
|
|
|
#[derive(Deserialize)]
|
|
|
|
|
#[serde(rename_all = "camelCase")]
|
2021-11-08 20:07:12 -05:00
|
|
|
pub struct StartTlsArgs {
|
2021-03-19 13:25:37 -04:00
|
|
|
rid: ResourceId,
|
2021-09-30 03:26:15 -04:00
|
|
|
ca_certs: Vec<String>,
|
2020-04-18 11:21:20 -04:00
|
|
|
hostname: String,
|
2021-11-26 13:59:53 -05:00
|
|
|
alpn_protocols: Option<Vec<String>>,
|
2020-04-18 11:21:20 -04:00
|
|
|
}
|
|
|
|
|
|
2024-04-08 17:01:02 -04:00
|
|
|
#[op2]
|
|
|
|
|
pub fn op_tls_key_null<'s>(
|
|
|
|
|
scope: &mut v8::HandleScope<'s>,
|
|
|
|
|
) -> Result<v8::Local<'s, v8::Object>, AnyError> {
|
|
|
|
|
Ok(deno_core::cppgc::make_cppgc_object(scope, TlsKeys::Null))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[op2]
|
|
|
|
|
pub fn op_tls_key_static<'s>(
|
|
|
|
|
scope: &mut v8::HandleScope<'s>,
|
|
|
|
|
#[string] cert: String,
|
|
|
|
|
#[string] key: String,
|
|
|
|
|
) -> Result<v8::Local<'s, v8::Object>, AnyError> {
|
|
|
|
|
let cert = load_certs(&mut BufReader::new(cert.as_bytes()))?;
|
|
|
|
|
let key = load_private_keys(key.as_bytes())?
|
|
|
|
|
.into_iter()
|
|
|
|
|
.next()
|
|
|
|
|
.unwrap();
|
|
|
|
|
Ok(deno_core::cppgc::make_cppgc_object(
|
|
|
|
|
scope,
|
|
|
|
|
TlsKeys::Static(TlsKey(cert, key)),
|
|
|
|
|
))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Legacy op -- will be removed in Deno 2.0.
|
|
|
|
|
#[op2]
|
|
|
|
|
pub fn op_tls_key_static_from_file<'s, NP>(
|
|
|
|
|
state: &mut OpState,
|
|
|
|
|
scope: &mut v8::HandleScope<'s>,
|
|
|
|
|
#[string] api: String,
|
|
|
|
|
#[string] cert_file: String,
|
|
|
|
|
#[string] key_file: String,
|
|
|
|
|
) -> Result<v8::Local<'s, v8::Object>, AnyError>
|
|
|
|
|
where
|
|
|
|
|
NP: NetPermissions + 'static,
|
|
|
|
|
{
|
|
|
|
|
{
|
|
|
|
|
let permissions = state.borrow_mut::<NP>();
|
|
|
|
|
permissions.check_read(Path::new(&cert_file), &api)?;
|
|
|
|
|
permissions.check_read(Path::new(&key_file), &api)?;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let cert = load_certs_from_file(&cert_file)?;
|
|
|
|
|
let key = load_private_keys_from_file(&key_file)?
|
|
|
|
|
.into_iter()
|
|
|
|
|
.next()
|
|
|
|
|
.unwrap();
|
|
|
|
|
Ok(deno_core::cppgc::make_cppgc_object(
|
|
|
|
|
scope,
|
|
|
|
|
TlsKeys::Static(TlsKey(cert, key)),
|
|
|
|
|
))
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-11 23:48:00 -04:00
|
|
|
#[op2]
|
2023-09-12 09:39:21 -04:00
|
|
|
#[serde]
|
2024-03-11 23:48:00 -04:00
|
|
|
pub fn op_tls_start<NP>(
|
2020-09-10 09:57:45 -04:00
|
|
|
state: Rc<RefCell<OpState>>,
|
2023-09-12 09:39:21 -04:00
|
|
|
#[serde] args: StartTlsArgs,
|
2022-10-25 16:50:55 -04:00
|
|
|
) -> Result<(ResourceId, IpAddr, IpAddr), AnyError>
|
2021-06-28 19:43:03 -04:00
|
|
|
where
|
|
|
|
|
NP: NetPermissions + 'static,
|
|
|
|
|
{
|
2021-03-18 20:55:31 -04:00
|
|
|
let rid = args.rid;
|
2021-05-10 19:49:57 -04:00
|
|
|
let hostname = match &*args.hostname {
|
|
|
|
|
"" => "localhost",
|
|
|
|
|
n => n,
|
|
|
|
|
};
|
2021-10-29 11:13:31 -04:00
|
|
|
|
2020-09-10 09:57:45 -04:00
|
|
|
{
|
2021-04-11 22:15:43 -04:00
|
|
|
let mut s = state.borrow_mut();
|
2021-06-28 19:43:03 -04:00
|
|
|
let permissions = s.borrow_mut::<NP>();
|
2022-09-27 16:36:33 -04:00
|
|
|
permissions.check_net(&(hostname, Some(0)), "Deno.startTls()")?;
|
2020-04-28 12:01:13 -04:00
|
|
|
}
|
2020-04-18 11:21:20 -04:00
|
|
|
|
2021-10-29 11:13:31 -04:00
|
|
|
let ca_certs = args
|
2021-09-30 03:26:15 -04:00
|
|
|
.ca_certs
|
|
|
|
|
.into_iter()
|
|
|
|
|
.map(|s| s.into_bytes())
|
|
|
|
|
.collect::<Vec<_>>();
|
|
|
|
|
|
2021-12-06 18:48:11 -05:00
|
|
|
let hostname_dns =
|
|
|
|
|
ServerName::try_from(hostname).map_err(|_| invalid_hostname(hostname))?;
|
2021-05-10 19:49:57 -04:00
|
|
|
|
2021-08-10 08:19:42 -04:00
|
|
|
let unsafely_ignore_certificate_errors = state
|
|
|
|
|
.borrow()
|
2021-09-22 05:12:08 -04:00
|
|
|
.try_borrow::<UnsafelyIgnoreCertificateErrors>()
|
|
|
|
|
.and_then(|it| it.0.clone());
|
2021-08-10 08:19:42 -04:00
|
|
|
|
2021-08-07 08:49:38 -04:00
|
|
|
let root_cert_store = state
|
|
|
|
|
.borrow()
|
|
|
|
|
.borrow::<DefaultTlsOptions>()
|
2023-05-01 16:42:05 -04:00
|
|
|
.root_cert_store()?;
|
2022-10-17 22:28:27 -04:00
|
|
|
|
2020-12-16 11:14:12 -05:00
|
|
|
let resource_rc = state
|
|
|
|
|
.borrow_mut()
|
|
|
|
|
.resource_table
|
2021-08-15 07:29:19 -04:00
|
|
|
.take::<TcpStreamResource>(rid)?;
|
2022-10-17 22:28:27 -04:00
|
|
|
// This TCP connection might be used somewhere else. If it's the case, we cannot proceed with the
|
|
|
|
|
// process of starting a TLS connection on top of this TCP connection, so we just return a bad
|
|
|
|
|
// resource error. See also: https://github.com/denoland/deno/pull/16242
|
2020-12-16 11:14:12 -05:00
|
|
|
let resource = Rc::try_unwrap(resource_rc)
|
2022-10-17 22:28:27 -04:00
|
|
|
.map_err(|_| bad_resource("TCP stream is currently in use"))?;
|
2020-12-16 11:14:12 -05:00
|
|
|
let (read_half, write_half) = resource.into_inner();
|
|
|
|
|
let tcp_stream = read_half.reunite(write_half)?;
|
2020-08-28 11:08:24 -04:00
|
|
|
|
2020-12-16 11:14:12 -05:00
|
|
|
let local_addr = tcp_stream.local_addr()?;
|
|
|
|
|
let remote_addr = tcp_stream.peer_addr()?;
|
2021-05-10 19:49:57 -04:00
|
|
|
|
2021-11-26 13:59:53 -05:00
|
|
|
let mut tls_config = create_client_config(
|
2021-08-10 08:19:42 -04:00
|
|
|
root_cert_store,
|
2021-09-30 03:26:15 -04:00
|
|
|
ca_certs,
|
2021-08-10 08:19:42 -04:00
|
|
|
unsafely_ignore_certificate_errors,
|
2021-12-01 11:13:11 -05:00
|
|
|
None,
|
2023-11-01 17:11:01 -04:00
|
|
|
SocketUse::GeneralSsl,
|
2021-11-26 13:59:53 -05:00
|
|
|
)?;
|
|
|
|
|
|
|
|
|
|
if let Some(alpn_protocols) = args.alpn_protocols {
|
|
|
|
|
tls_config.alpn_protocols =
|
|
|
|
|
alpn_protocols.into_iter().map(|s| s.into_bytes()).collect();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let tls_config = Arc::new(tls_config);
|
2023-11-15 18:12:46 -05:00
|
|
|
let tls_stream = TlsStream::new_client_side(
|
|
|
|
|
tcp_stream,
|
2024-01-24 22:47:45 -05:00
|
|
|
tls_config,
|
|
|
|
|
hostname_dns,
|
2023-11-15 18:12:46 -05:00
|
|
|
TLS_BUFFER_SIZE,
|
|
|
|
|
);
|
2020-12-16 11:14:12 -05:00
|
|
|
|
|
|
|
|
let rid = {
|
|
|
|
|
let mut state_ = state.borrow_mut();
|
|
|
|
|
state_
|
|
|
|
|
.resource_table
|
2021-05-10 19:49:57 -04:00
|
|
|
.add(TlsStreamResource::new(tls_stream.into_split()))
|
2020-12-16 11:14:12 -05:00
|
|
|
};
|
2021-05-10 19:49:57 -04:00
|
|
|
|
2022-10-25 16:50:55 -04:00
|
|
|
Ok((rid, IpAddr::from(local_addr), IpAddr::from(remote_addr)))
|
2020-08-28 11:08:24 -04:00
|
|
|
}
|
|
|
|
|
|
2023-09-12 09:39:21 -04:00
|
|
|
#[op2(async)]
|
|
|
|
|
#[serde]
|
2022-10-25 16:50:55 -04:00
|
|
|
pub async fn op_net_connect_tls<NP>(
|
2020-09-10 09:57:45 -04:00
|
|
|
state: Rc<RefCell<OpState>>,
|
2023-09-12 09:39:21 -04:00
|
|
|
#[serde] addr: IpAddr,
|
|
|
|
|
#[serde] args: ConnectTlsArgs,
|
2024-04-08 17:01:02 -04:00
|
|
|
#[cppgc] key_pair: &TlsKeys,
|
2022-10-25 16:50:55 -04:00
|
|
|
) -> Result<(ResourceId, IpAddr, IpAddr), AnyError>
|
2021-06-28 19:43:03 -04:00
|
|
|
where
|
|
|
|
|
NP: NetPermissions + 'static,
|
|
|
|
|
{
|
2021-05-10 19:49:57 -04:00
|
|
|
let cert_file = args.cert_file.as_deref();
|
2021-08-10 07:19:45 -04:00
|
|
|
let unsafely_ignore_certificate_errors = state
|
2021-08-09 10:53:21 -04:00
|
|
|
.borrow()
|
2021-09-22 05:12:08 -04:00
|
|
|
.try_borrow::<UnsafelyIgnoreCertificateErrors>()
|
|
|
|
|
.and_then(|it| it.0.clone());
|
2021-08-09 09:55:00 -04:00
|
|
|
|
2020-09-10 09:57:45 -04:00
|
|
|
{
|
2021-04-11 22:15:43 -04:00
|
|
|
let mut s = state.borrow_mut();
|
2021-06-28 19:43:03 -04:00
|
|
|
let permissions = s.borrow_mut::<NP>();
|
2022-10-25 16:50:55 -04:00
|
|
|
permissions
|
|
|
|
|
.check_net(&(&addr.hostname, Some(addr.port)), "Deno.connectTls()")?;
|
2021-05-10 19:49:57 -04:00
|
|
|
if let Some(path) = cert_file {
|
2022-09-27 16:36:33 -04:00
|
|
|
permissions.check_read(Path::new(path), "Deno.connectTls()")?;
|
2020-09-10 09:57:45 -04:00
|
|
|
}
|
2020-08-28 11:08:24 -04:00
|
|
|
}
|
|
|
|
|
|
2021-09-30 03:26:15 -04:00
|
|
|
let mut ca_certs = args
|
|
|
|
|
.ca_certs
|
|
|
|
|
.into_iter()
|
|
|
|
|
.map(|s| s.into_bytes())
|
|
|
|
|
.collect::<Vec<_>>();
|
|
|
|
|
|
|
|
|
|
if let Some(path) = cert_file {
|
|
|
|
|
let mut buf = Vec::new();
|
|
|
|
|
File::open(path)?.read_to_end(&mut buf)?;
|
|
|
|
|
ca_certs.push(buf);
|
2021-08-07 08:49:38 -04:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let root_cert_store = state
|
|
|
|
|
.borrow()
|
|
|
|
|
.borrow::<DefaultTlsOptions>()
|
2023-05-01 16:42:05 -04:00
|
|
|
.root_cert_store()?;
|
2022-10-25 16:50:55 -04:00
|
|
|
let hostname_dns = ServerName::try_from(&*addr.hostname)
|
|
|
|
|
.map_err(|_| invalid_hostname(&addr.hostname))?;
|
|
|
|
|
let connect_addr = resolve_addr(&addr.hostname, addr.port)
|
2020-12-29 20:19:28 -05:00
|
|
|
.await?
|
|
|
|
|
.next()
|
|
|
|
|
.ok_or_else(|| generic_error("No resolved address found"))?;
|
2021-05-10 19:49:57 -04:00
|
|
|
let tcp_stream = TcpStream::connect(connect_addr).await?;
|
2020-08-28 11:08:24 -04:00
|
|
|
let local_addr = tcp_stream.local_addr()?;
|
|
|
|
|
let remote_addr = tcp_stream.peer_addr()?;
|
2021-12-06 18:48:11 -05:00
|
|
|
|
2024-04-08 17:01:02 -04:00
|
|
|
let cert_and_key = match key_pair {
|
|
|
|
|
TlsKeys::Null => None,
|
|
|
|
|
TlsKeys::Static(key) => Some(key.clone()),
|
2024-02-18 09:30:58 -05:00
|
|
|
};
|
2021-08-09 10:53:21 -04:00
|
|
|
let mut tls_config = create_client_config(
|
|
|
|
|
root_cert_store,
|
2021-09-30 03:26:15 -04:00
|
|
|
ca_certs,
|
2021-08-10 07:19:45 -04:00
|
|
|
unsafely_ignore_certificate_errors,
|
2024-02-18 09:30:58 -05:00
|
|
|
cert_and_key,
|
2023-11-01 17:11:01 -04:00
|
|
|
SocketUse::GeneralSsl,
|
2021-08-09 10:53:21 -04:00
|
|
|
)?;
|
2021-08-09 09:55:00 -04:00
|
|
|
|
2021-11-26 13:59:53 -05:00
|
|
|
if let Some(alpn_protocols) = args.alpn_protocols {
|
|
|
|
|
tls_config.alpn_protocols =
|
|
|
|
|
alpn_protocols.into_iter().map(|s| s.into_bytes()).collect();
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-09 09:55:00 -04:00
|
|
|
let tls_config = Arc::new(tls_config);
|
|
|
|
|
|
2023-11-15 18:12:46 -05:00
|
|
|
let tls_stream = TlsStream::new_client_side(
|
|
|
|
|
tcp_stream,
|
2024-01-24 22:47:45 -05:00
|
|
|
tls_config,
|
|
|
|
|
hostname_dns,
|
2023-11-15 18:12:46 -05:00
|
|
|
TLS_BUFFER_SIZE,
|
|
|
|
|
);
|
2021-05-10 19:49:57 -04:00
|
|
|
|
2020-09-10 09:57:45 -04:00
|
|
|
let rid = {
|
|
|
|
|
let mut state_ = state.borrow_mut();
|
2020-12-16 11:14:12 -05:00
|
|
|
state_
|
|
|
|
|
.resource_table
|
2021-05-10 19:49:57 -04:00
|
|
|
.add(TlsStreamResource::new(tls_stream.into_split()))
|
2020-09-10 09:57:45 -04:00
|
|
|
};
|
2021-05-10 19:49:57 -04:00
|
|
|
|
2022-10-25 16:50:55 -04:00
|
|
|
Ok((rid, IpAddr::from(local_addr), IpAddr::from(remote_addr)))
|
2019-09-23 14:40:38 -04:00
|
|
|
}
|
2019-10-21 14:38:28 -04:00
|
|
|
|
2021-08-09 09:55:00 -04:00
|
|
|
fn load_certs_from_file(path: &str) -> Result<Vec<Certificate>, AnyError> {
|
|
|
|
|
let cert_file = File::open(path)?;
|
|
|
|
|
let reader = &mut BufReader::new(cert_file);
|
|
|
|
|
load_certs(reader)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn load_private_keys_from_file(
|
|
|
|
|
path: &str,
|
|
|
|
|
) -> Result<Vec<PrivateKey>, AnyError> {
|
|
|
|
|
let key_bytes = std::fs::read(path)?;
|
|
|
|
|
load_private_keys(&key_bytes)
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-21 14:38:28 -04:00
|
|
|
#[derive(Deserialize)]
|
|
|
|
|
#[serde(rename_all = "camelCase")]
|
2021-03-18 14:42:01 -04:00
|
|
|
pub struct ListenTlsArgs {
|
2021-04-10 16:04:44 -04:00
|
|
|
alpn_protocols: Option<Vec<String>>,
|
2022-10-26 15:04:27 -04:00
|
|
|
reuse_port: bool,
|
2019-10-21 14:38:28 -04:00
|
|
|
}
|
|
|
|
|
|
2023-09-12 09:39:21 -04:00
|
|
|
#[op2]
|
|
|
|
|
#[serde]
|
2022-10-25 16:50:55 -04:00
|
|
|
pub fn op_net_listen_tls<NP>(
|
2020-09-10 09:57:45 -04:00
|
|
|
state: &mut OpState,
|
2023-09-12 09:39:21 -04:00
|
|
|
#[serde] addr: IpAddr,
|
|
|
|
|
#[serde] args: ListenTlsArgs,
|
2024-04-08 17:01:02 -04:00
|
|
|
#[cppgc] keys: &TlsKeys,
|
2022-10-25 16:50:55 -04:00
|
|
|
) -> Result<(ResourceId, IpAddr), AnyError>
|
2021-06-28 19:43:03 -04:00
|
|
|
where
|
|
|
|
|
NP: NetPermissions + 'static,
|
|
|
|
|
{
|
2022-10-26 15:04:27 -04:00
|
|
|
if args.reuse_port {
|
|
|
|
|
super::check_unstable(state, "Deno.listenTls({ reusePort: true })");
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-10 09:57:45 -04:00
|
|
|
{
|
2021-06-28 19:43:03 -04:00
|
|
|
let permissions = state.borrow_mut::<NP>();
|
2022-10-25 16:50:55 -04:00
|
|
|
permissions
|
|
|
|
|
.check_net(&(&addr.hostname, Some(addr.port)), "Deno.listenTls()")?;
|
2020-09-10 09:57:45 -04:00
|
|
|
}
|
2021-05-10 19:49:57 -04:00
|
|
|
|
2024-04-08 17:01:02 -04:00
|
|
|
let tls_config = ServerConfig::builder()
|
2021-12-06 18:48:11 -05:00
|
|
|
.with_safe_defaults()
|
2024-04-08 17:01:02 -04:00
|
|
|
.with_no_client_auth();
|
|
|
|
|
|
|
|
|
|
let mut tls_config = match keys {
|
2024-04-18 13:21:08 -04:00
|
|
|
TlsKeys::Null => Err(anyhow!("Deno.listenTls requires a key")),
|
|
|
|
|
TlsKeys::Static(TlsKey(cert, key)) => tls_config
|
|
|
|
|
.with_single_cert(cert.clone(), key.clone())
|
|
|
|
|
.map_err(|e| anyhow!(e)),
|
2024-04-08 17:01:02 -04:00
|
|
|
}
|
|
|
|
|
.map_err(|e| {
|
2024-04-18 13:21:08 -04:00
|
|
|
custom_error("InvalidData", "Error creating TLS certificate").context(e)
|
2024-04-08 17:01:02 -04:00
|
|
|
})?;
|
2023-08-14 20:11:12 -04:00
|
|
|
|
2021-04-10 16:04:44 -04:00
|
|
|
if let Some(alpn_protocols) = args.alpn_protocols {
|
2021-05-10 19:49:57 -04:00
|
|
|
tls_config.alpn_protocols =
|
2021-04-10 16:04:44 -04:00
|
|
|
alpn_protocols.into_iter().map(|s| s.into_bytes()).collect();
|
|
|
|
|
}
|
2021-05-10 19:49:57 -04:00
|
|
|
|
2022-10-25 16:50:55 -04:00
|
|
|
let bind_addr = resolve_addr_sync(&addr.hostname, addr.port)?
|
2020-12-29 20:19:28 -05:00
|
|
|
.next()
|
|
|
|
|
.ok_or_else(|| generic_error("No resolved address found"))?;
|
2024-04-08 18:18:14 -04:00
|
|
|
|
|
|
|
|
let tcp_listener = TcpListener::bind_direct(bind_addr, args.reuse_port)?;
|
2021-05-10 19:49:57 -04:00
|
|
|
let local_addr = tcp_listener.local_addr()?;
|
|
|
|
|
|
2024-04-08 18:18:14 -04:00
|
|
|
let tls_listener_resource = NetworkListenerResource::new(TlsListener {
|
|
|
|
|
tcp_listener,
|
|
|
|
|
tls_config: tls_config.into(),
|
|
|
|
|
});
|
2020-04-21 09:48:44 -04:00
|
|
|
|
2020-12-16 11:14:12 -05:00
|
|
|
let rid = state.resource_table.add(tls_listener_resource);
|
2019-10-21 14:38:28 -04:00
|
|
|
|
2022-10-25 16:50:55 -04:00
|
|
|
Ok((rid, IpAddr::from(local_addr)))
|
2019-10-21 14:38:28 -04:00
|
|
|
}
|
|
|
|
|
|
2023-09-12 09:39:21 -04:00
|
|
|
#[op2(async)]
|
|
|
|
|
#[serde]
|
2022-10-25 16:50:55 -04:00
|
|
|
pub async fn op_net_accept_tls(
|
2020-09-10 09:57:45 -04:00
|
|
|
state: Rc<RefCell<OpState>>,
|
2023-09-12 09:39:21 -04:00
|
|
|
#[smi] rid: ResourceId,
|
2022-10-25 16:50:55 -04:00
|
|
|
) -> Result<(ResourceId, IpAddr, IpAddr), AnyError> {
|
2020-12-16 11:14:12 -05:00
|
|
|
let resource = state
|
|
|
|
|
.borrow()
|
|
|
|
|
.resource_table
|
2024-04-08 18:18:14 -04:00
|
|
|
.get::<NetworkListenerResource<TlsListener>>(rid)
|
2021-08-15 07:29:19 -04:00
|
|
|
.map_err(|_| bad_resource("Listener has been closed"))?;
|
2021-05-10 19:49:57 -04:00
|
|
|
|
2024-04-08 18:18:14 -04:00
|
|
|
let cancel_handle = RcRef::map(&resource, |r| &r.cancel);
|
|
|
|
|
let listener = RcRef::map(&resource, |r| &r.listener)
|
2020-12-16 11:14:12 -05:00
|
|
|
.try_borrow_mut()
|
|
|
|
|
.ok_or_else(|| custom_error("Busy", "Another accept task is ongoing"))?;
|
2021-05-10 19:49:57 -04:00
|
|
|
|
2024-04-08 18:18:14 -04:00
|
|
|
let (tls_stream, remote_addr) =
|
|
|
|
|
match listener.accept().try_or_cancel(&cancel_handle).await {
|
2021-05-10 19:49:57 -04:00
|
|
|
Ok(tuple) => tuple,
|
|
|
|
|
Err(err) if err.kind() == ErrorKind::Interrupted => {
|
|
|
|
|
// FIXME(bartlomieju): compatibility with current JS implementation.
|
|
|
|
|
return Err(bad_resource("Listener has been closed"));
|
2020-08-28 11:08:24 -04:00
|
|
|
}
|
2021-05-10 19:49:57 -04:00
|
|
|
Err(err) => return Err(err.into()),
|
|
|
|
|
};
|
|
|
|
|
|
2024-04-08 18:18:14 -04:00
|
|
|
let local_addr = tls_stream.local_addr()?;
|
2020-08-28 11:08:24 -04:00
|
|
|
let rid = {
|
2020-09-10 09:57:45 -04:00
|
|
|
let mut state_ = state.borrow_mut();
|
2020-12-16 11:14:12 -05:00
|
|
|
state_
|
|
|
|
|
.resource_table
|
2021-05-10 19:49:57 -04:00
|
|
|
.add(TlsStreamResource::new(tls_stream.into_split()))
|
2020-08-28 11:08:24 -04:00
|
|
|
};
|
2020-12-16 11:14:12 -05:00
|
|
|
|
2022-10-25 16:50:55 -04:00
|
|
|
Ok((rid, IpAddr::from(local_addr), IpAddr::from(remote_addr)))
|
2019-10-21 14:38:28 -04:00
|
|
|
}
|
2021-10-19 19:30:04 -04:00
|
|
|
|
2023-09-12 09:39:21 -04:00
|
|
|
#[op2(async)]
|
|
|
|
|
#[serde]
|
2021-11-08 20:07:12 -05:00
|
|
|
pub async fn op_tls_handshake(
|
2021-10-19 19:30:04 -04:00
|
|
|
state: Rc<RefCell<OpState>>,
|
2023-09-12 09:39:21 -04:00
|
|
|
#[smi] rid: ResourceId,
|
2021-11-26 13:59:53 -05:00
|
|
|
) -> Result<TlsHandshakeInfo, AnyError> {
|
2021-10-19 19:30:04 -04:00
|
|
|
let resource = state
|
|
|
|
|
.borrow()
|
|
|
|
|
.resource_table
|
2024-04-08 18:18:14 -04:00
|
|
|
.get::<TlsStreamResource>(rid)
|
|
|
|
|
.map_err(|_| bad_resource("Listener has been closed"))?;
|
2021-10-19 19:30:04 -04:00
|
|
|
resource.handshake().await
|
|
|
|
|
}
|
