Migrate TLS to rustls

istio · Feb 23, 2024 · 30dfb3d · 30dfb3d
1 parent 56a2a6f
commit 30dfb3d
Show file tree

Hide file tree

Showing 30 changed files with 2,414 additions and 1,617 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -5,11 +5,12 @@ edition = "2021"
 rust-version = "1.65"
 
 [features]
-default = ["fips"]
+default = ["tls-ring"]
 gperftools = ["dep:gperftools"]
 console = ["dep:console-subscriber"]
-fips = ["boring/fips", "hyper-boring/fips", "tokio-boring/fips"]
-testing = [] # Enables utilities supporting tests.
+tls-boring = ["dep:boring", "dep:boring-sys", "boring-rustls-provider/fips-only", "ztunnel/tls-boring"]
+tls-ring = ["dep:ring", "rustls/ring", "dep:rcgen", "ztunnel/tls-ring"]
+testing = ["dep:rcgen", "rcgen/x509-parser"] # Enables utilities supporting tests.
 
 [lib]
 path = "src/lib.rs"
@@ -25,70 +26,78 @@ name = "throughput"
 harness = false
 
 [dependencies]
-http-02 = { package = "http", version = "0.2.9" }
+# Enabled with 'tls-boring'
+boring-rustls-provider = { git = "https://github.com/janrueth/boring-rustls-provider", optional = true } #
+boring = { version = "4", optional = true }
+boring-sys = { version = "4", optional = true }
+
+# Enabled with 'tls-ring'
+ring = { version = "0.17", optional = true }
+
 anyhow = "1.0"
 async-stream = "0.3"
 async-trait = "0.1"
 atty = "0.2"
-# Fork will be dropped once Hyper goes 1.0.0
-hyper-boring = { git = "https://github.com/howardjohn/boring/", branch = "hyper-boring/adopt-hyper-1.0.0-snapshot1" }
-boring = { git = "https://github.com/howardjohn/boring/", branch = "hyper-boring/adopt-hyper-1.0.0-snapshot1" }
-tokio-boring = { git = "https://github.com/howardjohn/boring/", branch = "hyper-boring/adopt-hyper-1.0.0-snapshot1" }
-boring-sys = { git = "https://github.com/howardjohn/boring/", branch = "hyper-boring/adopt-hyper-1.0.0-snapshot1" }
+backoff = "0.4.0"
+base64 = "0.21"
+byteorder = "1.5"
 bytes = { version = "1.5", features = ["serde"] }
+chrono = "0.4"
 console-subscriber = { version = "0.2", optional = true }
 drain = "0.1"
+duration-str = "0.7"
 futures = "0.3"
+futures-core = "0.3"
+futures-util = "0.3"
 gperftools = { version = "0.2", features = ["heap"], optional = true }
+hashbrown = "0.14"
+hickory-client = "0.24"
+hickory-proto = "0.24"
+hickory-resolver = "0.24"
+hickory-server = { version = "0.24", features = [ "hickory-resolver" ] }
+http-02 = { package = "http", version = "0.2.9" }
+http-body-04 = { package = "http-body", version = "0.4" }
+http-body-1 = { package = "http-body", version = "1.0.0-rc.2" }
+http-body-util = "0.1"
+http-types = { version = "2.12", default-features = false }
 hyper = { version = "1.1", features = ["full"] }
+hyper-rustls = { version = "0.26.0", features = ["http2"] }
 hyper-util = { version = "0.1", features = ["full"] }
+ipnet = { version = "2.9", features = ["serde"] }
+itertools = "0.12"
 libc = "0.2"
 log = "0.4"
+nix = { version = "0.27", features = ["socket", "sched", "uio", "fs", "ioctl", "user"] }
 once_cell = "1.19"
 pprof = { version = "0.13", features = ["protobuf", "protobuf-codec", "criterion"] }
+priority-queue = "1.4"
 prometheus-client = { version = "0.22" }
+prometheus-parse = "0.2"
 prost = "0.12"
 prost-types = "0.12"
 rand = "0.8"
+rcgen = { version = "0.12", optional = true, features = ["pem"] }
+realm_io = "0.4"
+rustls = { version = "0.22"}
+rustls-native-certs = "0.7.0"
+rustls-pemfile = "2.1"
 serde = { version = "1.0", features = ["derive", "rc"] }
 serde_json = "1.0"
 serde_yaml = "0.9"
 socket2 = { version = "0.5", features = ["all"] }
-byteorder = "1.5"
+textnonce = { version = "1.0" }
 thiserror = "1.0"
 tls-listener = { version = "0.9" }
 tokio = { "version" = "1.0", features = ["full", "test-util"] }
+tokio-rustls = "0.25"
 tokio-stream = { version = "0.1", features = ["net"] }
 tonic = { version = "0.11", default-features = false, features = ["prost", "codegen"] }
 tower = { version = "0.4", features = ["full"] }
+tower-hyper-http-body-compat = { git = "https://github.com/howardjohn/tower-hyper-http-body-compat", branch = "deps/hyper-1.0.0-snapshot1", features = ["server", "http2"] }
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["registry", "env-filter"] }
-realm_io = "0.4"
-go-parse-duration = "0.1"
-prometheus-parse = "0.2"
 url = "2.2"
-itertools = "0.12"
-ipnet = { version = "2.9", features = ["serde"] }
-http-types = { version = "2.12", default-features = false }
-textnonce = { version = "1.0" }
-priority-queue = "1.4"
-http-body-util = "0.1"
-http-body-04 = { package = "http-body", version = "0.4" }
-http-body-1 = { package = "http-body", version = "1.0.0-rc.2" }
-tower-hyper-http-body-compat = { git = "https://github.com/howardjohn/tower-hyper-http-body-compat", branch = "deps/hyper-1.0.0-snapshot1", features = ["server", "http2"] }
-futures-util = "0.3"
-chrono = "0.4"
-futures-core = "0.3"
-nix = { version = "0.27", features = ["socket", "sched", "uio", "fs", "ioctl", "user"] }
-hashbrown = "0.14"
-backoff = "0.4.0"
-
-# DNS
-hickory-client = "0.24"
-hickory-proto = "0.24"
-hickory-resolver = "0.24"
-hickory-server = { version = "0.24", features = [ "hickory-resolver" ] }
-duration-str = "0.7"
+x509-parser = { version = "0.15", default-features = false }
 
 [target.'cfg(target_os = "linux")'.dependencies]
 netns-rs = "0.1"
@@ -113,11 +122,13 @@ incremental = true
 
 [dev-dependencies]
 # Enable testing utils on this crate.
-ztunnel = { version = "0.0.0", path = ".", features = [ "testing" ] }
+ztunnel = { version = "0.0.0", path = ".", default-features = false, features = ["testing"] }
 
 criterion = { version = "0.5", features = ["async_tokio", "html_reports"] }
 diff = "0.1"
 local-ip-address = "0.5"
 matches = "0.1"
 test-case = "3.3"
+oid-registry = "0.6.1"
+rcgen = { version = "0.12.1", features = ["pem", "x509-parser"] }
 #debug = true
diff --git a/README.md b/README.md
@@ -21,10 +21,23 @@ If a feature is not directly used to implement the node proxy component in ambie
 
 ## Building
 
-### FIPS
+### TLS/Crypto provider
 
-Ztunnel builds currently enable the `fips` Cargo feature by default, which in turn enables the `fips` feature
-on [BoringSSL](https://github.com/cloudflare/boring).
+Ztunnel's TLS is built on [rustls](https://github.com/rustls/rustls).
+
+Rustls has support for plugging in various crypto providers to meet various needs (compliance, performance, etc).
+
+| Name                                          | How To Enable                                  |
+|-----------------------------------------------|------------------------------------------------|
+| [ring](https://github.com/briansmith/ring/)   | Default (or `--features tls-ring`)             |
+| [boring](https://github.com/cloudflare/boring) | `--features tls-boring --no-default-features`) |
+
+In all options, only TLS 1.3 with cipher suites `TLS13_AES_256_GCM_SHA384` and `TLS13_AES_128_GCM_SHA256` is used.
+
+#### `boring` FIPS
+
+With the `boring` option, the FIPS version is used.
+Please note this only implies the specific version of the library is used; FIPS compliance requires more than *just* using a specific library.
 
 FIPS has
 [strict requirements](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf)
@@ -42,14 +55,14 @@ We vendor FIPS boringssl binaries for
 To use these vendored libraries and build ztunnel for either of these OS/arch combos, for the moment you must manually edit
 [.cargo/config.toml](.cargo/config.toml) and change the values of BORING_BSSL_PATH and BORING_BSSL_INCLUDE_PATH under the `[env]` key to match the path to the vendored libraries for your platform, e.g:
 
-#### For linux/x86_64
+##### For linux/x86_64
 
 ``` toml
 BORING_BSSL_PATH = { value = "vendor/boringssl-fips/linux_x86_64", force = true, relative = true }
 BORING_BSSL_INCLUDE_PATH = { value = "vendor/boringssl-fips/include/", force = true, relative = true }
 ```
 
-#### For linux/arm64
+##### For linux/arm64
 
 ``` toml
 BORING_BSSL_PATH = { value = "vendor/boringssl-fips/linux_arm64", force = true, relative = true }
@@ -65,21 +78,3 @@ cargo build
 This manual twiddling of environment vars is not ideal but given that the alternative is prefixing `cargo build` with these envs on every `cargo build/run`, for now we have chosen to hardcode these in `config.toml` - that may be revisited in the future depending on local pain and/or evolving `boring` upstream build flows.
 
 Note that the Dockerfiles used to build these vendored `boringssl` builds may be found in the respective vendor directories, and can serve as a reference for the build environment needed to generate FIPS-compliant ztunnel builds.
-
-### Non-FIPS
-
-If you are building for a platform we don't include vendored FIPS `boringssl` binaries for, or you don't want or need FIPS compliance, note that currently non-FIPS builds are **not supported** by us. However you may build `ztunnel` with a FIPS-less `boringssl` by doing the following:
-
-1. Comment out all of the `BORING_BSSL_*` environment variables in `.cargo/config.toml` entirely.
-1. Run `cargo build --no-default-features`
-
-Some IDEs (such as the [Intellij-series](https://github.com/intellij-rust/intellij-rust/issues/9757)) do not support
-globally applying arguments to cargo. In this case, it is probably easier to remove `fips` as a default feature in
-`Cargo.toml`.
-
-```toml
-# ...
-[features]
-default = []
-# ...
-```