Split cryptographic dependencies into a dedicated crate (#1307)

The `ring`/`rustls`/`webpki` crates provide the cryptographic primitives
that we use for the proxy's mTLS functionality. But there's a desire to
support other cryptographic implementations (i.e. openssl/boringssl),
especially for FIPS 140-2.

This change introduces a new crate, `linkerd-tls-rustls`, into which all
types that depend on `ring`/`rustls`/`webpki` are moved. Specifically,
`Key`, `Crt`, and `CrtKey` are moved from `linkerd-identity` into
`rustls`. The `linkerd-tls` crate becomes generic over its TLS
implementation by using a `NewService` to build client connectors and a
`Service` to terminate server-side TLS connections.

Author: olix0r

Cargo.lock

@@ -689,6 +689,7 @@ dependencies = [
  "linkerd-stack-tracing",
  "linkerd-system",
  "linkerd-tls",
+ "linkerd-tls-rustls",
  "linkerd-trace-context",
  "linkerd-tracing",
  "linkerd-transport-header",
@@ -991,12 +992,6 @@ name = "linkerd-identity"
 version = "0.1.0"
 dependencies = [
  "linkerd-dns-name",
- "ring",
- "thiserror",
- "tokio-rustls",
- "tracing",
- "untrusted",
- "webpki",
 ]
 
 [[package]]
@@ -1009,7 +1004,6 @@ dependencies = [
  "linkerd-errno",
  "pin-project",
  "tokio",
- "tokio-rustls",
  "tokio-test",
  "tokio-util",
 ]
@@ -1152,6 +1146,7 @@ dependencies = [
  "linkerd-metrics",
  "linkerd-stack",
  "linkerd-tls",
+ "linkerd-tls-rustls",
  "linkerd2-proxy-api",
  "pin-project",
  "thiserror",
@@ -1189,6 +1184,7 @@ dependencies = [
  "linkerd-proxy-transport",
  "linkerd-stack",
  "linkerd-tls",
+ "linkerd-tls-rustls",
  "linkerd2-proxy-api",
  "parking_lot",
  "pin-project",
@@ -1364,13 +1360,29 @@ dependencies = [
  "linkerd-io",
  "linkerd-proxy-transport",
  "linkerd-stack",
+ "linkerd-tls-rustls",
  "linkerd-tracing",
+ "pin-project",
  "thiserror",
  "tokio",
- "tokio-rustls",
  "tower",
  "tracing",
  "untrusted",
+]
+
+[[package]]
+name = "linkerd-tls-rustls"
+version = "0.1.0"
+dependencies = [
+ "futures",
+ "linkerd-identity",
+ "linkerd-io",
+ "linkerd-stack",
+ "linkerd-tls",
+ "ring",
+ "thiserror",
+ "tokio-rustls",
+ "tracing",
  "webpki",
 ]
 

Cargo.toml

@@ -53,6 +53,7 @@ members = [
     "linkerd/system",
     "linkerd/tonic-watch",
     "linkerd/tls",
+    "linkerd/tls/rustls",
     "linkerd/tracing",
     "linkerd/transport-header",
     "linkerd/transport-metrics",

linkerd/app/admin/src/stack.rs

@@ -2,8 +2,9 @@ use linkerd_app_core::{
     classify,
     config::ServerConfig,
     detect, drain, errors,
+    identity::LocalCrtKey,
     metrics::{self, FmtMetrics},
-    proxy::{http, identity::LocalCrtKey},
+    proxy::http,
     serve,
     svc::{self, ExtractParam, InsertParam, Param},
     tls, trace,

linkerd/app/core/Cargo.toml

@@ -58,6 +58,7 @@ linkerd-tracing = { path = "../../tracing" }
 linkerd-transport-header = { path = "../../transport-header" }
 linkerd-transport-metrics = { path = "../../transport-metrics" }
 linkerd-tls = { path = "../../tls" }
+linkerd-tls-rustls = { path = "../../tls/rustls" }
 linkerd-trace-context = { path = "../../trace-context" }
 regex = "1.5.4"
 serde_json = "1"

linkerd/app/core/src/control.rs

@@ -54,7 +54,8 @@ impl Config {
             > + Clone,
     >
     where
-        L: Clone + svc::Param<tls::client::Config> + Send + Sync + 'static,
+        L: svc::NewService<tls::ClientTls, Service = linkerd_tls_rustls::Connect>,
+        L: Clone + Send + Sync + 'static,
     {
         let addr = self.addr;
 

linkerd/app/core/src/lib.rs

@@ -20,13 +20,14 @@ pub use linkerd_dns;
 pub use linkerd_error::{is_error, Error, Infallible, Recover, Result};
 pub use linkerd_exp_backoff as exp_backoff;
 pub use linkerd_http_metrics as http_metrics;
-pub use linkerd_identity as identity;
 pub use linkerd_io as io;
 pub use linkerd_opencensus as opencensus;
+pub use linkerd_proxy_identity as identity;
 pub use linkerd_service_profiles as profiles;
 pub use linkerd_stack_metrics as stack_metrics;
 pub use linkerd_stack_tracing as stack_tracing;
 pub use linkerd_tls as tls;
+pub use linkerd_tls_rustls as rustls;
 pub use linkerd_tracing as trace;
 pub use linkerd_transport_header as transport_header;
 
@@ -56,7 +57,7 @@ const DEFAULT_PORT: u16 = 80;
 
 #[derive(Clone, Debug)]
 pub struct ProxyRuntime {
-    pub identity: proxy::identity::LocalCrtKey,
+    pub identity: identity::LocalCrtKey,
     pub metrics: metrics::Proxy,
     pub tap: proxy::tap::Registry,
     pub span_sink: http_tracing::OpenCensusSink,

linkerd/app/core/src/proxy/mod.rs

@@ -5,7 +5,6 @@ pub use linkerd_proxy_core as core;
 pub use linkerd_proxy_discover as discover;
 pub use linkerd_proxy_dns_resolve as dns_resolve;
 pub use linkerd_proxy_http as http;
-pub use linkerd_proxy_identity as identity;
 pub use linkerd_proxy_resolve as resolve;
 pub use linkerd_proxy_tap as tap;
 pub use linkerd_proxy_tcp as tcp;

linkerd/app/inbound/fuzz/Cargo.toml

@@ -11,15 +11,15 @@ cargo-fuzz = true
 
 [target.'cfg(fuzzing)'.dependencies]
 arbitrary = { version = "1",  features = ["derive"] }
-libfuzzer-sys = { version = "0.4.2", features = ["arbitrary-derive"] }
-tokio = { version = "1", features = ["full"] }
 hyper = { version = "0.14.9", features = ["http1", "http2"] }
 http = "0.2"
+libfuzzer-sys = { version = "0.4.2", features = ["arbitrary-derive"] }
 linkerd-app-core = { path = "../../core" }
 linkerd-app-inbound = { path = ".." }
 linkerd-app-test = { path = "../../test" }
 linkerd-proxy-identity = { path = "../../../proxy/identity", features = ["test-util"] }
 linkerd-tracing = { path = "../../../tracing", features = ["ansi"] }
+tokio = { version = "1", features = ["full"] }
 tracing = "0.1"
 
 # Prevent this from interfering with workspaces

linkerd/app/inbound/src/detect.rs

@@ -4,8 +4,8 @@ use crate::{
 };
 use linkerd_app_core::{
     detect, identity, io,
-    proxy::{http, identity::LocalCrtKey},
-    svc, tls,
+    proxy::http,
+    rustls, svc, tls,
     transport::{
         self,
         addrs::{ClientAddr, OrigDstAddr, Remote},
@@ -50,9 +50,11 @@ struct ConfigureHttpDetect;
 #[derive(Clone)]
 struct TlsParams {
     timeout: tls::server::Timeout,
-    identity: LocalCrtKey,
+    identity: identity::LocalCrtKey,
 }
 
+type TlsIo<I> = tls::server::Io<rustls::ServerIo<tls::server::DetectIo<I>>, I>;
+
 // === impl Inbound ===
 
 impl<N> Inbound<N> {
@@ -92,7 +94,7 @@ impl<N> Inbound<N> {
         I: Debug + Send + Sync + Unpin + 'static,
         N: svc::NewService<Tls, Service = NSvc>,
         N: Clone + Send + Sync + Unpin + 'static,
-        NSvc: svc::Service<tls::server::Io<I>, Response = ()>,
+        NSvc: svc::Service<TlsIo<I>, Response = ()>,
         NSvc: Send + Unpin + 'static,
         NSvc::Error: Into<Error>,
         NSvc::Future: Send,
@@ -135,10 +137,12 @@ impl<N> Inbound<N> {
                         .push_on_service(svc::MapTargetLayer::new(io::BoxedIo::new))
                         .into_inner(),
                 )
-                .push(tls::NewDetectTls::<LocalCrtKey, _, _>::layer(TlsParams {
-                    timeout: tls::server::Timeout(detect_timeout),
-                    identity: rt.identity.clone(),
-                }))
+                .push(tls::NewDetectTls::<identity::LocalCrtKey, _, _>::layer(
+                    TlsParams {
+                        timeout: tls::server::Timeout(detect_timeout),
+                        identity: rt.identity.clone(),
+                    },
+                ))
                 .push_switch(
                     // If this port's policy indicates that authentication is not required and
                     // detection should be skipped, use the TCP stack directly.
@@ -425,9 +429,9 @@ impl<T> svc::ExtractParam<tls::server::Timeout, T> for TlsParams {
     }
 }
 
-impl<T> svc::ExtractParam<LocalCrtKey, T> for TlsParams {
+impl<T> svc::ExtractParam<identity::LocalCrtKey, T> for TlsParams {
     #[inline]
-    fn extract_param(&self, _: &T) -> LocalCrtKey {
+    fn extract_param(&self, _: &T) -> identity::LocalCrtKey {
         self.identity.clone()
     }
 }

linkerd/app/inbound/src/direct.rs

@@ -1,14 +1,14 @@
 use crate::{policy, Inbound};
 use linkerd_app_core::{
-    io,
-    proxy::identity::LocalCrtKey,
+    identity::LocalCrtKey,
+    io, rustls,
     svc::{self, ExtractParam, InsertParam, Param},
     tls,
     transport::{self, metrics::SensorIo, ClientAddr, OrigDstAddr, Remote, ServerAddr},
     transport_header::{self, NewTransportHeaderServer, SessionProtocol, TransportHeader},
     Conditional, Error, NameAddr, Result,
 };
-use std::{convert::TryFrom, fmt::Debug};
+use std::{convert::TryFrom, fmt::Debug, task};
 use thiserror::Error;
 use tracing::{debug_span, info_span};
 
@@ -52,8 +52,9 @@ pub struct ClientInfo {
     pub local_addr: OrigDstAddr,
 }
 
-type FwdIo<I> = SensorIo<io::PrefixedIo<tls::server::Io<I>>>;
-pub type GatewayIo<I> = io::EitherIo<FwdIo<I>, SensorIo<tls::server::Io<I>>>;
+type TlsIo<I> = tls::server::Io<rustls::ServerIo<tls::server::DetectIo<I>>, I>;
+type FwdIo<I> = SensorIo<io::PrefixedIo<TlsIo<I>>>;
+pub type GatewayIo<I> = io::EitherIo<FwdIo<I>, SensorIo<TlsIo<I>>>;
 
 #[derive(Clone)]
 struct TlsParams {
@@ -102,7 +103,6 @@ impl<N> Inbound<N> {
                     rt.metrics.proxy.transport.clone(),
                 ))
                 .instrument(|_: &_| debug_span!("opaque"))
-                .check_new_service::<Local, _>()
                 // When the transport header is present, it may be used for either local TCP
                 // forwarding, or we may be processing an HTTP gateway connection. HTTP gateway
                 // connections that have a transport header must provide a target name as a part of
@@ -129,8 +129,13 @@ impl<N> Inbound<N> {
                                             negotiated_protocol: client.alpn,
                                         },
                                     );
-                                    let permit = allow.check_authorized(client.client_addr, &tls)?;
-                                    Ok(svc::Either::A(Local { addr: Remote(ServerAddr(addr)), permit, client_id: client.client_id, }))
+                                    let permit =
+                                        allow.check_authorized(client.client_addr, &tls)?;
+                                    Ok(svc::Either::A(Local {
+                                        addr: Remote(ServerAddr(addr)),
+                                        permit,
+                                        client_id: client.client_id,
+                                    }))
                                 }
                                 TransportHeader {
                                     port,
@@ -167,30 +172,27 @@ impl<N> Inbound<N> {
                         .instrument(
                             |g: &GatewayTransportHeader| info_span!("gateway", dst = %g.target),
                         )
-                        .check_new_service::<GatewayTransportHeader, io::PrefixedIo<tls::server::Io<I>>>()
                         .into_inner(),
                 )
                 // Use ALPN to determine whether a transport header should be read.
                 .push(NewTransportHeaderServer::layer(detect_timeout))
-                .push_request_filter(
-                    |client: ClientInfo| -> Result<_> {
-                        if client.header_negotiated() {
-                            Ok(client)
-                        } else {
-                            Err(RefusedNoTarget.into())
-                        }
-                    },
-                )
-                .check_new_service::<ClientInfo, tls::server::Io<I>>()
+                .push_request_filter(|client: ClientInfo| -> Result<_> {
+                    if client.header_negotiated() {
+                        Ok(client)
+                    } else {
+                        Err(RefusedNoTarget.into())
+                    }
+                })
                 // Build a ClientInfo target for each accepted connection. Refuse the
                 // connection if it doesn't include an mTLS identity.
                 .push_request_filter(ClientInfo::try_from)
                 .push(svc::ArcNewService::layer())
-                .push(tls::NewDetectTls::<WithTransportHeaderAlpn, _, _>::layer(TlsParams {
-                    timeout: tls::server::Timeout(detect_timeout),
-                    identity: WithTransportHeaderAlpn(rt.identity.clone()),
-                }))
-                .check_new_service::<T, I>()
+                .push(tls::NewDetectTls::<WithTransportHeaderAlpn, _, _>::layer(
+                    TlsParams {
+                        timeout: tls::server::Timeout(detect_timeout),
+                        identity: WithTransportHeaderAlpn(rt.identity.clone()),
+                    },
+                ))
                 .push_on_service(svc::BoxService::layer())
                 .push(svc::ArcNewService::layer())
         })
@@ -293,8 +295,20 @@ impl Param<tls::ConditionalServerTls> for GatewayTransportHeader {
 
 // === impl WithTransportHeaderAlpn ===
 
-impl svc::Param<tls::server::Config> for WithTransportHeaderAlpn {
-    fn param(&self) -> tls::server::Config {
+impl<I> svc::Service<I> for WithTransportHeaderAlpn
+where
+    I: io::AsyncRead + io::AsyncWrite + Send + Unpin,
+{
+    type Response = (tls::ServerTls, rustls::ServerIo<I>);
+    type Error = io::Error;
+    type Future = rustls::TerminateFuture<I>;
+
+    #[inline]
+    fn poll_ready(&mut self, _: &mut task::Context<'_>) -> task::Poll<Result<(), io::Error>> {
+        task::Poll::Ready(Ok(()))
+    }
+
+    fn call(&mut self, io: I) -> Self::Future {
         // Copy the underlying TLS config and set an ALPN value.
         //
         // TODO: Avoid cloning the server config for every connection. It would
@@ -304,7 +318,7 @@ impl svc::Param<tls::server::Config> for WithTransportHeaderAlpn {
         config
             .alpn_protocols
             .push(transport_header::PROTOCOL.into());
-        config.into()
+        rustls::terminate(config.into(), io)
     }
 }