diff --git a/.drone.yml b/.drone.yml new file mode 100644 index 000000000..575312a99 --- /dev/null +++ b/.drone.yml 
@@ -0,0 +1,143 @@ +--- +kind: pipeline +type: docker +name: build 386 + +clone: + depth: 1 + +steps: + - name: build 386 + image: registry.sean.farm/honda-builder + commands: + - ./ci/scripts/build.sh linux 386 $${DRONE_COMMIT_SHA} + +image_pull_secrets: + - dockerconfigjson + +--- +kind: pipeline +type: docker +name: build amd64 + +clone: + depth: 1 + +steps: + - name: build amd64 + image: registry.sean.farm/honda-builder + commands: + - ./ci/scripts/build.sh linux amd64 $${DRONE_COMMIT_SHA} + +image_pull_secrets: + - dockerconfigjson + +--- +kind: pipeline +type: docker +name: build arm64 + +clone: + depth: 1 + +steps: + - name: build arm64 + image: registry.sean.farm/honda-builder + commands: + - ./ci/scripts/build.sh linux arm64 $${DRONE_COMMIT_SHA} + +platform: + os: linux + arch: arm64 + +image_pull_secrets: + - dockerconfigjson + +--- +kind: pipeline +type: docker +name: build armv7 + +platform: + os: linux + arch: arm64 + +clone: + depth: 1 + +steps: + - name: build armv7 + image: registry.sean.farm/honda-builder + commands: + - ./ci/scripts/build.sh linux armv7 $${DRONE_COMMIT_SHA} + +image_pull_secrets: + - dockerconfigjson + +--- +kind: pipeline +type: docker +name: build riscv64 + +clone: + depth: 1 + +steps: + - name: build riscv64 + image: registry.sean.farm/honda-builder + commands: + - ./ci/scripts/build.sh linux riscv64 $${DRONE_COMMIT_SHA} + +image_pull_secrets: + - dockerconfigjson + +--- +kind: pipeline +type: docker +name: build mips64le + +clone: + depth: 1 + +steps: + - name: build mips64le + image: registry.sean.farm/honda-builder + commands: + - ./ci/scripts/build.sh linux mips64le $${DRONE_COMMIT_SHA} + +image_pull_secrets: + - dockerconfigjson + +--- +kind: pipeline +type: docker +name: build ppc64le + +clone: + depth: 1 + +steps: + - name: build ppc64le + image: registry.sean.farm/honda-builder + commands: + - ./ci/scripts/build.sh linux ppc64le $${DRONE_COMMIT_SHA} + +image_pull_secrets: + - dockerconfigjson + +--- +kind: pipeline 
+type: docker
+name: build s390x
+
+clone:
+ depth: 1
+
+steps:
+ - name: build s390x
+ image: registry.sean.farm/honda-builder
+ commands:
+ - ./ci/scripts/build.sh linux s390x $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+ - dockerconfigjson
diff --git a/ci/Dockerfile.sid b/ci/Dockerfile.sid
new file mode 100644
index 000000000..4af604aac
--- /dev/null
+++ b/ci/Dockerfile.sid
@@ -0,0 +1,7 @@
+FROM registry.sean.farm/sid-builder as stage
+COPY . .
+RUN /usr/bin/make -j 8
+
+FROM scratch AS export
+COPY --from=stage /zerotier-one .
+COPY --from=stage /zerotier-cli .
diff --git a/ci/scripts/build.sh b/ci/scripts/build.sh
new file mode 100755
index 000000000..e0b6ce6b7
--- /dev/null
+++ b/ci/scripts/build.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+export GOOS=$1
+export GOARCH=$2
+export VERSION=$3
+export DOCKER_BUILDKIT=1
+
+echo "nproc: $(nproc)"
+
+case $GOARCH in
+ armv5)
+ export ARCH=arm/v5
+ ;;
+ armv7)
+ export ARCH=arm/v7
+ ;;
+ arm64)
+ export ARCH=arm64/v8
+ ;;
+ *)
+ export ARCH=$GOARCH
+ ;;
+esac
+
+docker run --privileged --rm tonistiigi/binfmt --install all
+docker buildx build --platform ${GOOS}/${ARCH} -f ci/Dockerfile.sid --target export -t test . --output out/${GOOS}/${GOARCH}
diff --git a/debian/rules b/debian/rules
index d48c96bfc..81fde680b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,7 +7,7 @@ CXXFLAGS=-O3 -fstack-protector-strong
 dh $@ --with systemd
 override_dh_auto_build:
- make -j`nproc`
+ make
 override_dh_systemd_start:
 dh_systemd_start --restart-after-upgrade
diff --git a/include/ZeroTierOne.h b/include/ZeroTierOne.h
index 4fa1a4310..e88fbda1f 100644
--- a/include/ZeroTierOne.h
+++ b/include/ZeroTierOne.h
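Review bot: The `build armv7` pipeline declares `platform: os: linux / arch: arm64`, the same runner selection as `build arm64`, which reads like a copy-paste error unless armv7 is meant to be cross-built on an arm64 runner through the binfmt step in build.sh; a comment above that block, e.g. `# no armv7 runners: cross-build on arm64 via binfmt/buildx`, would stop the next reader from "fixing" it. Every pipeline references `registry.sean.farm/honda-builder` without a tag or digest, so the build environment is whatever that image currently resolves to; pin it (`registry.sean.farm/honda-builder@sha256:<digest>`, placeholder) for reproducible builds. The third argument `$${DRONE_COMMIT_SHA}` is exported as `VERSION` by build.sh but nothing in this commit reads it.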
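Review bot: `COPY . .` copies the entire build context into the builder stage and this commit adds no `.dockerignore`, so `.git`, the `out/` tree written by build.sh on a previous run, and any local files in the checkout end up in the image layer and in BuildKit's cache. Add a `.dockerignore` covering at least `.git` and `out/`, or copy only the directories the Makefile needs. `FROM registry.sean.farm/sid-builder` has neither tag nor digest; pinning it by digest makes the toolchain reproducible and auditable. `RUN /usr/bin/make -j 8` hard-codes parallelism while build.sh prints `nproc`; `make -j"$(nproc)"` keeps the two in step.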
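Review bot: `docker run --privileged --rm tonistiigi/binfmt --install all` runs an unpinned third-party image from Docker Hub with full privileges on the CI host on every build, and registers emulators for every architecture rather than the one being built. Pin it by digest (`tonistiigi/binfmt@sha256:<digest>`, placeholder) and install only the emulator for the target platform, or do the registration once in the runner image instead of per build. `$1`..`$3` are consumed without a usage check, so with `set -u` a missing argument dies with an unhelpful `unbound variable`; a leading `[ $# -eq 3 ] || { echo "usage: $0 <os> <arch> <version>" >&2; exit 2; }` is cheap, and `VERSION=$3` is exported but never used. `-t test` tags every image identically, which is harmless until two builds share a daemon; a per-platform tag avoids that.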
@@ -123,12 +123,12 @@ extern "C" {
 /**
 * Maximum number of pushed routes on a network
 */
-#define ZT_MAX_NETWORK_ROUTES 32
+#define ZT_MAX_NETWORK_ROUTES 128
 /**
 * Maximum number of statically assigned IP addresses per network endpoint using ZT address management (not DHCP)
 */
-#define ZT_MAX_ZT_ASSIGNED_ADDRESSES 16
+#define ZT_MAX_ZT_ASSIGNED_ADDRESSES 32
 /**
 * Maximum number of "specialists" on a network -- bridges, relays, etc.
diff --git a/make-linux.mk b/make-linux.mk
index 49081d827..03c5824ba 100644
--- a/make-linux.mk
+++ b/make-linux.mk
@@ -41,12 +41,6 @@ else
 override DEFS+=-DZT_USE_SYSTEM_NATPMP
 endif
-ifeq ($(ZT_DEBUG),1)
- LDLIBS+=zeroidc/target/debug/libzeroidc.a -ldl -lssl -lcrypto
-else
- LDLIBS+=zeroidc/target/release/libzeroidc.a -ldl -lssl -lcrypto
-endif
-
 # Use bundled http-parser since distribution versions are NOT API-stable or compatible!
 # Trying to use dynamically linked libhttp-parser causes tons of compatibility problems.
 ONE_OBJS+=ext/http-parser/http_parser.o
@@ -122,6 +116,7 @@ ifeq ($(CC_MACH),x86_64)
 ZT_USE_X64_ASM_ED25519=1
 override CFLAGS+=-msse -msse2
 override CXXFLAGS+=-msse -msse2
+ ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),amd64)
 ZT_ARCHITECTURE=2
@@ -129,6 +124,7 @@ ifeq ($(CC_MACH),amd64)
 ZT_USE_X64_ASM_ED25519=1
 override CFLAGS+=-msse -msse2
 override CXXFLAGS+=-msse -msse2
+ ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),powerpc64le)
 ZT_ARCHITECTURE=8
@@ -150,15 +146,19 @@ ifeq ($(CC_MACH),e2k)
 endif
 ifeq ($(CC_MACH),i386)
 ZT_ARCHITECTURE=1
+ ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),i486)
 ZT_ARCHITECTURE=1
+ ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),i586)
 ZT_ARCHITECTURE=1
+ ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),i686)
 ZT_ARCHITECTURE=1
+ ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),arm)
 ZT_ARCHITECTURE=3
@@ -174,6 +174,7 @@ ifeq ($(CC_MACH),armhf)
 ZT_ARCHITECTURE=3
 override DEFS+=-DZT_NO_TYPE_PUNNING
 ZT_USE_ARM32_NEON_ASM_CRYPTO=1
+ ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),armv6)
 ZT_ARCHITECTURE=3
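Review bot: Raising `ZT_MAX_NETWORK_ROUTES` from 32 to 128 and `ZT_MAX_ZT_ASSIGNED_ADDRESSES` from 16 to 32 changes the size of whatever fixed-length arrays in this public API header are dimensioned by them, which — if, as their placement suggests, they size members of a public C struct — is an ABI break for anything compiled against the old header and for any serialised copy of those structs; neither doc comment mentions it. Add a sentence to each, e.g. `Changing this value changes the layout of the public structs that embed it and breaks binary compatibility with older builds` (assumes the constants size a public struct — confirm), and grep for the old literals 32 and 16 in loops or fixed-width encodings that were not updated.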
@@ -217,10 +218,12 @@ ifeq ($(CC_MACH),armv7ve)
 endif
 ifeq ($(CC_MACH),arm64)
 ZT_ARCHITECTURE=4
+ ZT_SSO_SUPPORTED=1
 override DEFS+=-DZT_NO_TYPE_PUNNING -DZT_ARCH_ARM_HAS_NEON -march=armv8-a+crypto -mtune=generic -mstrict-align
 endif
 ifeq ($(CC_MACH),aarch64)
 ZT_ARCHITECTURE=4
+ ZT_SSO_SUPPORTED=1
 override DEFS+=-DZT_NO_TYPE_PUNNING -DZT_ARCH_ARM_HAS_NEON -march=armv8-a+crypto -mtune=generic -mstrict-align
 endif
 ifeq ($(CC_MACH),mipsel)
@@ -263,6 +266,14 @@ ifeq ($(ZT_IA32),1)
 ZT_USE_X64_ASM_ED25519=0
 endif
+ifeq ($(ZT_SSO_SUPPORTED), 1)
+ ifeq ($(ZT_DEBUG),1)
+ LDLIBS+=zeroidc/target/debug/libzeroidc.a -ldl -lssl -lcrypto
+ else
+ LDLIBS+=zeroidc/target/release/libzeroidc.a -ldl -lssl -lcrypto
+ endif
+endif
+
 # Disable software updates by default on Linux since that is normally done with package management
 override DEFS+=-DZT_BUILD_PLATFORM=1 -DZT_BUILD_ARCHITECTURE=$(ZT_ARCHITECTURE) -DZT_SOFTWARE_UPDATE_DEFAULT="\"disable\""
@@ -371,8 +382,13 @@ debug: FORCE
 make ZT_DEBUG=1 one
 make ZT_DEBUG=1 selftest
+ifeq ($(ZT_SSO_SUPPORTED), 1)
 zeroidc: FORCE
- cd zeroidc && cargo build $(RUSTFLAGS)
+# export PATH=/root/.cargo/bin:$$PATH; cd zeroidc && cargo build -j1 $(RUSTFLAGS)
+ export PATH=/root/.cargo/bin:$$PATH; cd zeroidc && cargo build $(RUSTFLAGS)
+else
+zeroidc:
+endif
 # Note: keep the symlinks in /var/lib/zerotier-one to the binaries since these
 # provide backward compatibility with old releases where the binaries actually
diff --git a/node/Constants.hpp b/node/Constants.hpp
index ca23a7e5f..930c91299 100644
--- a/node/Constants.hpp
+++ b/node/Constants.hpp
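Review bot: `export PATH=/root/.cargo/bin:$$PATH` in the `zeroidc` recipe hard-codes root's home, so a non-root build (the `debian/rules` path, or a developer checkout) either finds no cargo there or picks up a toolchain that is not the invoking user's; `$$HOME/.cargo/bin` or simply the inherited PATH is the portable form, and the commented-out `-j1` variant above it should be deleted rather than kept as dead text. The new `ZT_SSO_SUPPORTED=1` assignments (x86_64, amd64, i386..i686, armhf, arm64, aarch64 across the hunks here and on the previous line) are the third copy of the supported-platform list in this commit: `node/Constants.hpp` enables `OIDC_SUPPORTED` on Linux only for x86_64/aarch64 and the `#[cfg]` in `zeroidc/src/ext.rs` covers linux x86/x86_64/aarch64, so on i386 libzeroidc is built and linked into a binary whose C++ side never calls it, and on armhf `cargo build` is invoked although every `ZeroIDC` item in the crate is cfg'd out for `target_arch = "arm"` (presumably a build failure — confirm). Derive all three from one place, or at least add `# keep in sync with OIDC_SUPPORTED in node/Constants.hpp and the cfg() list in zeroidc/src/ext.rs` beside this list and a matching pointer at the other two.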
@@ -50,9 +50,16 @@ #define __UNIX_LIKE__
 #endif
 #include
+
+#if (defined(__amd64) || defined(__amd64__) || defined(__x86_64) || defined(__x86_64__) || defined(__AMD64) || defined(__AMD64__) || defined(_M_X64) || defined(__aarch64__))
+#define OIDC_SUPPORTED 1
+#else
+#define OIDC_SUPPORTED 0
+#endif
 #endif
 #ifdef __APPLE__
+#define OIDC_SUPPORTED 1
 #define likely(x) __builtin_expect((x),1)
 #define unlikely(x) __builtin_expect((x),0)
 #include
@@ -66,6 +73,7 @@ #endif
 #if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
+#define OIDC_SUPPORTED 0
 #ifndef __UNIX_LIKE__
 #define __UNIX_LIKE__
 #endif
@@ -81,6 +89,7 @@ #endif
 #if defined(_WIN32) || defined(_WIN64)
+#define OIDC_SUPPORTED 1
 #ifndef __WINDOWS__
 #define __WINDOWS__
 #endif
diff --git a/service/OneService.cpp b/service/OneService.cpp
index 1db63284e..73b3a9d56 100644
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
@@ -53,7 +53,9 @@ #include "OneService.hpp"
 #include "SoftwareUpdater.hpp"
+#if OIDC_SUPPORTED
 #include
+#endif
 #ifdef __WINDOWS__
 #include
@@ -154,7 +156,9 @@ public:
 NetworkState()
 : _webPort(9993)
 , _tap((EthernetTap *)0)
+#if OIDC_SUPPORTED
 , _idc(nullptr)
+#endif
 {
 // Real defaults are in network 'up' code in network event handler
 _settings.allowManaged = true;
@@ -169,11 +173,13 @@ public:
 this->_managedRoutes.clear();
 this->_tap.reset();
+#if OIDC_SUPPORTED
 if (_idc) {
 zeroidc::zeroidc_stop(_idc);
 zeroidc::zeroidc_delete(_idc);
 _idc = nullptr;
 }
+#endif
 }
 void setWebPort(unsigned int port) {
@@ -251,6 +257,7 @@ public:
 if (_config.ssoEnabled && _config.ssoVersion == 1) {
 // fprintf(stderr, "ssoEnabled for %s\n", nwid);
+#if OIDC_SUPPORTED
 if (_idc == nullptr) {
 assert(_config.issuerURL != nullptr);
@@ -290,6 +297,7 @@ public:
 // TODO: kick the refresh thread
 zeroidc::zeroidc_kick_refresh_thread(_idc);
 }
+#endif
 }
 }
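Review bot: `OIDC_SUPPORTED` is only defined inside the Linux, Apple, BSD and Windows branches, so on any other platform — and in any translation unit that includes OneService.hpp before Constants.hpp — `#if OIDC_SUPPORTED` evaluates an undefined identifier as 0 with at best a `-Wundef` warning, and a misspelling at a use site would be equally silent. Add a fallback after the last platform block, `#ifndef OIDC_SUPPORTED` / `#define OIDC_SUPPORTED 0` / `#endif`, with a one-line comment stating that OIDC/SSO support is opt-in per platform and must match the `ZT_SSO_SUPPORTED` list in make-linux.mk and the `cfg()` list in zeroidc/src/ext.rs. The Windows and Apple branches define it as 1 for every architecture while the Linux branch is arch-specific; if that asymmetry is intentional a comment should say so. The opening of the enclosing Linux `#if` block lies outside the first hunk.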
@@ -306,14 +314,17 @@ public:
 }
 const char* getAuthURL() {
+#if OIDC_SUPPORTED
 if (_idc != nullptr) {
 return zeroidc::zeroidc_get_auth_url(_idc);
 }
 fprintf(stderr, "_idc is null\n");
+#endif
 return "";
 }
 const char* doTokenExchange(const char *code) {
+#if OIDC_SUPPORTED
 if (_idc == nullptr) {
 fprintf(stderr, "ainfo or idc null\n");
 return "";
@@ -330,15 +341,21 @@ public:
 memcpy(_config.authenticationURL, url, strlen(url));
 _config.authenticationURL[strlen(url)] = 0;
 return ret;
+#else
+ return "";
+#endif
 }
 uint64_t getExpiryTime() {
+#if OIDC_SUPPORTED
 if (_idc == nullptr) {
 fprintf(stderr, "idc is null\n");
 return 0;
 }
-
 return zeroidc::zeroidc_get_exp_time(_idc);
+#else
+ return 0;
+#endif
 }
 private:
@@ -348,7 +365,9 @@ private:
 std::vector _managedIps;
 std::map< InetAddress, SharedPtr > _managedRoutes;
 OneService::NetworkSettings _settings;
+#if OIDC_SUPPORTED
 zeroidc::ZeroIDC *_idc;
+#endif
 };
 namespace {
@@ -1655,10 +1674,10 @@ public:
 scode = _controller->handleControlPlaneHttpGET(std::vector(ps.begin()+1,ps.end()),urlArgs,headers,body,responseBody,responseContentType);
 } else scode = 404;
 }
-
+#if OIDC_SUPPORTED
 } else if (ps[0] == "sso") {
 // SSO redirect handling
- const char* state = zeroidc::zeroidc_get_url_param_value("state", path.c_str());
+ const char* state = zeroidc::zeroidc_get_url_param_value("state", path.c_str());
 const char* nwid = zeroidc::zeroidc_network_id_from_state(state);
 const uint64_t id = Utils::hexStrToU64(nwid);
@@ -1710,6 +1729,7 @@ div.icon {\
 } else {
 scode = 404;
 }
+#endif
 } else {
 scode = 401; // isAuth == false && !sso
 }
diff --git a/zeroidc/Cargo.lock b/zeroidc/Cargo.lock
index 889142175..a967bd28d 100644
--- a/zeroidc/Cargo.lock
+++ b/zeroidc/Cargo.lock
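Review bot: On a build with `OIDC_SUPPORTED` 0 the `if (_config.ssoEnabled && _config.ssoVersion == 1)` test in the `@@ -251,6 +257,7 @@` hunk on the previous line still fires but its body is compiled out, `getAuthURL()` and `doTokenExchange()` return `""`, `getExpiryTime()` returns 0, and the `/sso` callback here falls through to `scode = 401`, so a network that requires SSO silently never authenticates and nothing tells the operator why. Add an `#else` arm to that earlier `#if` that logs once, e.g. `fprintf(stderr, "network %s requires SSO but this build has no OIDC support\n", nwid);`, and extend the `// isAuth == false && !sso` comment on the 401 branch to say that on OIDC-less builds SSO callbacks land here too. The `#if OIDC_SUPPORTED` in the `@@ -1655` hunk starts immediately before the `} else if` that closes the preceding block; that is brace-balanced only if the `#endif` placement was checked on a platform where the macro is 0, which the BSD branch of Constants.hpp now makes a real configuration — worth a build on one of them. The enclosing functions begin and end outside these hunks.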
@@ -28,12 +28,6 @@ version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a" -[[package]] -name = "base64" -version = "0.12.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3441f0f7b02788e948e47f457ca01f1d7e6d92c693bc132c22b087d3141c03ff" - [[package]] name = "base64" version = "0.13.0" @@ -55,6 +49,15 @@ dependencies = [ "generic-array", ] +[[package]] +name = "block-buffer" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f1d36a02058e76b040de25a4464ba1c80935655595b661505c8b39b664828b95" +dependencies = [ + "generic-array", +] + [[package]] name = "bumpalo" version = "3.8.0" @@ -108,7 +111,6 @@ dependencies = [ "num-integer", "num-traits", "serde", - "time 0.1.43", "winapi", ] @@ -152,6 +154,15 @@ dependencies = [ "libc", ] +[[package]] +name = "crypto-common" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "683d6b536309245c849479fba3da410962a43ed8e51c26b729208ec0ac2798d0" +dependencies = [ + "generic-array", +] + [[package]] name = "digest" version = "0.9.0" @@ -161,6 +172,18 @@ dependencies = [ "generic-array", ] +[[package]] +name = "digest" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b697d66081d42af4fba142d56918a3cb21dc8eb63372c6b85d14f44fb9c5979b" +dependencies = [ + "block-buffer 0.10.0", + "crypto-common", + "generic-array", + "subtle", +] + [[package]] name = "either" version = "1.6.1" @@ -322,6 +345,15 @@ dependencies = [ "libc", ] +[[package]] +name = "hmac" +version = "0.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ddca131f3e7f2ce2df364b57949a9d47915cfbd35e46cfee355ccebbf794d6a2" +dependencies = [ + "digest 0.10.1", +] + [[package]] name = "http" version = "0.2.5" 
@@ -380,19 +412,6 @@ dependencies = [ "want", ] -[[package]] -name = "hyper-rustls" -version = "0.23.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d87c48c02e0dc5e3b849a2041db3029fd066650f8f717c07bf8ed78ccb895cac" -dependencies = [ - "http", - "hyper", - "rustls", - "tokio", - "tokio-rustls", -] - [[package]] name = "hyper-tls" version = "0.5.0" @@ -458,17 +477,18 @@ dependencies = [ ] [[package]] -name = "jsonwebtoken" -version = "7.2.0" +name = "jwt" +version = "0.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "afabcc15e437a6484fc4f12d0fd63068fe457bf93f1c148d3d9649c60b103f32" +checksum = "6204285f77fe7d9784db3fdc449ecce1a0114927a51d5a41c4c7a292011c015f" dependencies = [ - "base64 0.12.3", - "pem", - "ring", + "base64", + "crypto-common", + "digest 0.10.1", + "hmac", "serde", "serde_json", - "simple_asn1", + "sha2 0.10.1", ] [[package]] @@ -559,17 +579,6 @@ dependencies = [ "winapi", ] -[[package]] -name = "num-bigint" -version = "0.2.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "090c7f9998ee0ff65aa5b723e4009f7b217707f1fb5ea551329cc4d6231fb304" -dependencies = [ - "autocfg", - "num-integer", - "num-traits", -] - [[package]] name = "num-bigint" version = "0.4.3" @@ -616,7 +625,7 @@ version = "4.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "80e47cfc4c0a1a519d9a025ebfbac3a2439d1b5cdf397d72dcb79b11d9920dab" dependencies = [ - "base64 0.13.0", + "base64", "chrono", "getrandom", "http", @@ -625,7 +634,7 @@ dependencies = [ "serde", "serde_json", "serde_path_to_error", - "sha2", + "sha2 0.9.8", "thiserror", "url", ] 
@@ -644,16 +653,16 @@ checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5" [[package]] name = "openidconnect" -version = "2.1.2" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7d523cf32bdf7696f36bc4198a42c34b65f0227b97f2f501ebfbe016baa5bc52" +checksum = "f6db0c030c3036f53c7108668641151b244358d221303a17985b07ac9bb60091" dependencies = [ - "base64 0.13.0", + "base64", "chrono", "http", "itertools", "log", - "num-bigint 0.4.3", + "num-bigint", "oauth2", "rand", "ring", @@ -709,17 +718,6 @@ dependencies = [ "num-traits", ] -[[package]] -name = "pem" -version = "0.8.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd56cbd21fea48d0c440b41cd69c589faacade08c992d9a54e471b79d0fd13eb" -dependencies = [ - "base64 0.13.0", - "once_cell", - "regex", -] - [[package]] name = "percent-encoding" version = "2.1.0" @@ -817,21 +815,6 @@ dependencies = [ "bitflags", ] -[[package]] -name = "regex" -version = "1.5.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d07a8629359eb56f1e2fb1652bb04212c072a87ba68546a04065d525673ac461" -dependencies = [ - "regex-syntax", -] - -[[package]] -name = "regex-syntax" -version = "0.6.25" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b" - [[package]] name = "remove_dir_all" version = "0.5.3" @@ -847,7 +830,7 @@ version = "0.11.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "07bea77bc708afa10e59905c3d4af7c8fd43c9214251673095ff8b14345fcbc5" dependencies = [ - "base64 0.13.0", + "base64", "bytes", "encoding_rs", "futures-core", @@ -855,7 +838,6 @@ dependencies = [ "http", "http-body", "hyper", - "hyper-rustls", "hyper-tls", "ipnet", "js-sys", 
@@ -865,19 +847,15 @@ dependencies = [ "native-tls", "percent-encoding", "pin-project-lite", - "rustls", - "rustls-pemfile", "serde", "serde_json", "serde_urlencoded", "tokio", "tokio-native-tls", - "tokio-rustls", "url", "wasm-bindgen", "wasm-bindgen-futures", "web-sys", - "webpki-roots", "winreg", ] @@ -896,27 +874,6 @@ dependencies = [ "winapi", ] -[[package]] -name = "rustls" -version = "0.20.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d37e5e2290f3e040b594b1a9e04377c2c671f1a1cfd9bfdef82106ac1c113f84" -dependencies = [ - "log", - "ring", - "sct", - "webpki 0.22.0", -] - -[[package]] -name = "rustls-pemfile" -version = "0.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9" -dependencies = [ - "base64 0.13.0", -] - [[package]] name = "ryu" version = "1.0.5" @@ -933,16 +890,6 @@ dependencies = [ "winapi", ] -[[package]] -name = "sct" -version = "0.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "security-framework" version = "2.4.2" 
@@ -1034,22 +981,22 @@ version = "0.9.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b69f9a4c9740d74c5baa3fd2e547f9525fa8088a8a958e0ca2409a514e33f5fa" dependencies = [ - "block-buffer", + "block-buffer 0.9.0", "cfg-if", "cpufeatures", - "digest", + "digest 0.9.0", "opaque-debug", ] [[package]] -name = "simple_asn1" -version = "0.4.1" +name = "sha2" +version = "0.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "692ca13de57ce0613a363c8c2f1de925adebc81b04c923ac60c5488bb44abe4b" +checksum = "99c3bd8169c58782adad9290a9af5939994036b76187f7b4f0e6de91dbbfc0ec" dependencies = [ - "chrono", - "num-bigint 0.2.6", - "num-traits", + "cfg-if", + "cpufeatures", + "digest 0.10.1", ] [[package]] @@ -1080,6 +1027,12 @@ version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a" +[[package]] +name = "subtle" +version = "2.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601" + [[package]] name = "syn" version = "1.0.81" @@ -1134,16 +1087,6 @@ dependencies = [ "syn", ] -[[package]] -name = "time" -version = "0.1.43" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438" -dependencies = [ - "libc", - "winapi", -] - [[package]] name = "time" version = "0.3.5" @@ -1195,17 +1138,6 @@ dependencies = [ "tokio", ] -[[package]] -name = "tokio-rustls" -version = "0.23.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4baa378e417d780beff82bf54ceb0d195193ea6a00c14e22359e7f39456b5689" -dependencies = [ - "rustls", - "tokio", - "webpki 0.22.0", -] - [[package]] name = "tokio-util" version = "0.6.8" 
@@ -1429,35 +1361,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "webpki" -version = "0.21.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b8e38c0608262c46d4a56202ebabdeb094cef7e560ca7a226c6bf055188aa4ea" -dependencies = [ - "ring", - "untrusted", -] - -[[package]] -name = "webpki" -version = "0.22.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd" -dependencies = [ - "ring", - "untrusted", -] - -[[package]] -name = "webpki-roots" -version = "0.21.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aabe153544e473b775453675851ecc86863d2a81d786d741f6b76778f2a48940" -dependencies = [ - "webpki 0.21.4", -] - [[package]] name = "winapi" version = "0.3.9" @@ -1493,14 +1396,14 @@ dependencies = [ name = "zeroidc" version = "0.1.0" dependencies = [ - "base64 0.13.0", + "base64", "bytes", "cbindgen", - "jsonwebtoken", + "jwt", "openidconnect", "reqwest", "serde", "thiserror", - "time 0.3.5", + "time", "url", ] diff --git a/zeroidc/Cargo.toml b/zeroidc/Cargo.toml index e630bcb01..9b4449dd2 100644 --- a/zeroidc/Cargo.toml +++ b/zeroidc/Cargo.toml @@ -12,11 +12,11 @@ crate-type = ["staticlib","rlib"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] -openidconnect = "2.1" +openidconnect = { version = "2.2", default-features = false, features = ["reqwest", "native-tls"] } base64 = "0.13" url = "2.2" reqwest = "0.11" -jsonwebtoken = "7.2" +jwt = "0.16" serde = "1.0" time = { version = "0.3", features = ["formatting"] } bytes = "1.1" diff --git a/zeroidc/src/ext.rs b/zeroidc/src/ext.rs index 361e7ab6e..cb3afb88b 100644 --- a/zeroidc/src/ext.rs +++ b/zeroidc/src/ext.rs 
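Review bot: Switching `openidconnect` to `default-features = false, features = ["reqwest", "native-tls"]` drops the bundled `rustls`/`webpki-roots` stack (the lockfile hunks remove `rustls`, `hyper-rustls`, `tokio-rustls`, `webpki` and `webpki-roots`), so certificate validation for every identity-provider request now depends on the OpenSSL that make-linux.mk links with `-lssl -lcrypto` and on the CA store of the host at run time, rather than on a trust bundle shipped with the binary. Record that in the manifest, e.g. `# native-tls rather than rustls: TLS trust comes from the platform OpenSSL/CA store; see -lssl -lcrypto in make-linux.mk`, and make sure the builder and runtime images carry a current ca-certificates package; the motive is presumably that `ring`/rustls do not build on the newly added targets — confirm and state it. `jwt = "0.16"` replaces `jsonwebtoken`, and the only call in lib.rs is `Token::parse_unverified`, so this crate performs no signature check on the access token at all; that is acceptable only while the claims validation done by the openidconnect exchange remains the gate, which deserves a comment here or at the call site.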
@@ -16,6 +16,15 @@ use url::{Url};
 use crate::ZeroIDC;
+#[cfg(
+ any(
+ all(target_os = "linux", target_arch = "x86"),
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ target_os = "windows",
+ target_os = "macos",
+ )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_new(
 issuer: *const c_char,
@@ -57,6 +66,15 @@ pub extern "C" fn zeroidc_new(
 }
 }
+#[cfg(
+ any(
+ all(target_os = "linux", target_arch = "x86"),
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ target_os = "windows",
+ target_os = "macos",
+ )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_delete(ptr: *mut ZeroIDC) {
 if ptr.is_null() {
@@ -67,6 +85,15 @@ pub extern "C" fn zeroidc_delete(ptr: *mut ZeroIDC) {
 }
 }
+#[cfg(
+ any(
+ all(target_os = "linux", target_arch = "x86"),
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ target_os = "windows",
+ target_os = "macos",
+ )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_start(ptr: *mut ZeroIDC) {
 let idc = unsafe {
@@ -76,6 +103,15 @@ pub extern "C" fn zeroidc_start(ptr: *mut ZeroIDC) {
 idc.start();
 }
+#[cfg(
+ any(
+ all(target_os = "linux", target_arch = "x86"),
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ target_os = "windows",
+ target_os = "macos",
+ )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_stop(ptr: *mut ZeroIDC) {
 let idc = unsafe {
@@ -85,6 +121,15 @@ pub extern "C" fn zeroidc_stop(ptr: *mut ZeroIDC) {
 idc.stop();
 }
+#[cfg(
+ any(
+ all(target_os = "linux", target_arch = "x86"),
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ target_os = "windows",
+ target_os = "macos",
+ )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_is_running(ptr: *mut ZeroIDC) -> bool {
 let idc = unsafe {
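Review bot: The nine-line `#[cfg(any(...))]` attribute is pasted verbatim in front of nine exports in this file (these hunks and the ones on the next line) and three items in lib.rs, yet `use crate::ZeroIDC;` at the top of this file and `zeroidc_get_exp_time(ptr: *mut ZeroIDC)` (visible as hunk-header context in `@@ -105,6 +150,15 @@`) are not gated, so on an excluded target the crate would presumably still fail on the unresolved import — the per-function attributes gate nothing that the empty `zeroidc:` target in make-linux.mk does not already gate. Gate the module once instead: `#![cfg(any(...))]` as the first item of ext.rs, or `#[cfg(any(...))] mod ext;` in lib.rs, and give the platform list a single name (a `cargo:rustc-cfg=` emitted from a build script, or at minimum one comment pointing at `ZT_SSO_SUPPORTED` in make-linux.mk and `OIDC_SUPPORTED` in node/Constants.hpp) so the three copies cannot drift. The `target_os = "windows"` and `"macos"` arms accept every architecture while the Linux arms are arch-specific; if that is deliberate, say so in a comment. Every function body here begins or ends outside its hunk.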
@@ -105,6 +150,15 @@ pub extern "C" fn zeroidc_get_exp_time(ptr: *mut ZeroIDC) -> u64 {
 id.get_exp_time()
 }
+#[cfg(
+ any(
+ all(target_os = "linux", target_arch = "x86"),
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ target_os = "windows",
+ target_os = "macos",
+ )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_set_nonce_and_csrf(
 ptr: *mut ZeroIDC,
@@ -137,6 +191,15 @@ pub extern "C" fn zeroidc_set_nonce_and_csrf(
 idc.set_nonce_and_csrf(csrf_token, nonce);
 }
+#[cfg(
+ any(
+ all(target_os = "linux", target_arch = "x86"),
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ target_os = "windows",
+ target_os = "macos",
+ )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_get_auth_url(ptr: *mut ZeroIDC) -> *const c_char {
 if ptr.is_null() {
@@ -151,6 +214,15 @@ pub extern "C" fn zeroidc_get_auth_url(ptr: *mut ZeroIDC) -> *const c_char {
 return s.into_raw();
 }
+#[cfg(
+ any(
+ all(target_os = "linux", target_arch = "x86"),
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ target_os = "windows",
+ target_os = "macos",
+ )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_token_exchange(idc: *mut ZeroIDC, code: *const c_char ) -> *const c_char {
 if idc.is_null() {
@@ -219,6 +291,15 @@ pub extern "C" fn zeroidc_network_id_from_state(state: *const c_char) -> *const
 return s.into_raw();
 }
+#[cfg(
+ any(
+ all(target_os = "linux", target_arch = "x86"),
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ target_os = "windows",
+ target_os = "macos",
+ )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_kick_refresh_thread(idc: *mut ZeroIDC) {
 if idc.is_null() {
diff --git a/zeroidc/src/lib.rs b/zeroidc/src/lib.rs
index 579dad7d9..a5db2319f 100644
--- a/zeroidc/src/lib.rs
+++ b/zeroidc/src/lib.rs
@@ -22,11 +22,10 @@ extern crate url;
 use crate::error::ZeroIDCError;
 use bytes::Bytes;
-use jsonwebtoken::{dangerous_insecure_decode};
+use jwt::{Token};
 use openidconnect::core::{CoreClient, CoreProviderMetadata, CoreResponseType};
 use openidconnect::reqwest::http_client;
 use openidconnect::{AccessToken, AccessTokenHash, AuthorizationCode, AuthenticationFlow, ClientId, CsrfToken, IssuerUrl, Nonce, OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RefreshToken, Scope, TokenResponse};
-use serde::{Deserialize, Serialize};
 use std::str::from_utf8;
 use std::sync::{Arc, Mutex};
 use std::thread::{sleep, spawn, JoinHandle};
@@ -36,10 +35,28 @@ use time::{OffsetDateTime, format_description};
 use url::Url;
+#[cfg(
+ any(
+ all(target_os = "linux", target_arch = "x86"),
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ target_os = "windows",
+ target_os = "macos",
+ )
+)]
 pub struct ZeroIDC {
 inner: Arc>,
 }
+#[cfg(
+ any(
+ all(target_os = "linux", target_arch = "x86"),
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ target_os = "windows",
+ target_os = "macos",
+ )
+)]
 struct Inner {
 running: bool,
 auth_endpoint: String,
@@ -63,11 +80,6 @@ impl Inner {
 }
 }
-#[derive(Debug, Serialize, Deserialize)]
-struct Exp {
- exp: u64
-}
-
 fn csrf_func(csrf_token: String) -> Box CsrfToken> {
 return Box::new(move || CsrfToken::new(csrf_token.to_string()));
 }
@@ -94,6 +106,15 @@ fn systemtime_strftime(dt: T, format: &str) -> String
 }
 }
+#[cfg(
+ any(
+ all(target_os = "linux", target_arch = "x86"),
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ target_os = "windows",
+ target_os = "macos",
+ )
+)]
 impl ZeroIDC {
 pub fn new(
 issuer: &str,
@@ -277,15 +298,20 @@ impl ZeroIDC {
 let access_token = res.access_token();
 let at = access_token.secret();
- // yes this function is called `dangerous_insecure_decode`
- // and it doesn't validate the jwt token signature,
- // but if we've gotten this far, our claims have already
- // been validated up above
- let exp = dangerous_insecure_decode::(&at);
+
+ let t: Result>, jwt::Error>= Token::parse_unverified(at);
- if let Ok(e) = exp {
- (*inner_local.lock().unwrap()).exp_time = e.claims.exp
- }
+ if let Ok(t) = t {
+ let claims = t.claims().registered.clone();
+ match claims.expiration {
+ Some(exp) => {
+ (*inner_local.lock().unwrap()).exp_time = exp;
+ },
+ None => {
+ panic!("expiration is None. This shouldn't happen")
+ }
+ }
+ }
 (*inner_local.lock().unwrap()).access_token = Some(access_token.clone());
 if let Some(t) = res.refresh_token() {
@@ -543,11 +569,19 @@ impl ZeroIDC {
 let at = tok.access_token().secret();
- // see previous note about this function's use
- let exp = dangerous_insecure_decode::(&at);
- if let Ok(e) = exp {
- i.exp_time = e.claims.exp
- }
+ let t: Result>, jwt::Error>= Token::parse_unverified(at);
+
+ if let Ok(t) = t {
+ let claims = t.claims().registered.clone();
+ match claims.expiration {
+ Some(exp) => {
+ i.exp_time = exp;
+ },
+ None => {
+ panic!("expiration is None. This shouldn't happen")
+ }
+ }
+ }
 i.access_token = Some(tok.access_token().clone());
 if let Some(t) = tok.refresh_token() {
@@ -599,4 +633,3 @@ impl ZeroIDC {
 };
 }
 }
-
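Review bot: The new `None => panic!(...)` arm (both hunks) turns an access token without an `exp` claim into a crash: `exp` is optional in RFC 7519 and an OAuth access token is not even required to be a JWT, so a provider-side change or a malformed token response can now kill the refresh thread (second hunk) or the token-exchange path (first hunk), whereas the old `if let Ok(e) = exp` kept the previous expiry, and a token that fails `parse_unverified` altogether is still silently ignored one line above. Treat a missing claim like a parse failure — keep `exp_time`, or compute it from `res.expires_in()`, which `OAuth2TokenResponse` already provides — and log instead of panicking; `registered.expiration` is an `Option<u64>`, so cloning the whole `registered` struct is unnecessary. The four-line comment that was removed with `dangerous_insecure_decode` should return above `Token::parse_unverified`, e.g. `// parse_unverified does not check the signature; the ID token was validated by the openidconnect exchange above, this only reads exp from the access token`, on the assumption that the earlier validation still holds — confirm. The generics in `Result>, jwt::Error>` look like an extraction artefact rather than committed text. The second hunk mirrors the rewrite below with `i.exp_time`.

```rust
let t: Result<Token<jwt::Header, jwt::Claims>, jwt::Error> = Token::parse_unverified(at);
// parse_unverified does not check the signature: the ID token was validated by the
// openidconnect exchange above; this only reads `exp` from the access token.
match t.as_ref().ok().and_then(|t| t.claims().registered.expiration) {
    Some(exp) => (*inner_local.lock().unwrap()).exp_time = exp,
    None => eprintln!("access token has no usable exp claim; keeping previous expiry"),
}
// … unchanged: access_token / refresh_token bookkeeping …
```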