bump ldap3 fork, initialise aws_lc_rs with single function for ldap and direct tls

Signed-off-by: June Strawberry <june@vern.cc>
2025-12-19 23:18:55 -05:00
parent 7115fb2796
commit 6455ef72cd
7 changed files with 41 additions and 24 deletions
--- a/src/router/serve/mod.rs
+++ b/src/router/serve/mod.rs
@@ -32,6 +32,8 @@ pub(super) async fn serve(
 	if cfg!(unix) && config.unix_socket_path.is_some() {
 		unix::serve(server, app, shutdown).await
 	} else if config.tls.certs.is_some() {
+		#[cfg(feature = "direct_tls")]
+		services.globals.init_rustls_provider()?;
 		#[cfg(feature = "direct_tls")]
 		return tls::serve(server, app, handle, addrs).await;

--- a/src/router/serve/tls.rs
+++ b/src/router/serve/tls.rs
@@ -27,12 +27,6 @@ pub(super) async fn serve(
 		.as_ref()
 		.ok_or_else(|| err!(Config("tls.key", "Missing required value in tls config section")))?;

-	// we use ring for ruma and hashing state, but aws-lc-rs is the new default.
-	// without this, TLS mode will panic.
-	rustls::crypto::aws_lc_rs::default_provider()
-		.install_default()
-		.expect("failed to initialise aws-lc-rs rustls crypto provider");
-
 	info!(
 		"Note: It is strongly recommended that you use a reverse proxy instead of running \
 		 tuwunel directly with TLS."
--- a/src/service/Cargo.toml
+++ b/src/service/Cargo.toml
@@ -107,6 +107,7 @@ rand.workspace = true
 regex.workspace = true
 reqwest.workspace = true
 ruma.workspace = true
+rustls.workspace = true
 rustyline-async.workspace = true
 rustyline-async.optional = true
 serde_json.workspace = true
--- a/src/service/globals/mod.rs
+++ b/src/service/globals/mod.rs
@@ -4,7 +4,7 @@ use std::{collections::HashSet, ops::Range, sync::Arc};

 use data::Data;
 use ruma::{OwnedUserId, RoomAliasId, ServerName, UserId};
-use tuwunel_core::{Result, Server, error};
+use tuwunel_core::{Result, Server, err, error};

 use crate::service;

@@ -130,4 +130,16 @@ impl Service {

 		tokens
 	}
+
+	pub fn init_rustls_provider(&self) -> Result {
+		if rustls::crypto::CryptoProvider::get_default().is_none() {
+			rustls::crypto::aws_lc_rs::default_provider()
+				.install_default()
+				.map_err(|_provider| {
+					err!(error!("Error initialising aws_lc_rs rustls crypto backend"))
+				})
+		} else {
+			Ok(())
+		}
+	}
 }
--- a/src/service/users/ldap.rs
+++ b/src/service/users/ldap.rs
@@ -21,6 +21,10 @@ pub async fn search_ldap(&self, user_id: &UserId) -> Result<Vec<(String, bool)>>
 		.as_ref()
 		.ok_or_else(|| err!(Ldap(error!("LDAP URI is not configured."))))?;

+	if uri.scheme().starts_with("ldaps") {
+		self.services.globals.init_rustls_provider()?;
+	}
+
 	debug!(?uri, "LDAP creating connection...");
 	let (conn, mut ldap) = LdapConnAsync::new(uri.as_str())
 		.await
@@ -122,6 +126,10 @@ pub async fn auth_ldap(&self, user_dn: &str, password: &str) -> Result {
 		.as_ref()
 		.ok_or_else(|| err!(Ldap(error!("LDAP URI is not configured."))))?;

+	if uri.scheme().starts_with("ldaps") {
+		self.services.globals.init_rustls_provider()?;
+	}
+
 	debug!(?uri, "LDAP creating connection...");
 	let (conn, mut ldap) = LdapConnAsync::new(uri.as_str())
 		.await