`34378cc`

feat: integrate TLS with backwards compatibility

- Add tls.enabled config (default: false) for opt-in encryption
- Add per-neighbor tls override for mixed TLS/non-TLS environments
- Generate certificates on startup when TLS enabled
- Use TLS for server binding and outgoing connections based on config
- Print certificate fingerprint at startup for TOFU verification
- Clean up unused import warnings in network module

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 4 months ago

SHA: 34378cc01370f9935c07fdfb3ffa94c76235c008
Parents: ce63a95
Tree: c874474

5 changed files

Status	File	+	-
M	`hyprkvm-daemon/src/config/mod.rs`	16	1
M	`hyprkvm-daemon/src/main.rs`	69	5
M	`hyprkvm-daemon/src/network/mod.rs`	2	0
M	`hyprkvm-daemon/src/network/tls.rs`	2	0
M	`hyprkvm-daemon/src/network/transport.rs`	1	2

hyprkvm-daemon/src/config/mod.rsmodified

  #[derive(Debug, Clone, Serialize, Deserialize)]
  pub struct TlsConfig {
++    /// Enable TLS encryption (default: false for backwards compatibility)
++    #[serde(default)]
++    pub enabled: bool,
++
      /// Path to certificate file
      #[serde(default = "default_cert_path")]
      pub cert_path: String,
      /// Path to private key file
      #[serde(default = "default_key_path")]
      pub key_path: String,
++
++    /// Enable TOFU (Trust On First Use) for unknown peers
++    #[serde(default = "default_true")]
++    pub tofu: bool,
  }
  fn default_cert_path() -> String {
  impl Default for TlsConfig {
      fn default() -> Self {
          Self {
++            enabled: false, // Default to false for backwards compatibility
              cert_path: default_cert_path(),
              key_path: default_key_path(),
++            tofu: true,
          }
      }
  }
      /// Address (ip:port)
      pub address: SocketAddr,
--    /// Pre-trusted certificate fingerprint (optional)
++    /// Pre-trusted certificate fingerprint (optional, for TLS pinning)
++    #[serde(default, skip_serializing_if = "Option::is_none")]
      pub fingerprint: Option<String>,
++
++    /// Override TLS setting for this neighbor (uses global setting if None)
++    #[serde(default, skip_serializing_if = "Option::is_none")]
++    pub tls: Option<bool>,
  }
  #[derive(Debug, Clone, Serialize, Deserialize)]

hyprkvm-daemon/src/main.rsmodified

      let peers: Arc<RwLock<HashMap<Direction, network::FramedConnection>>> =
          Arc::new(RwLock::new(HashMap::new()));
++    // TLS setup (if enabled)
++    let tls_enabled = config.network.tls.enabled;
++    if tls_enabled {
++        info!("TLS is enabled, ensuring certificates exist...");
++        let cert_path = std::path::Path::new(&config.network.tls.cert_path);
++        let key_path = std::path::Path::new(&config.network.tls.key_path);
++
++        if let Err(e) = network::ensure_certificate(cert_path, key_path, &config.machines.self_name) {
++            anyhow::bail!("Failed to setup TLS certificates: {}", e);
++        }
++
++        // Print certificate fingerprint for users to share
++        match network::get_cert_fingerprint(cert_path) {
++            Ok(fp) => {
++                info!("Certificate fingerprint: {}", fp);
++                info!("Share this fingerprint with peers for secure verification");
++            }
++            Err(e) => {
++                tracing::warn!("Could not read certificate fingerprint: {}", e);
++            }
++        }
++    } else {
++        info!("TLS is disabled (plain TCP mode for backwards compatibility)");
++    }
++
      // Start network server
      let listen_addr: SocketAddr = format!("0.0.0.0:{}", config.network.listen_port).parse()?;
--    let server = network::Server::bind(listen_addr).await?;
++    let server = if tls_enabled {
--    info!("Listening for connections on {}", server.local_addr());
++        let cert_path = std::path::Path::new(&config.network.tls.cert_path);
++        let key_path = std::path::Path::new(&config.network.tls.key_path);
++        network::Server::bind_tls(listen_addr, cert_path, key_path).await?
++    } else {
++        network::Server::bind(listen_addr).await?
++    };
++    info!("Listening for connections on {} (TLS: {})", server.local_addr(), tls_enabled);
      // Spawn task to accept incoming connections
      let machine_name = config.machines.self_name.clone();
          let direction = neighbor.direction;
          let peers_clone = peers.clone();
          let machine_name = config.machines.self_name.clone();
++        let neighbor_name = neighbor.name.clone();
++
++        // Determine if TLS should be used for this neighbor
++        // Per-neighbor override takes precedence over global setting
++        let use_tls = neighbor.tls.unwrap_or(tls_enabled);
++        let fingerprint = neighbor.fingerprint.clone();
++        let tofu_enabled = config.network.tls.tofu;
          tokio::spawn(async move {
              loop {
+                     }
+                 }
--                tracing::debug!("Connecting to {} at {}...", direction, addr);
++                tracing::debug!("Connecting to {} at {} (TLS: {})...", direction, addr, use_tls);
--                match network::connect(addr).await {
++
++                // Connect with or without TLS
++                let conn_result = if use_tls {
++                    network::connect_tls(
++                        addr,
++                        &neighbor_name,
++                        fingerprint.as_deref(),
++                        tofu_enabled,
++                    ).await
++                } else {
++                    network::connect(addr).await
++                };
++
++                match conn_result {
                      Ok(mut conn) => {
                          // Send Hello
                          let hello = Message::Hello(HelloPayload {
                                  let peers_clone = peers.clone();
                                  let machine_name = config.machines.self_name.clone();
                                  let neighbor_name = n.name.clone();
++
++                                // Determine TLS settings for this neighbor
++                                let use_tls = n.tls.unwrap_or(tls_enabled);
++                                let fingerprint = n.fingerprint.clone();
++                                let tofu = config.network.tls.tofu;
++
                                  tokio::spawn(async move {
--                                    match network::connect(addr).await {
++                                    // Connect with or without TLS
++                                    let conn_result = if use_tls {
++                                        network::connect_tls(addr, &neighbor_name, fingerprint.as_deref(), tofu).await
++                                    } else {
++                                        network::connect(addr).await
++                                    };
++
++                                    match conn_result {
                                          Ok(mut conn) => {
                                              // Send Hello
                                              let hello = Message::Hello(HelloPayload {

hyprkvm-daemon/src/network/mod.rsmodified


 //!
 //! Handles peer-to-peer connections between HyprKVM instances.
 
+#![allow(unused_imports)]
+
 #[allow(dead_code)]
 pub mod known_hosts;
 #[allow(dead_code)]

hyprkvm-daemon/src/network/tls.rsmodified

  impl HyprkvmCertVerifier {
      /// Create verifier with pinned fingerprint
++    #[allow(dead_code)]
      pub fn with_fingerprint(fingerprint: Fingerprint) -> Self {
          Self {
              expected_fingerprint: Some(fingerprint),
      }
      /// Create verifier with TOFU enabled
++    #[allow(dead_code)]
      pub fn with_tofu() -> Self {
          Self {
              expected_fingerprint: None,

hyprkvm-daemon/src/network/transport.rsmodified

  use std::net::SocketAddr;
  use std::path::Path;
  use std::pin::Pin;
--use std::sync::Arc;
  use std::task::{Context, Poll};
  use bytes::{Buf, BufMut, BytesMut};
  use tokio::net::{TcpListener, TcpStream};
  use tokio_rustls::client::TlsStream as ClientTlsStream;
  use tokio_rustls::server::TlsStream as ServerTlsStream;
--use tokio_rustls::{TlsAcceptor, TlsConnector};
++use tokio_rustls::TlsAcceptor;
  use hyprkvm_common::protocol::Message;

`@@ -2,6 +2,8 @@`
2	//!	2	//!
3	//! Handles peer-to-peer connections between HyprKVM instances.	3	//! Handles peer-to-peer connections between HyprKVM instances.
4		4
		5	+#![allow(unused_imports)]
		6	+
5	#[allow(dead_code)]	7	#[allow(dead_code)]
6	pub mod known_hosts;	8	pub mod known_hosts;
7	#[allow(dead_code)]	9	#[allow(dead_code)]