Christian Nennemann
6b8b61c6ae
Delivery sequence numbers (MLS epoch ordering fix):
- schemas/node.capnp: add Envelope{seq,data} struct; enqueue returns seq:UInt64;
fetch/fetchWait return List(Envelope) instead of List(Data)
- storage.rs: Store trait enqueue returns u64; fetch/fetch_limited return
Vec<(u64, Vec<u8>)>; FileBackedStore gains QueueMapV3 with per-inbox seq
counters and V2→V3 on-disk migration
- migrations/002_add_seq.sql: seq column, delivery_seq_counters table, index
- sql_store.rs: atomic UPSERT counter via RETURNING, ORDER BY seq, SCHEMA_VERSION→3
- node_service/delivery.rs: builds Envelope list; returns seq from enqueue
- client/rpc.rs: enqueue→u64, fetch_all/fetch_wait→Vec<(u64,Vec<u8>)>
- client/commands.rs: sort-by-seq before MLS processing; retry loop in cmd_recv
and receive_pending_plaintexts for correct epoch ordering
Server refactor:
- Split monolithic main.rs into node_service/{mod,delivery,auth_ops,key_ops,p2p_ops}
- Add auth.rs (token validation, rate limiting), config.rs, metrics.rs, tls.rs
- Add SQL migrations runner (001_initial.sql, 002_add_seq.sql)
- OPAQUE PAKE login/registration, sealed-sender mode, queue depth limit (1000)
Client refactor:
- Split lib.rs into client/{commands,rpc,state,retry,hex,mod}
- Add cmd_whoami, cmd_health, cmd_check_key, cmd_ping subcommands
- Add cmd_register_user, cmd_login (OPAQUE), cmd_refresh_keypackage
- Hybrid PQ envelope (X25519 + ML-KEM-768) on all send/recv paths
- E2E test suite expanded
Other:
- quicnprotochat-gui: Tauri 2 desktop GUI skeleton (backend + HTML UI)
- quicnprotochat-p2p: iroh-based P2P transport stub
- quicnprotochat-core: app_message, hybrid_crypto modules; GroupMember API updates
- .github/workflows/size-lint.yml: binary size regression check
- docs: protocol comparison, roadmap updates, fully-operational checklist
73 lines
2.4 KiB
Rust
73 lines
2.4 KiB
Rust
use std::path::PathBuf;
|
|
|
|
use anyhow::Context;
|
|
use quinn::ServerConfig;
|
|
use quinn_proto::crypto::rustls::QuicServerConfig;
|
|
use rcgen::generate_simple_self_signed;
|
|
use rustls::pki_types::{CertificateDer, PrivateKeyDer};
|
|
use rustls::version::TLS13;
|
|
|
|
/// Ensure a self-signed certificate exists on disk and return a QUIC server config.
|
|
/// When `production` is true, cert and key must already exist (no auto-generation).
|
|
pub fn build_server_config(
|
|
cert_path: &PathBuf,
|
|
key_path: &PathBuf,
|
|
production: bool,
|
|
) -> anyhow::Result<ServerConfig> {
|
|
if !cert_path.exists() || !key_path.exists() {
|
|
if production {
|
|
anyhow::bail!(
|
|
"TLS cert or key missing at {:?} / {:?}; production mode forbids auto-generation",
|
|
cert_path,
|
|
key_path
|
|
);
|
|
}
|
|
generate_self_signed_cert(cert_path, key_path)?;
|
|
}
|
|
|
|
let cert_bytes = std::fs::read(cert_path).context("read cert")?;
|
|
let key_bytes = std::fs::read(key_path).context("read key")?;
|
|
|
|
let cert_chain = vec![CertificateDer::from(cert_bytes)];
|
|
let key = PrivateKeyDer::try_from(key_bytes).map_err(|_| anyhow::anyhow!("invalid key"))?;
|
|
|
|
let mut tls = rustls::ServerConfig::builder_with_protocol_versions(&[&TLS13])
|
|
.with_no_client_auth()
|
|
.with_single_cert(cert_chain, key)?;
|
|
tls.alpn_protocols = vec![b"capnp".to_vec()];
|
|
|
|
let crypto = QuicServerConfig::try_from(tls)
|
|
.map_err(|e| anyhow::anyhow!("invalid server TLS config: {e}"))?;
|
|
|
|
Ok(ServerConfig::with_crypto(std::sync::Arc::new(crypto)))
|
|
}
|
|
|
|
fn generate_self_signed_cert(cert_path: &PathBuf, key_path: &PathBuf) -> anyhow::Result<()> {
|
|
if let Some(parent) = cert_path.parent() {
|
|
std::fs::create_dir_all(parent).context("create cert dir")?;
|
|
}
|
|
if let Some(parent) = key_path.parent() {
|
|
std::fs::create_dir_all(parent).context("create key dir")?;
|
|
}
|
|
|
|
let subject_alt_names = vec![
|
|
"localhost".to_string(),
|
|
"127.0.0.1".to_string(),
|
|
"::1".to_string(),
|
|
];
|
|
|
|
let issued = generate_simple_self_signed(subject_alt_names)?;
|
|
let key_der = issued.key_pair.serialize_der();
|
|
|
|
std::fs::write(cert_path, issued.cert.der()).context("write cert")?;
|
|
std::fs::write(key_path, &key_der).context("write key")?;
|
|
|
|
tracing::info!(
|
|
cert = %cert_path.display(),
|
|
key = %key_path.display(),
|
|
"generated self-signed TLS certificate"
|
|
);
|
|
|
|
Ok(())
|
|
}
|