feat: Integrate TLS on client and server side for secure connection

Add required crates rustls, tokio-rustls, webpki-roots and rustls-pemfile
Implement functions to handle tls accepter and connector on server and client side
Update serve config file to take file paths for fullchain.pem and privkey.pem
Implement functions on server side to parse pem files
Keep TLS optional on server side
On Client side try to upgrade server for 10 seconds and fallback to non tls server

Author: ByteMaster2003

.github/workflows/release.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-latest, ubuntu-22.04-arm64, macos-latest, windows-latest]
+        os: [ubuntu-latest, ubuntu-latest-arm64, macos-latest, windows-latest]
 
     steps:
       - name: Checkout

Cargo.lock

@@ -11,3 +11,5 @@ rsa = { version = "0.9.8", features = ["serde", "sha2"] }
 ssh-key = "0.6.7"
 hex = "0.4.3"
 bincode = "2.0.1"
+tokio-rustls = "0.26.2"
+rustls = "0.23.31"

Cargo.toml

@@ -19,3 +19,6 @@ ratatui = "0.29.0"
 color-eyre = "0.6.5"
 chrono = "0.4.41"
 tui-textarea = "0.7.0"
+tokio-rustls.workspace = true
+rustls.workspace = true
+webpki-roots = "1.0.2"

client/Cargo.toml

@@ -3,7 +3,7 @@ use null_talk_client::{
     handlers::handle_client,
     types::{LogLevel, LogMessage},
     ui::run_terminal,
-    utils::configure_client,
+    utils::{configure_client, try_tls_handshake},
 };
 use std::env;
 use tokio::net::TcpStream;
@@ -17,7 +17,7 @@ async fn main() {
 
     // Create TCP connection thread
     let tcp = tokio::spawn(async move {
-        let addr = {
+        let (addr, host_name) = {
             let config_lock = data::CLIENT_CONFIG.lock().await;
             let config = match config_lock.as_ref() {
                 Some(cfg) => cfg,
@@ -27,19 +27,52 @@ async fn main() {
                 }
             };
 
-            format!("{}:{}", &config.hostname, &config.port)
+            (
+                format!("{}:{}", &config.hostname, &config.port),
+                config.hostname.clone(),
+            )
         };
 
         match TcpStream::connect(addr.clone()).await {
             Ok(stream) => {
                 LogMessage::log(
                     LogLevel::INFO,
-                    format!("Successfully connected to {}", addr.clone()),
-                    5,
+                    format!("Establishing a secure TLS connection..."),
+                    0,
                 )
                 .await;
-
-                handle_client(Box::new(stream)).await;
+                let result = try_tls_handshake(host_name, stream).await;
+                match result {
+                    Some(tls_stream) => {
+                        LogMessage::log(
+                            LogLevel::INFO,
+                            format!("Successfully connected to {}", addr),
+                            5,
+                        )
+                        .await;
+                        handle_client(tls_stream).await;
+                    }
+                    None => match TcpStream::connect(addr.clone()).await {
+                        Ok(plain_stream) => {
+                            LogMessage::log(
+                                LogLevel::INFO,
+                                format!("Successfully connected to {}, TLS not enabled", addr),
+                                5,
+                            )
+                            .await;
+                            handle_client(Box::new(plain_stream)).await;
+                        }
+                        Err(_) => {
+                            LogMessage::log(
+                                LogLevel::ERROR,
+                                format!("Failed to connect to {}", addr),
+                                0,
+                            )
+                            .await;
+                            return;
+                        }
+                    },
+                };
             }
             Err(_) => {
                 LogMessage::log(LogLevel::ERROR, format!("Failed to connect to {}", addr), 0).await;

client/src/main.rs

@@ -1,12 +1,22 @@
-use crate::data::CLIENT_CONFIG;
+use crate::{
+    data::CLIENT_CONFIG,
+    types::{LogLevel, LogMessage},
+};
 use common::{
-    net::{HandshakePacket, StreamReader, StreamWriter},
+    net::{AsyncStream, HandshakePacket, StreamReader, StreamWriter},
     utils::{enc as encutils, net as netutils},
 };
 use rsa::RsaPrivateKey;
+use rustls::{ClientConfig, pki_types::ServerName};
+use std::sync::Arc;
+use tokio::{
+    net::TcpStream,
+    time::{Duration, timeout},
+};
+use tokio_rustls::TlsConnector;
 
 /// ### Perform the initial handshake with the server.
-/// 
+///
 /// This function handles the entire handshake process, including
 /// sending the initial handshake packet, receiving the server's
 /// response, and completing the handshake by establishing a
@@ -83,3 +93,58 @@ pub async fn perform_handshake(
 
     Ok(session_key)
 }
+
+pub async fn create_tls_connector() -> Result<TlsConnector, Box<dyn std::error::Error + Send + Sync>>
+{
+    // Load the root certificates from the webpki-roots crate
+    let mut root_store = rustls::RootCertStore::empty();
+    root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
+
+    // Create the client configuration
+    let config = ClientConfig::builder()
+        .with_root_certificates(root_store)
+        .with_no_client_auth();
+
+    // Create the async TLS connector
+    let connector = TlsConnector::from(Arc::new(config));
+    Ok(connector)
+}
+
+pub async fn try_tls_handshake(
+    host_name: String,
+    stream: TcpStream,
+) -> Option<Box<dyn AsyncStream>> {
+    // Convert the hostname string to a ServerName
+    let domain = match ServerName::try_from(host_name) {
+        Ok(name) => name,
+        Err(_) => return None,
+    };
+
+    let tls_connector = match create_tls_connector().await {
+        Ok(connector) => connector,
+        Err(e) => {
+            LogMessage::log(
+                LogLevel::ERROR,
+                format!("Failed to create TLS connector: {}", e),
+                0,
+            )
+            .await;
+            return None;
+        }
+    };
+
+    let timeout_duration = Duration::from_secs(10); // 10-second timeout
+
+    // The handshake future
+    let handshake_future = tls_connector.connect(domain, stream);
+
+    // Apply the timeout
+    let result = timeout(timeout_duration, handshake_future).await;
+
+    let tls = match result {
+        Ok(Ok(tls)) => tls,
+        _ => return None,
+    };
+
+    Some(Box::new(tls))
+}

client/src/utils/net.rs

@@ -12,9 +12,9 @@ common = { path = "../common" }
 config.workspace = true
 hex.workspace = true
 rsa.workspace = true
-rustls = "0.23.31"
-rustls-pemfile = "2.2.0"
 serde = { workspace = true, features = ["derive"] }
 tokio = { workspace = true, features = ["full"] }
-tokio-rustls = "0.26.2"
 uuid = { version = "1.18.0", features = ["v4"] }
+rustls.workspace = true
+rustls-pemfile = "2.2.0"
+tokio-rustls.workspace = true

client/src/utils/tls.rs

@@ -1,7 +1,6 @@
-host = "0.0.0.0"
 port = 8080
 
-[tls]
-enabled = false
-cert_path = "/etc/letsencrypt/live/viveksahani.com/fullchain.pem"
-key_path = "/etc/letsencrypt/live/viveksahani.com/privkey.pem"
+# [tls]
+# enabled = false
+# cert_path = "/etc/letsencrypt/live/viveksahani.com/fullchain.pem"
+# key_path = "/etc/letsencrypt/live/viveksahani.com/privkey.pem"

server/Cargo.toml

@@ -4,21 +4,15 @@ use std::{env, error::Error, path::PathBuf};
 
 #[derive(Debug, Deserialize, Clone)]
 pub struct TLSConfig {
-    pub enabled: bool,
-    pub cert_path: Option<String>,
-    pub key_path: Option<String>,
+    pub cert_path: String,
+    pub key_path: String,
 }
 
 /// Configuration for the server
 #[derive(Debug, Deserialize, Clone)]
 pub struct ServerConfig {
-    /// Hostname or IP address of the server
-    pub host: String,
-
-    /// Port number for the server  
+    // pub domain: String,
     pub port: u16,
-
-    /// TLS configuration
     pub tls: Option<TLSConfig>
 }
 
@@ -52,6 +46,6 @@ impl ServerConfig {
 
     /// Get the server address as a string
     pub fn get_addr(&self) -> String {
-        format!("{}:{}", self.host, self.port)
+        format!("0.0.0.0:{}", self.port)
     }
 }