
Merge branch 'dev' of https://github.com/zerotier/zerotierone into dev

Joseph Henry 3 年之前
父节点
当前提交
566ac113e4
共有 12 个文件被更改,包括 444 次插入204 次删除
  1. 143 0
      .drone.yml
  2. 7 0
      ci/Dockerfile.sid
  3. 28 0
      ci/scripts/build.sh
  4. 1 1
      debian/rules
  5. 2 2
      include/ZeroTierOne.h
  6. 23 7
      make-linux.mk
  7. 9 0
      node/Constants.hpp
  8. 23 3
      service/OneService.cpp
  9. 71 168
      zeroidc/Cargo.lock
  10. 2 2
      zeroidc/Cargo.toml
  11. 81 0
      zeroidc/src/ext.rs
  12. 54 21
      zeroidc/src/lib.rs

+ 143 - 0
.drone.yml

@@ -0,0 +1,143 @@
+---
+kind: pipeline
+type: docker
+name: build 386
+
+clone:
+  depth: 1
+
+steps:
+  - name: build 386
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux 386 $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
+
+---
+kind: pipeline
+type: docker
+name: build amd64
+
+clone:
+  depth: 1
+
+steps:
+  - name: build amd64
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux amd64 $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
+
+---
+kind: pipeline
+type: docker
+name: build arm64
+
+clone:
+  depth: 1
+
+steps:
+  - name: build arm64
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux arm64 $${DRONE_COMMIT_SHA}
+
+platform:
+  os: linux
+  arch: arm64
+      
+image_pull_secrets:
+  - dockerconfigjson
+
+---
+kind: pipeline
+type: docker
+name: build armv7
+
+platform:
+  os: linux
+  arch: arm64
+
+clone:
+  depth: 1
+
+steps:
+  - name: build armv7
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux armv7 $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
+
+---
+kind: pipeline
+type: docker
+name: build riscv64
+
+clone:
+  depth: 1
+
+steps:
+  - name: build riscv64
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux riscv64 $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
+
+---
+kind: pipeline
+type: docker
+name: build mips64le
+
+clone:
+  depth: 1
+
+steps:
+  - name: build mips64le
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux mips64le $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
+
+---
+kind: pipeline
+type: docker
+name: build ppc64le
+
+clone:
+  depth: 1
+
+steps:
+  - name: build ppc64le
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux ppc64le $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
+
+---
+kind: pipeline
+type: docker
+name: build s390x
+
+clone:
+  depth: 1
+
+steps:
+  - name: build s390x
+    image: registry.sean.farm/honda-builder
+    commands:
+      - ./ci/scripts/build.sh linux s390x $${DRONE_COMMIT_SHA}
+
+image_pull_secrets:
+  - dockerconfigjson
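Review bot: The `image:` line in each of the eight pipelines names `registry.sean.farm/honda-builder` with neither a tag nor a digest, so every pipeline resolves to whatever `:latest` is at run time; a build cannot be reproduced from the commit alone, and a change to that image silently changes every artefact this CI produces. Pin it, e.g. `image: registry.sean.farm/honda-builder@sha256:<digest-placeholder>`, and bump the pin deliberately. The `build armv7` pipeline is the only one that declares a runner `platform:` (arm64) alongside an arm64 pipeline that also declares it; a one-line comment such as `# armv7 is cross-built on an arm64 runner` would make that intent explicit. The blank line after the armv7 `platform:` block carries trailing whitespace.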

+ 7 - 0
ci/Dockerfile.sid

@@ -0,0 +1,7 @@
+FROM registry.sean.farm/sid-builder as stage
+COPY . .
+RUN /usr/bin/make -j 8
+
+FROM scratch AS export
+COPY --from=stage /zerotier-one .
+COPY --from=stage /zerotier-cli .
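Review bot: `COPY . .` and the two `COPY --from=stage /zerotier-one .` / `/zerotier-cli .` lines only agree if the builder image's working directory is `/`, which this file never states; if `sid-builder` sets any other `WORKDIR` the export stage fails on its last two lines. Make the path explicit with `WORKDIR /src` before the copy and `COPY --from=stage /src/zerotier-one .` (same for `zerotier-cli`). The base image is also untagged, so the toolchain is whatever `:latest` is on the day of the build — pin a tag or digest. `-j 8` is hard-coded while `ci/scripts/build.sh` goes to the trouble of printing `nproc`; `RUN make -j"$(nproc)"` would use the runner's actual cores.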

+ 28 - 0
ci/scripts/build.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+export GOOS=$1
+export GOARCH=$2
+export VERSION=$3
+export DOCKER_BUILDKIT=1
+
+echo "nproc: $(nproc)"
+
+case $GOARCH in
+    armv5)
+        export ARCH=arm/v5
+        ;;
+    armv7)
+        export ARCH=arm/v7
+        ;;
+    arm64)
+        export ARCH=arm64/v8
+        ;;
+    *)
+        export ARCH=$GOARCH
+        ;;
+esac
+
+docker run --privileged --rm tonistiigi/binfmt --install all
+docker buildx build --platform ${GOOS}/${ARCH} -f ci/Dockerfile.sid --target export -t test . --output out/${GOOS}/${GOARCH}
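Review bot: `docker run --privileged --rm tonistiigi/binfmt --install all` runs an unpinned public image with full host privileges on every CI build, so the emulator registration for the whole runner depends on whatever that tag resolves to that day; pin it by digest (`tonistiigi/binfmt@sha256:<digest-placeholder>`) and install only the platform this pipeline needs rather than `all`. `VERSION` (the commit SHA passed as the third argument from `.drone.yml`) is exported but nothing in this script or in `ci/Dockerfile.sid` reads it — there is no `--build-arg` — so either drop it or pass it through with `--build-arg VERSION="$VERSION"`. The `${GOOS}/${ARCH}` and `out/${GOOS}/${GOARCH}` expansions are unquoted; with `IFS=$'\n\t'` that is harmless today, but `"${GOOS}/${ARCH}"` costs nothing.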

+ 1 - 1
debian/rules

@@ -7,7 +7,7 @@ CXXFLAGS=-O3 -fstack-protector-strong
 	dh $@ --with systemd
 
 override_dh_auto_build:
-	make -j`nproc`
+	make
 
 override_dh_systemd_start:
 	dh_systemd_start --restart-after-upgrade
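Review bot: The new recipe invokes `make` literally; `debian/rules` is itself a Makefile, so this should be `$(MAKE)` so that dh's jobserver and `-n`/`-k` flags propagate to the sub-build. Dropping `-j\`nproc\`` also serialises the entire build; if that is a deliberate workaround for a parallel-build problem in the cargo step (the commented-out `cargo build -j1` in `make-linux.mk` hints at one), a one-line comment above the recipe saying so would stop the next maintainer from restoring `-j`.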

+ 2 - 2
include/ZeroTierOne.h

@@ -123,12 +123,12 @@ extern "C" {
 /**
  * Maximum number of pushed routes on a network
  */
-#define ZT_MAX_NETWORK_ROUTES 32
+#define ZT_MAX_NETWORK_ROUTES 128
 
 /**
  * Maximum number of statically assigned IP addresses per network endpoint using ZT address management (not DHCP)
  */
-#define ZT_MAX_ZT_ASSIGNED_ADDRESSES 16
+#define ZT_MAX_ZT_ASSIGNED_ADDRESSES 32
 
 /**
  * Maximum number of "specialists" on a network -- bridges, relays, etc.
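Review bot: Raising `ZT_MAX_NETWORK_ROUTES` and `ZT_MAX_ZT_ASSIGNED_ADDRESSES` changes the size of any public struct that uses them to size a fixed array; this header is the external C API, and if `ZT_VirtualNetworkConfig` embeds `routes[ZT_MAX_NETWORK_ROUTES]` and `assignedAddresses[ZT_MAX_ZT_ASSIGNED_ADDRESSES]` (I cannot confirm that from this hunk), a consumer compiled against the old header will read the new struct at wrong offsets. If the ABI break is intended, say so in both doc comments, e.g. add ` * Note: this constant sizes arrays in public structs; changing it changes the ABI.` to each, so the next bump is made with that in mind. It would also be worth stating in the commit message which consumer (controller limit or pushed-config parser) needed the larger values.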

+ 23 - 7
make-linux.mk

@@ -41,12 +41,6 @@ else
 	override DEFS+=-DZT_USE_SYSTEM_NATPMP
 endif
 
-ifeq ($(ZT_DEBUG),1)
-	LDLIBS+=zeroidc/target/debug/libzeroidc.a -ldl -lssl -lcrypto
-else
-	LDLIBS+=zeroidc/target/release/libzeroidc.a -ldl -lssl -lcrypto
-endif
-
 # Use bundled http-parser since distribution versions are NOT API-stable or compatible!
 # Trying to use dynamically linked libhttp-parser causes tons of compatibility problems.
 ONE_OBJS+=ext/http-parser/http_parser.o
@@ -122,6 +116,7 @@ ifeq ($(CC_MACH),x86_64)
 	ZT_USE_X64_ASM_ED25519=1
 	override CFLAGS+=-msse -msse2
 	override CXXFLAGS+=-msse -msse2
+	ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),amd64)
 	ZT_ARCHITECTURE=2
@@ -129,6 +124,7 @@ ifeq ($(CC_MACH),amd64)
 	ZT_USE_X64_ASM_ED25519=1
 	override CFLAGS+=-msse -msse2
 	override CXXFLAGS+=-msse -msse2
+	ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),powerpc64le)
 	ZT_ARCHITECTURE=8
@@ -150,15 +146,19 @@ ifeq ($(CC_MACH),e2k)
 endif
 ifeq ($(CC_MACH),i386)
 	ZT_ARCHITECTURE=1
+	ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),i486)
 	ZT_ARCHITECTURE=1
+	ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),i586)
 	ZT_ARCHITECTURE=1
+	ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),i686)
 	ZT_ARCHITECTURE=1
+	ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),arm)
 	ZT_ARCHITECTURE=3
@@ -174,6 +174,7 @@ ifeq ($(CC_MACH),armhf)
 	ZT_ARCHITECTURE=3
 	override DEFS+=-DZT_NO_TYPE_PUNNING
 	ZT_USE_ARM32_NEON_ASM_CRYPTO=1
+	ZT_SSO_SUPPORTED=1
 endif
 ifeq ($(CC_MACH),armv6)
 	ZT_ARCHITECTURE=3
@@ -217,10 +218,12 @@ ifeq ($(CC_MACH),armv7ve)
 endif
 ifeq ($(CC_MACH),arm64)
 	ZT_ARCHITECTURE=4
+	ZT_SSO_SUPPORTED=1
 	override DEFS+=-DZT_NO_TYPE_PUNNING -DZT_ARCH_ARM_HAS_NEON -march=armv8-a+crypto -mtune=generic -mstrict-align
 endif
 ifeq ($(CC_MACH),aarch64)
 	ZT_ARCHITECTURE=4
+	ZT_SSO_SUPPORTED=1
 	override DEFS+=-DZT_NO_TYPE_PUNNING -DZT_ARCH_ARM_HAS_NEON -march=armv8-a+crypto -mtune=generic -mstrict-align
 endif
 ifeq ($(CC_MACH),mipsel)
@@ -263,6 +266,14 @@ ifeq ($(ZT_IA32),1)
 	ZT_USE_X64_ASM_ED25519=0
 endif
 
+ifeq ($(ZT_SSO_SUPPORTED), 1)
+	ifeq ($(ZT_DEBUG),1)
+		LDLIBS+=zeroidc/target/debug/libzeroidc.a -ldl -lssl -lcrypto
+	else
+		LDLIBS+=zeroidc/target/release/libzeroidc.a -ldl -lssl -lcrypto
+	endif
+endif
+
 # Disable software updates by default on Linux since that is normally done with package management
 override DEFS+=-DZT_BUILD_PLATFORM=1 -DZT_BUILD_ARCHITECTURE=$(ZT_ARCHITECTURE) -DZT_SOFTWARE_UPDATE_DEFAULT="\"disable\""
 
@@ -371,8 +382,13 @@ debug:	FORCE
 	make ZT_DEBUG=1 one
 	make ZT_DEBUG=1 selftest
 
+ifeq ($(ZT_SSO_SUPPORTED), 1)
 zeroidc:	FORCE
-	cd zeroidc && cargo build $(RUSTFLAGS)
+#	export PATH=/root/.cargo/bin:$$PATH; cd zeroidc && cargo build -j1 $(RUSTFLAGS)
+	export PATH=/root/.cargo/bin:$$PATH; cd zeroidc && cargo build $(RUSTFLAGS)
+else
+zeroidc:
+endif
 
 # Note: keep the symlinks in /var/lib/zerotier-one to the binaries since these
 # provide backward compatibility with old releases where the binaries actually
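Review bot: The `ZT_SSO_SUPPORTED=1` lines enable SSO for i386–i686 and armhf, but the other two platform tables introduced by this commit disagree with that: `node/Constants.hpp` leaves `OIDC_SUPPORTED` at 0 for 32-bit x86 in the Linux branch, and the `#[cfg]` predicates in `zeroidc/src/ext.rs` and `lib.rs` cover `x86`, `x86_64` and `aarch64` only, so on armhf this file links a `libzeroidc.a` whose `ZeroIDC` type is compiled out. Keep a single source of truth — the Makefile could pass its decision down as `cargo build --features sso` or the C++ side could derive `OIDC_SUPPORTED` from `-DZT_SSO_SUPPORTED` — rather than three hand-maintained lists. In the `zeroidc` recipe `export PATH=/root/.cargo/bin:$$PATH` assumes the build runs as root, which is true in the CI containers but breaks `make zeroidc` for any developer whose cargo lives under `$$HOME/.cargo/bin`; use `$$HOME/.cargo/bin` or rely on cargo already being on `PATH`. The commented-out `cargo build -j1` recipe line above it is dead code and should go, and `ZT_SSO_SUPPORTED` deserves an explicit default near the top of the file, `ZT_SSO_SUPPORTED?=0`, so the two `ifeq` tests do not compare against an undefined variable.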

+ 9 - 0
node/Constants.hpp

@@ -50,9 +50,16 @@
 #define __UNIX_LIKE__
 #endif
 #include <endian.h>
+
+#if (defined(__amd64) || defined(__amd64__) || defined(__x86_64) || defined(__x86_64__) || defined(__AMD64) || defined(__AMD64__) || defined(_M_X64) || defined(__aarch64__))
+#define OIDC_SUPPORTED 1
+#else
+#define OIDC_SUPPORTED 0
+#endif
 #endif
 
 #ifdef __APPLE__
+#define OIDC_SUPPORTED 1
 #define likely(x) __builtin_expect((x),1)
 #define unlikely(x) __builtin_expect((x),0)
 #include <TargetConditionals.h>
@@ -66,6 +73,7 @@
 #endif
 
 #if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
+#define OIDC_SUPPORTED 0
 #ifndef __UNIX_LIKE__
 #define __UNIX_LIKE__
 #endif
@@ -81,6 +89,7 @@
 #endif
 
 #if defined(_WIN32) || defined(_WIN64)
+#define OIDC_SUPPORTED 1
 #ifndef __WINDOWS__
 #define __WINDOWS__
 #endif
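Review bot: `OIDC_SUPPORTED` is only defined inside the platform branches touched here (the `<endian.h>` block, presumably Linux, plus `__APPLE__`, the BSDs and Windows); on any platform that matches none of them, or in a translation unit that tests the macro before this header is included, `#if OIDC_SUPPORTED` in `service/OneService.cpp` silently evaluates an undefined identifier as 0 instead of failing. Add an explicit fallback after the platform section, `#ifndef OIDC_SUPPORTED` / `#define OIDC_SUPPORTED 0` / `#endif`, and build with `-Wundef` so the misordered-include case is caught at compile time. A one-line comment on the first definition stating what the macro gates (`// 1 when the zeroidc OIDC/SSO client is built and linked for this target`) would also help, since the name alone does not say which component it refers to.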

+ 23 - 3
service/OneService.cpp

@@ -53,7 +53,9 @@
 #include "OneService.hpp"
 #include "SoftwareUpdater.hpp"
 
+#if OIDC_SUPPORTED
 #include <zeroidc.h>
+#endif
 
 #ifdef __WINDOWS__
 #include <winsock2.h>
@@ -154,7 +156,9 @@ public:
 	NetworkState() 
 		: _webPort(9993)
 		, _tap((EthernetTap *)0)
+#if OIDC_SUPPORTED
 		, _idc(nullptr)
+#endif
 	{
 		// Real defaults are in network 'up' code in network event handler
 		_settings.allowManaged = true;
@@ -169,11 +173,13 @@ public:
 		this->_managedRoutes.clear();
 		this->_tap.reset();
 
+#if OIDC_SUPPORTED
 		if (_idc) {
 			zeroidc::zeroidc_stop(_idc);
 			zeroidc::zeroidc_delete(_idc);
 			_idc = nullptr;
 		}
+#endif
 	}
 
 	void setWebPort(unsigned int port) {
@@ -251,6 +257,7 @@ public:
 
 		if (_config.ssoEnabled && _config.ssoVersion == 1) {
 			//  fprintf(stderr, "ssoEnabled for %s\n", nwid);
+#if OIDC_SUPPORTED
 			if (_idc == nullptr)
 			{
 				assert(_config.issuerURL != nullptr);
@@ -290,6 +297,7 @@ public:
 				// TODO: kick the refresh thread
 				zeroidc::zeroidc_kick_refresh_thread(_idc);
 			}
+#endif
 		}
 	}
 
@@ -306,14 +314,17 @@ public:
 	}
 
 	const char* getAuthURL() {
+#if OIDC_SUPPORTED
 		if (_idc != nullptr) {
 			return zeroidc::zeroidc_get_auth_url(_idc);
 		}
 		fprintf(stderr, "_idc is null\n");
+#endif
 		return "";
 	}
 
 	const char* doTokenExchange(const char *code) {
+#if OIDC_SUPPORTED
 		if (_idc == nullptr) {
 			fprintf(stderr, "ainfo or idc null\n");
 			return "";
@@ -330,15 +341,21 @@ public:
 		memcpy(_config.authenticationURL, url, strlen(url));
 		_config.authenticationURL[strlen(url)] = 0;
 		return ret;
+#else
+		return "";
+#endif
 	}
 
 	uint64_t getExpiryTime() {
+#if OIDC_SUPPORTED
 		if (_idc == nullptr) {
 			fprintf(stderr, "idc is null\n");
 			return 0;
 		}
-
 		return zeroidc::zeroidc_get_exp_time(_idc);
+#else
+		return 0;
+#endif
 	}
 
 private:
@@ -348,7 +365,9 @@ private:
 	std::vector<InetAddress> _managedIps;
 	std::map< InetAddress, SharedPtr<ManagedRoute> > _managedRoutes;
 	OneService::NetworkSettings _settings;
+#if OIDC_SUPPORTED
 	zeroidc::ZeroIDC *_idc;
+#endif
 };
 
 namespace {
@@ -1655,10 +1674,10 @@ public:
 						scode = _controller->handleControlPlaneHttpGET(std::vector<std::string>(ps.begin()+1,ps.end()),urlArgs,headers,body,responseBody,responseContentType);
 					} else scode = 404;
 				}
-
+#if OIDC_SUPPORTED
 			} else if (ps[0] == "sso") {
 				// SSO redirect handling
-				const char* state = zeroidc::zeroidc_get_url_param_value("state", path.c_str());
+								const char* state = zeroidc::zeroidc_get_url_param_value("state", path.c_str());
 				const char* nwid = zeroidc::zeroidc_network_id_from_state(state);
 				
 				const uint64_t id = Utils::hexStrToU64(nwid);
@@ -1710,6 +1729,7 @@ div.icon {\
 				} else {
 					scode = 404;
 				}
+#endif
 			} else {
 				scode = 401; // isAuth == false && !sso
 			}
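Review bot: In the `_config.ssoEnabled && _config.ssoVersion == 1` block, an `OIDC_SUPPORTED == 0` build now silently does nothing when a network requires SSO, so the user sees a network that never authorises and no message explaining why; add an `#else` branch with `fprintf(stderr, "network %s requires SSO but this build has no OIDC support\n", nwid);` (using whatever network-id variable is in scope — the enclosing function starts and ends outside the hunk) so the failure is diagnosable. The `const char* state = zeroidc::zeroidc_get_url_param_value(...)` line in the HTTP handler hunk went from one tab to eight tabs of indentation in an otherwise unchanged line; restore the original indent. In `doTokenExchange`, the `#else` path leaves `code` unused, which `-Wunused-parameter` will flag; `(void)code;` in that branch silences it deliberately.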

+ 71 - 168
zeroidc/Cargo.lock

@@ -28,12 +28,6 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
 
-[[package]]
-name = "base64"
-version = "0.12.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3441f0f7b02788e948e47f457ca01f1d7e6d92c693bc132c22b087d3141c03ff"
-
 [[package]]
 name = "base64"
 version = "0.13.0"
@@ -55,6 +49,15 @@ dependencies = [
  "generic-array",
 ]
 
+[[package]]
+name = "block-buffer"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1d36a02058e76b040de25a4464ba1c80935655595b661505c8b39b664828b95"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "bumpalo"
 version = "3.8.0"
@@ -108,7 +111,6 @@ dependencies = [
  "num-integer",
  "num-traits",
  "serde",
- "time 0.1.43",
  "winapi",
 ]
 
@@ -152,6 +154,15 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "crypto-common"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "683d6b536309245c849479fba3da410962a43ed8e51c26b729208ec0ac2798d0"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "digest"
 version = "0.9.0"
@@ -161,6 +172,18 @@ dependencies = [
  "generic-array",
 ]
 
+[[package]]
+name = "digest"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b697d66081d42af4fba142d56918a3cb21dc8eb63372c6b85d14f44fb9c5979b"
+dependencies = [
+ "block-buffer 0.10.0",
+ "crypto-common",
+ "generic-array",
+ "subtle",
+]
+
 [[package]]
 name = "either"
 version = "1.6.1"
@@ -322,6 +345,15 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "hmac"
+version = "0.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ddca131f3e7f2ce2df364b57949a9d47915cfbd35e46cfee355ccebbf794d6a2"
+dependencies = [
+ "digest 0.10.1",
+]
+
 [[package]]
 name = "http"
 version = "0.2.5"
@@ -380,19 +412,6 @@ dependencies = [
  "want",
 ]
 
-[[package]]
-name = "hyper-rustls"
-version = "0.23.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d87c48c02e0dc5e3b849a2041db3029fd066650f8f717c07bf8ed78ccb895cac"
-dependencies = [
- "http",
- "hyper",
- "rustls",
- "tokio",
- "tokio-rustls",
-]
-
 [[package]]
 name = "hyper-tls"
 version = "0.5.0"
@@ -458,17 +477,18 @@ dependencies = [
 ]
 
 [[package]]
-name = "jsonwebtoken"
-version = "7.2.0"
+name = "jwt"
+version = "0.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "afabcc15e437a6484fc4f12d0fd63068fe457bf93f1c148d3d9649c60b103f32"
+checksum = "6204285f77fe7d9784db3fdc449ecce1a0114927a51d5a41c4c7a292011c015f"
 dependencies = [
- "base64 0.12.3",
- "pem",
- "ring",
+ "base64",
+ "crypto-common",
+ "digest 0.10.1",
+ "hmac",
  "serde",
  "serde_json",
- "simple_asn1",
+ "sha2 0.10.1",
 ]
 
 [[package]]
@@ -559,17 +579,6 @@ dependencies = [
  "winapi",
 ]
 
-[[package]]
-name = "num-bigint"
-version = "0.2.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "090c7f9998ee0ff65aa5b723e4009f7b217707f1fb5ea551329cc4d6231fb304"
-dependencies = [
- "autocfg",
- "num-integer",
- "num-traits",
-]
-
 [[package]]
 name = "num-bigint"
 version = "0.4.3"
@@ -616,7 +625,7 @@ version = "4.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "80e47cfc4c0a1a519d9a025ebfbac3a2439d1b5cdf397d72dcb79b11d9920dab"
 dependencies = [
- "base64 0.13.0",
+ "base64",
  "chrono",
  "getrandom",
  "http",
@@ -625,7 +634,7 @@ dependencies = [
  "serde",
  "serde_json",
  "serde_path_to_error",
- "sha2",
+ "sha2 0.9.8",
  "thiserror",
  "url",
 ]
@@ -644,16 +653,16 @@ checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
 
 [[package]]
 name = "openidconnect"
-version = "2.1.2"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7d523cf32bdf7696f36bc4198a42c34b65f0227b97f2f501ebfbe016baa5bc52"
+checksum = "f6db0c030c3036f53c7108668641151b244358d221303a17985b07ac9bb60091"
 dependencies = [
- "base64 0.13.0",
+ "base64",
  "chrono",
  "http",
  "itertools",
  "log",
- "num-bigint 0.4.3",
+ "num-bigint",
  "oauth2",
  "rand",
  "ring",
@@ -709,17 +718,6 @@ dependencies = [
  "num-traits",
 ]
 
-[[package]]
-name = "pem"
-version = "0.8.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fd56cbd21fea48d0c440b41cd69c589faacade08c992d9a54e471b79d0fd13eb"
-dependencies = [
- "base64 0.13.0",
- "once_cell",
- "regex",
-]
-
 [[package]]
 name = "percent-encoding"
 version = "2.1.0"
@@ -817,21 +815,6 @@ dependencies = [
  "bitflags",
 ]
 
-[[package]]
-name = "regex"
-version = "1.5.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d07a8629359eb56f1e2fb1652bb04212c072a87ba68546a04065d525673ac461"
-dependencies = [
- "regex-syntax",
-]
-
-[[package]]
-name = "regex-syntax"
-version = "0.6.25"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"
-
 [[package]]
 name = "remove_dir_all"
 version = "0.5.3"
@@ -847,7 +830,7 @@ version = "0.11.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "07bea77bc708afa10e59905c3d4af7c8fd43c9214251673095ff8b14345fcbc5"
 dependencies = [
- "base64 0.13.0",
+ "base64",
  "bytes",
  "encoding_rs",
  "futures-core",
@@ -855,7 +838,6 @@ dependencies = [
  "http",
  "http-body",
  "hyper",
- "hyper-rustls",
  "hyper-tls",
  "ipnet",
  "js-sys",
@@ -865,19 +847,15 @@ dependencies = [
  "native-tls",
  "percent-encoding",
  "pin-project-lite",
- "rustls",
- "rustls-pemfile",
  "serde",
  "serde_json",
  "serde_urlencoded",
  "tokio",
  "tokio-native-tls",
- "tokio-rustls",
  "url",
  "wasm-bindgen",
  "wasm-bindgen-futures",
  "web-sys",
- "webpki-roots",
  "winreg",
 ]
 
@@ -896,27 +874,6 @@ dependencies = [
  "winapi",
 ]
 
-[[package]]
-name = "rustls"
-version = "0.20.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d37e5e2290f3e040b594b1a9e04377c2c671f1a1cfd9bfdef82106ac1c113f84"
-dependencies = [
- "log",
- "ring",
- "sct",
- "webpki 0.22.0",
-]
-
-[[package]]
-name = "rustls-pemfile"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9"
-dependencies = [
- "base64 0.13.0",
-]
-
 [[package]]
 name = "ryu"
 version = "1.0.5"
@@ -933,16 +890,6 @@ dependencies = [
  "winapi",
 ]
 
-[[package]]
-name = "sct"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4"
-dependencies = [
- "ring",
- "untrusted",
-]
-
 [[package]]
 name = "security-framework"
 version = "2.4.2"
@@ -1034,22 +981,22 @@ version = "0.9.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b69f9a4c9740d74c5baa3fd2e547f9525fa8088a8a958e0ca2409a514e33f5fa"
 dependencies = [
- "block-buffer",
+ "block-buffer 0.9.0",
  "cfg-if",
  "cpufeatures",
- "digest",
+ "digest 0.9.0",
  "opaque-debug",
 ]
 
 [[package]]
-name = "simple_asn1"
-version = "0.4.1"
+name = "sha2"
+version = "0.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "692ca13de57ce0613a363c8c2f1de925adebc81b04c923ac60c5488bb44abe4b"
+checksum = "99c3bd8169c58782adad9290a9af5939994036b76187f7b4f0e6de91dbbfc0ec"
 dependencies = [
- "chrono",
- "num-bigint 0.2.6",
- "num-traits",
+ "cfg-if",
+ "cpufeatures",
+ "digest 0.10.1",
 ]
 
 [[package]]
@@ -1080,6 +1027,12 @@ version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a"
 
+[[package]]
+name = "subtle"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
+
 [[package]]
 name = "syn"
 version = "1.0.81"
@@ -1134,16 +1087,6 @@ dependencies = [
  "syn",
 ]
 
-[[package]]
-name = "time"
-version = "0.1.43"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
-dependencies = [
- "libc",
- "winapi",
-]
-
 [[package]]
 name = "time"
 version = "0.3.5"
@@ -1195,17 +1138,6 @@ dependencies = [
  "tokio",
 ]
 
-[[package]]
-name = "tokio-rustls"
-version = "0.23.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4baa378e417d780beff82bf54ceb0d195193ea6a00c14e22359e7f39456b5689"
-dependencies = [
- "rustls",
- "tokio",
- "webpki 0.22.0",
-]
-
 [[package]]
 name = "tokio-util"
 version = "0.6.8"
@@ -1429,35 +1361,6 @@ dependencies = [
  "wasm-bindgen",
 ]
 
-[[package]]
-name = "webpki"
-version = "0.21.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8e38c0608262c46d4a56202ebabdeb094cef7e560ca7a226c6bf055188aa4ea"
-dependencies = [
- "ring",
- "untrusted",
-]
-
-[[package]]
-name = "webpki"
-version = "0.22.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd"
-dependencies = [
- "ring",
- "untrusted",
-]
-
-[[package]]
-name = "webpki-roots"
-version = "0.21.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aabe153544e473b775453675851ecc86863d2a81d786d741f6b76778f2a48940"
-dependencies = [
- "webpki 0.21.4",
-]
-
 [[package]]
 name = "winapi"
 version = "0.3.9"
@@ -1493,14 +1396,14 @@ dependencies = [
 name = "zeroidc"
 version = "0.1.0"
 dependencies = [
- "base64 0.13.0",
+ "base64",
  "bytes",
  "cbindgen",
- "jsonwebtoken",
+ "jwt",
  "openidconnect",
  "reqwest",
  "serde",
  "thiserror",
- "time 0.3.5",
+ "time",
  "url",
 ]

+ 2 - 2
zeroidc/Cargo.toml

@@ -12,11 +12,11 @@ crate-type = ["staticlib","rlib"]
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-openidconnect = "2.1"
+openidconnect = { version = "2.2", default-features = false, features = ["reqwest", "native-tls"] }
 base64 = "0.13"
 url = "2.2"
 reqwest = "0.11"
-jsonwebtoken = "7.2"
+jwt = "0.16"
 serde = "1.0"
 time = { version = "0.3", features = ["formatting"] }
 bytes = "1.1"
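Review bot: `openidconnect` is now pinned to `native-tls` with default features off, but `reqwest = "0.11"` on the line below still carries reqwest's default feature set, so the TLS backend of the direct `reqwest` dependency is whatever reqwest's defaults say rather than the choice made explicitly one line above; the lockfile shows the rustls stack has been dropped for now, but a future default change would reintroduce a second TLS implementation unnoticed. Consider `reqwest = { version = "0.11", default-features = false, features = ["native-tls"] }` so both crates state the same backend. A short comment above the block naming why native-tls was chosen (system trust store, link against the same `-lssl -lcrypto` the Makefile already adds) would document the decision.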

+ 81 - 0
zeroidc/src/ext.rs

@@ -16,6 +16,15 @@ use url::{Url};
 
 use crate::ZeroIDC;
 
+#[cfg(
+    any(
+        all(target_os = "linux", target_arch = "x86"),
+        all(target_os = "linux", target_arch = "x86_64"),
+        all(target_os = "linux", target_arch = "aarch64"),
+        target_os = "windows",
+        target_os = "macos",
+    )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_new(
     issuer: *const c_char,
@@ -57,6 +66,15 @@ pub extern "C" fn zeroidc_new(
     }
 }
 
+#[cfg(
+    any(
+        all(target_os = "linux", target_arch = "x86"),
+        all(target_os = "linux", target_arch = "x86_64"),
+        all(target_os = "linux", target_arch = "aarch64"),
+        target_os = "windows",
+        target_os = "macos",
+    )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_delete(ptr: *mut ZeroIDC) {
     if ptr.is_null() {
@@ -67,6 +85,15 @@ pub extern "C" fn zeroidc_delete(ptr: *mut ZeroIDC) {
     }
 }
 
+#[cfg(
+    any(
+        all(target_os = "linux", target_arch = "x86"),
+        all(target_os = "linux", target_arch = "x86_64"),
+        all(target_os = "linux", target_arch = "aarch64"),
+        target_os = "windows",
+        target_os = "macos",
+    )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_start(ptr: *mut ZeroIDC) {
     let idc = unsafe {
@@ -76,6 +103,15 @@ pub extern "C" fn zeroidc_start(ptr: *mut ZeroIDC) {
     idc.start();
 }
 
+#[cfg(
+    any(
+        all(target_os = "linux", target_arch = "x86"),
+        all(target_os = "linux", target_arch = "x86_64"),
+        all(target_os = "linux", target_arch = "aarch64"),
+        target_os = "windows",
+        target_os = "macos",
+    )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_stop(ptr: *mut ZeroIDC) {
     let idc = unsafe {
@@ -85,6 +121,15 @@ pub extern "C" fn zeroidc_stop(ptr: *mut ZeroIDC) {
     idc.stop();
 }
 
+#[cfg(
+    any(
+        all(target_os = "linux", target_arch = "x86"),
+        all(target_os = "linux", target_arch = "x86_64"),
+        all(target_os = "linux", target_arch = "aarch64"),
+        target_os = "windows",
+        target_os = "macos",
+    )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_is_running(ptr: *mut ZeroIDC) -> bool {
     let idc = unsafe {
@@ -105,6 +150,15 @@ pub extern "C" fn zeroidc_get_exp_time(ptr: *mut ZeroIDC) -> u64 {
     id.get_exp_time()
 }
 
+#[cfg(
+    any(
+        all(target_os = "linux", target_arch = "x86"),
+        all(target_os = "linux", target_arch = "x86_64"),
+        all(target_os = "linux", target_arch = "aarch64"),
+        target_os = "windows",
+        target_os = "macos",
+    )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_set_nonce_and_csrf(
     ptr: *mut ZeroIDC,
@@ -137,6 +191,15 @@ pub extern "C" fn zeroidc_set_nonce_and_csrf(
     idc.set_nonce_and_csrf(csrf_token, nonce);
 }
 
+#[cfg(
+    any(
+        all(target_os = "linux", target_arch = "x86"),
+        all(target_os = "linux", target_arch = "x86_64"),
+        all(target_os = "linux", target_arch = "aarch64"),
+        target_os = "windows",
+        target_os = "macos",
+    )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_get_auth_url(ptr: *mut ZeroIDC) -> *const c_char {
     if ptr.is_null() {
@@ -151,6 +214,15 @@ pub extern "C" fn zeroidc_get_auth_url(ptr: *mut ZeroIDC) -> *const c_char {
     return s.into_raw();
 }
 
+#[cfg(
+    any(
+        all(target_os = "linux", target_arch = "x86"),
+        all(target_os = "linux", target_arch = "x86_64"),
+        all(target_os = "linux", target_arch = "aarch64"),
+        target_os = "windows",
+        target_os = "macos",
+    )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_token_exchange(idc: *mut ZeroIDC, code: *const c_char ) -> *const c_char {
     if idc.is_null() {
@@ -219,6 +291,15 @@ pub extern "C" fn zeroidc_network_id_from_state(state: *const c_char) -> *const
     return s.into_raw();
 }
 
+#[cfg(
+    any(
+        all(target_os = "linux", target_arch = "x86"),
+        all(target_os = "linux", target_arch = "x86_64"),
+        all(target_os = "linux", target_arch = "aarch64"),
+        target_os = "windows",
+        target_os = "macos",
+    )
+)]
 #[no_mangle]
 pub extern "C" fn zeroidc_kick_refresh_thread(idc: *mut ZeroIDC) {
     if idc.is_null() {
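Review bot: `zeroidc_get_exp_time(ptr: *mut ZeroIDC)` receives no `#[cfg]` attribute in this file (the hunk headers show no insertion between `zeroidc_is_running` and it), yet `ZeroIDC` itself is gated in `lib.rs`, so on any target outside the predicate this module fails to compile on a missing type; the same applies to `impl Inner` in `lib.rs`, which the hunk header at `@@ -63,11 +80,6 @@` shows as ungated while `struct Inner` is gated. Unless the `mod ext;` declaration is itself gated (not visible here), the simplest fix is to replace the ten identical per-item attributes with one inner attribute at the top of `ext.rs`, `#![cfg(any(...))]` with the same predicate, and to gate `impl Inner` (or the whole of `lib.rs` below the `use` lines) the same way. That also removes the copy-paste risk that the next exported function is added without the gate. `zeroidc_network_id_from_state` and `zeroidc_get_url_param_value` are left ungated, which is fine since they take only C strings, but a comment saying they are intentionally target-independent would save the next reader the same analysis.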

+ 54 - 21
zeroidc/src/lib.rs

@@ -22,11 +22,10 @@ extern crate url;
 use crate::error::ZeroIDCError;
 
 use bytes::Bytes;
-use jsonwebtoken::{dangerous_insecure_decode};
+use jwt::{Token};
 use openidconnect::core::{CoreClient, CoreProviderMetadata, CoreResponseType};
 use openidconnect::reqwest::http_client;
 use openidconnect::{AccessToken, AccessTokenHash, AuthorizationCode, AuthenticationFlow, ClientId, CsrfToken, IssuerUrl, Nonce, OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RefreshToken, Scope, TokenResponse};
-use serde::{Deserialize, Serialize};
 use std::str::from_utf8;
 use std::sync::{Arc, Mutex};
 use std::thread::{sleep, spawn, JoinHandle};
@@ -36,10 +35,28 @@ use time::{OffsetDateTime, format_description};
 
 use url::Url;
 
+#[cfg(
+    any(
+        all(target_os = "linux", target_arch = "x86"),
+        all(target_os = "linux", target_arch = "x86_64"),
+        all(target_os = "linux", target_arch = "aarch64"),
+        target_os = "windows",
+        target_os = "macos",
+    )
+)]
 pub struct ZeroIDC {
     inner: Arc<Mutex<Inner>>,
 }
 
+#[cfg(
+    any(
+        all(target_os = "linux", target_arch = "x86"),
+        all(target_os = "linux", target_arch = "x86_64"),
+        all(target_os = "linux", target_arch = "aarch64"),
+        target_os = "windows",
+        target_os = "macos",
+    )
+)]
 struct Inner {
     running: bool,
     auth_endpoint: String,
@@ -63,11 +80,6 @@ impl Inner {
     }
 }
 
-#[derive(Debug, Serialize, Deserialize)]
-struct Exp {
-    exp: u64
-}
-
 fn csrf_func(csrf_token: String) -> Box<dyn Fn() -> CsrfToken> {
     return Box::new(move || CsrfToken::new(csrf_token.to_string()));
 }
@@ -94,6 +106,15 @@ fn systemtime_strftime<T>(dt: T, format: &str) -> String
     }
 }
 
+#[cfg(
+    any(
+        all(target_os = "linux", target_arch = "x86"),
+        all(target_os = "linux", target_arch = "x86_64"),
+        all(target_os = "linux", target_arch = "aarch64"),
+        target_os = "windows",
+        target_os = "macos",
+    )
+)]
 impl ZeroIDC {
     pub fn new(
         issuer: &str,
@@ -277,15 +298,20 @@ impl ZeroIDC {
 
                                                                 let access_token = res.access_token();
                                                                 let at = access_token.secret();
-                                                                // yes this function is called `dangerous_insecure_decode`
-                                                                // and it doesn't validate the jwt token signature, 
-                                                                // but if we've gotten this far, our claims have already
-                                                                // been validated up above
-                                                                let exp = dangerous_insecure_decode::<Exp>(&at);
+
+                                                                let t: Result<Token<jwt::Header, jwt::Claims, jwt::Unverified<'_>>, jwt::Error>= Token::parse_unverified(at);
                                                                 
-                                                                if let Ok(e) = exp {
-                                                                    (*inner_local.lock().unwrap()).exp_time = e.claims.exp
-                                                                }
+                                                                if let Ok(t) = t {
+                                                                    let claims = t.claims().registered.clone();
+                                                                    match claims.expiration {
+                                                                        Some(exp) => {
+                                                                            (*inner_local.lock().unwrap()).exp_time = exp;
+                                                                        },
+                                                                        None => {
+                                                                            panic!("expiration is None.  This shouldn't happen")
+                                                                        }
+                                                                    }
+                                                                }  
 
                                                                 (*inner_local.lock().unwrap()).access_token = Some(access_token.clone());
                                                                 if let Some(t) = res.refresh_token() {
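Review bot: The `None => panic!("expiration is None.  This shouldn't happen")` arm lets the identity provider decide whether this daemon's token thread panics: an access token is not required to be a JWT or to carry `exp`, the code deliberately uses `parse_unverified`, and the replaced code simply skipped the update in that case; the same arm is repeated in the refresh hunk at `i.exp_time = exp;` below. Replace the `match` in both places with a non-fatal path that keeps `exp_time` unchanged and logs, e.g. `if let Some(exp) = t.claims().registered.expiration { (*inner_local.lock().unwrap()).exp_time = exp; } else { eprintln!("access token carries no exp claim; keeping previous expiry"); }` — this also drops the unneeded `.registered.clone()`. The removed comment explaining why an unverified parse is acceptable here (the claims were validated earlier in the flow) should be restored above `Token::parse_unverified`, since `parse_unverified` reads as a red flag without it. The enclosing closure and method start and end outside the hunk.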
@@ -543,11 +569,19 @@ impl ZeroIDC {
 
                                 let at = tok.access_token().secret();
 
-                                // see previous note about this function's use
-                                let exp = dangerous_insecure_decode::<Exp>(&at);
-                                if let Ok(e) = exp {
-                                    i.exp_time = e.claims.exp
-                                }
+                                let t: Result<Token<jwt::Header, jwt::Claims, jwt::Unverified<'_>>, jwt::Error>= Token::parse_unverified(at);
+                                                                
+                                if let Ok(t) = t {
+                                    let claims = t.claims().registered.clone();
+                                    match claims.expiration {
+                                        Some(exp) => {
+                                            i.exp_time = exp;
+                                        },
+                                        None => {
+                                            panic!("expiration is None.  This shouldn't happen")
+                                        }
+                                    }
+                                } 
 
                                 i.access_token = Some(tok.access_token().clone());
                                 if let Some(t) = tok.refresh_token() {
@@ -599,4 +633,3 @@ impl ZeroIDC {
         };
     }
 }
-