Maybe connect_with_connector is what I was looking for. There are mock and uds examples that use it. Then serve_with_incoming is the other half. If this is the API, it seems reasonable but it means I have to add my own framing so have to build a mechanism that buffers on the receive side until a full frame is read. Maybe someone will have a better idea?
I'm looking to integrate a custom encryption layer directly into or over the transport layer of a Tonic gRPC setup, essentially wrapping the Tokio TcpStream.
I don't want to use TLS, but practically, I guess I'm asking how to go about creating a transport like the one provided but with TLS (and rustls) replaced by a custom one.
Once a Tokio TCP connection is established, before the usual gRPC communication begins, the client would send a handshake and the server would respond with its own, and they would have established a common symmetric cipher (a lot like TLS I think). Following this, all communications would be encrypted on the wire.
The cipher comes from the aes-gcm crate and requires the notion of datagrams, so the TCP stream needs to be framed so that datagrams can be presented to the cipher.decrypt step. The cipher allows a decrypt_in_place but the resulting slice has a lifetime tied to the original byte slice, so depending on the API of the upper layers, that may be practical to use or not.
I could implement length-prefix framing over the Tokio TcpStream, but perhaps Tonic/HTTP2 has to do this already, and there is a spot where the data can be encrypted on egress and decrypted on ingress?
I wonder about the tonic::client::Grpc builder options send_compressed and accept_compressed, but don't know if they compress everything except the framing, and I don't know how to slip in the handshake step before Grpc takes over either.
I see a 'transport' feature in Tonic with an optional rustls TLS ability. But I don't see a layer that lets me replace just the TLS portion. Is my best bet to read through the transport code and the code that uses it, to see how a new transport module could be written with TLS replaced?
Thank you.
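One way to build the length-prefix framing with receive-side buffering that the question and the reply describe, as an added example that is not code from this discussion or from tonic: std-only Rust, with the aes-gcm seal/open calls replaced by a clearly marked stand-in so it compiles without the crate. `MAX_FRAME`, `encode_frame`, `FrameDecoder`, `toy_seal` and `toy_open` are assumed names, not tonic or aes-gcm API.

```rust
/// Upper bound on one frame, checked before allocating so a forged length
/// prefix cannot make the receiver buffer an arbitrary amount of memory.
pub const MAX_FRAME: usize = 1 << 20;

/// Sender: seal the payload (the per-frame counter feeds the nonce), then prefix the ciphertext with its big-endian u32 length.
pub fn encode_frame(seq: u64, plaintext: &[u8], seal: &dyn Fn(u64, &[u8]) -> Vec<u8>) -> Vec<u8> {
    let ct = seal(seq, plaintext);
    let mut frame = (ct.len() as u32).to_be_bytes().to_vec();
    frame.extend_from_slice(&ct);
    frame
}

/// Receiver: buffers whatever TcpStream reads deliver and yields only complete frames, each run through `open` first.
pub struct FrameDecoder { buf: Vec<u8>, seq: u64 }

impl FrameDecoder {
    pub fn new() -> Self { Self { buf: Vec::new(), seq: 0 } }

    pub fn feed(&mut self, chunk: &[u8], open: &dyn Fn(u64, &[u8]) -> Option<Vec<u8>>)
        -> Result<Vec<Vec<u8>>, &'static str> {
        self.buf.extend_from_slice(chunk);
        let mut out = Vec::new();
        while self.buf.len() >= 4 {
            let len = u32::from_be_bytes([self.buf[0], self.buf[1], self.buf[2], self.buf[3]]) as usize;
            if len > MAX_FRAME { return Err("frame length exceeds MAX_FRAME"); }
            if self.buf.len() < 4 + len { break; } // partial frame: wait for more bytes
            let body: Vec<u8> = self.buf.drain(..4 + len).skip(4).collect();
            // The expected counter is the nonce, so a replayed, dropped or reordered frame fails to open.
            let pt = open(self.seq, &body).ok_or("frame failed authentication")?;
            self.seq += 1;
            out.push(pt);
        }
        Ok(out)
    }
}

/// STAND-IN for the aes-gcm encrypt/decrypt calls so this builds with std only: XOR keystream
/// plus a 2-byte checksum "tag". Not a cipher; swap in the real AEAD with the handshake key.
fn toy_tag(seq: u64, ct: &[u8]) -> [u8; 2] {
    ct.iter().fold(seq as u16, |a, &b| a.wrapping_mul(257).wrapping_add(b as u16)).to_be_bytes()
}
pub fn toy_seal(seq: u64, pt: &[u8]) -> Vec<u8> {
    let mut ct: Vec<u8> = pt.iter().map(|b| b ^ (seq as u8 ^ 0x5a)).collect();
    ct.extend_from_slice(&toy_tag(seq, &ct));
    ct
}
pub fn toy_open(seq: u64, ct: &[u8]) -> Option<Vec<u8>> {
    if ct.len() < 2 { return None; }
    let (body, tag) = ct.split_at(ct.len() - 2);
    if &toy_tag(seq, body)[..] != tag { return None; }
    Some(body.iter().map(|b| b ^ (seq as u8 ^ 0x5a)).collect())
}
```

With real AES-GCM the counter must feed a nonce that never repeats under one key, so derive a fresh key per connection from the handshake rather than reusing one across connections.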