upgrade rustls

crabman 2024-05-28 12:46:03 +00:00
parent 2c138fc0eb
commit a2ea012f43
8 changed files with 206 additions and 91 deletions

Cargo.lock generated

@ -212,7 +212,7 @@ version = "2.5.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a7e7b35733e3a8c1ccb90385088dd5b6eaa61325cb4d1ad56e683b5224ff352e"
dependencies = [
"jni",
"jni 0.21.1",
"ndk-context",
"winapi",
"xdg",
@ -1259,7 +1259,7 @@ dependencies = [
"core-foundation-sys",
"coreaudio-rs",
"dasp_sample",
"jni",
"jni 0.21.1",
"js-sys",
"libc",
"mach2",
@ -2247,7 +2247,7 @@ dependencies = [
"futures-core",
"futures-sink",
"nanorand",
"spin 0.9.8",
"spin",
]
[[package]]
@ -2988,8 +2988,8 @@ dependencies = [
"http",
"hyper",
"log",
"rustls",
"rustls-native-certs",
"rustls 0.21.12",
"rustls-native-certs 0.6.3",
"tokio",
"tokio-rustls",
]
@ -3342,6 +3342,20 @@ dependencies = [
"cc",
]
[[package]]
name = "jni"
version = "0.19.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c6df18c2e3db7e453d3c6ac5b3e9d5182664d28788126d39b91f2d1e22b017ec"
dependencies = [
"cesu8",
"combine",
"jni-sys",
"log",
"thiserror",
"walkdir",
]
[[package]]
name = "jni"
version = "0.21.1"
@ -4410,7 +4424,7 @@ version = "0.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e8b61bebd49e5d43f5f8cc7ee2891c16e0f41ec7954d36bcb6c14c5e0de867fb"
dependencies = [
"jni",
"jni 0.21.1",
"ndk 0.8.0",
"ndk-context",
"num-derive",
@ -4918,16 +4932,16 @@ dependencies = [
[[package]]
name = "quinn"
version = "0.10.2"
version = "0.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8cc2c5017e4b43d5995dcea317bc46c1e09404c0a9664d2908f7f02dfe943d75"
checksum = "904e3d3ba178131798c6d9375db2b13b34337d489b089fc5ba0825a2ff1bee73"
dependencies = [
"bytes",
"pin-project-lite",
"quinn-proto",
"quinn-udp",
"rustc-hash",
"rustls",
"rustls 0.23.8",
"thiserror",
"tokio",
"tracing",
@ -4935,16 +4949,16 @@ dependencies = [
[[package]]
name = "quinn-proto"
version = "0.10.6"
version = "0.11.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "141bf7dfde2fbc246bfd3fe12f2455aa24b0fbd9af535d8c86c7bd1381ff2b1a"
checksum = "e974563a4b1c2206bbc61191ca4da9c22e4308b4c455e8906751cc7828393f08"
dependencies = [
"bytes",
"rand 0.8.5",
"ring 0.16.20",
"ring",
"rustc-hash",
"rustls",
"rustls-native-certs",
"rustls 0.23.8",
"rustls-platform-verifier",
"slab",
"thiserror",
"tinyvec",
@ -4953,15 +4967,15 @@ dependencies = [
[[package]]
name = "quinn-udp"
version = "0.4.1"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "055b4e778e8feb9f93c4e439f71dc2156ef13360b432b799e179a8c4cdf0b1d7"
checksum = "e4f0def2590301f4f667db5a77f9694fb004f82796dc1a8b1508fafa3d0e8b72"
dependencies = [
"bytes",
"libc",
"once_cell",
"socket2",
"tracing",
"windows-sys 0.48.0",
"windows-sys 0.52.0",
]
[[package]]
@ -5143,7 +5157,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "54077e1872c46788540de1ea3d7f4ccb1983d12f9aa909b234468676c1a36779"
dependencies = [
"pem",
"ring 0.17.8",
"ring",
"rustls-pki-types",
"time",
"yasna",
@ -5304,21 +5318,6 @@ dependencies = [
"quick-error",
]
[[package]]
name = "ring"
version = "0.16.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
dependencies = [
"cc",
"libc",
"once_cell",
"spin 0.5.2",
"untrusted 0.7.1",
"web-sys",
"winapi",
]
[[package]]
name = "ring"
version = "0.17.8"
@ -5329,8 +5328,8 @@ dependencies = [
"cfg-if 1.0.0",
"getrandom 0.2.15",
"libc",
"spin 0.9.8",
"untrusted 0.9.0",
"spin",
"untrusted",
"windows-sys 0.52.0",
]
@ -5482,11 +5481,25 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e"
dependencies = [
"log",
"ring 0.17.8",
"rustls-webpki",
"ring",
"rustls-webpki 0.101.7",
"sct",
]
[[package]]
name = "rustls"
version = "0.23.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "79adb16721f56eb2d843e67676896a61ce7a0fa622dc18d3e372477a029d2740"
dependencies = [
"once_cell",
"ring",
"rustls-pki-types",
"rustls-webpki 0.102.4",
"subtle",
"zeroize",
]
[[package]]
name = "rustls-native-certs"
version = "0.6.3"
@ -5499,6 +5512,19 @@ dependencies = [
"security-framework",
]
[[package]]
name = "rustls-native-certs"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f1fb85efa936c42c6d5fc28d2629bb51e4b2f4b8a5211e297d599cc5a093792"
dependencies = [
"openssl-probe",
"rustls-pemfile 2.1.2",
"rustls-pki-types",
"schannel",
"security-framework",
]
[[package]]
name = "rustls-pemfile"
version = "1.0.4"
@ -5524,14 +5550,52 @@ version = "1.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d"
[[package]]
name = "rustls-platform-verifier"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b5f0d26fa1ce3c790f9590868f0109289a044acb954525f933e2aa3b871c157d"
dependencies = [
"core-foundation",
"core-foundation-sys",
"jni 0.19.0",
"log",
"once_cell",
"rustls 0.23.8",
"rustls-native-certs 0.7.0",
"rustls-platform-verifier-android",
"rustls-webpki 0.102.4",
"security-framework",
"security-framework-sys",
"webpki-roots",
"winapi",
]
[[package]]
name = "rustls-platform-verifier-android"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "84e217e7fdc8466b5b35d30f8c0a30febd29173df4a3a0c2115d306b9c4117ad"
[[package]]
name = "rustls-webpki"
version = "0.101.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
dependencies = [
"ring 0.17.8",
"untrusted 0.9.0",
"ring",
"untrusted",
]
[[package]]
name = "rustls-webpki"
version = "0.102.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ff448f7e92e913c4b7d4c6d8e4540a1724b319b4152b8aef6d4cf8339712b33e"
dependencies = [
"ring",
"rustls-pki-types",
"untrusted",
]
[[package]]
@ -5640,8 +5704,8 @@ version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
dependencies = [
"ring 0.17.8",
"untrusted 0.9.0",
"ring",
"untrusted",
]
[[package]]
@ -5690,6 +5754,7 @@ dependencies = [
"core-foundation",
"core-foundation-sys",
"libc",
"num-bigint 0.4.5",
"security-framework-sys",
]
@ -6095,12 +6160,6 @@ dependencies = [
"syn 1.0.109",
]
[[package]]
name = "spin"
version = "0.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
[[package]]
name = "spin"
version = "0.9.8"
@ -6241,6 +6300,12 @@ dependencies = [
"syn 2.0.65",
]
[[package]]
name = "subtle"
version = "2.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc"
[[package]]
name = "sum_type"
version = "0.2.0"
@ -6525,7 +6590,7 @@ version = "0.24.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081"
dependencies = [
"rustls",
"rustls 0.21.12",
"tokio",
]
@ -6878,12 +6943,6 @@ version = "0.2.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c"
[[package]]
name = "untrusted"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
[[package]]
name = "untrusted"
version = "0.9.0"
@ -6977,7 +7036,7 @@ dependencies = [
"quinn",
"rayon",
"ron",
"rustls",
"rustls 0.23.8",
"rustyline",
"serde",
"specs",
@ -7211,7 +7270,7 @@ dependencies = [
"quinn",
"rand 0.8.5",
"rcgen",
"rustls",
"rustls 0.23.8",
"serde",
"shellexpand 3.1.0",
"socket2",
@ -7301,7 +7360,7 @@ dependencies = [
"refinery",
"ron",
"rusqlite",
"rustls",
"rustls 0.23.8",
"rustls-pemfile 2.1.2",
"schnellru",
"serde",
@ -8215,6 +8274,15 @@ dependencies = [
"wasm-bindgen",
]
[[package]]
name = "webpki-roots"
version = "0.26.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b3de34ae270483955a94f4b21bdaaeb83d508bb84a01435f393818edb0012009"
dependencies = [
"rustls-pki-types",
]
[[package]]
name = "wfd"
version = "0.1.7"
@ -9011,6 +9079,12 @@ dependencies = [
"syn 2.0.65",
]
[[package]]
name = "zeroize"
version = "1.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
[[package]]
name = "zstd"
version = "0.13.1"


@ -134,7 +134,7 @@ tokio = { version = "1.28", default-features = false, features = ["rt"] }
tracing = { version = "0.1" }
futures-util = { version = "0.3.7", default-features = false }
prometheus = { version = "0.13", default-features = false }
prometheus-hyper = "0.1.4"
prometheus-hyper = "0.1.5"
strum = { version = "0.24", features = ["derive"] }
enum-map = { version = "2.4" }
@ -161,9 +161,8 @@ async-trait = "0.1.42"
sha2 = "0.10"
hex = "0.4.3"
#TODO add features = ["std"] in 0.22
rustls = { version = "0.21", default-features = false }
quinn = { version = "0.10" }
rustls = { version = "0.23", default-features = false, features = ["std"] }
quinn = { version = "0.11" }
[patch.crates-io]
# until next specs release
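Review bot: The `#TODO add features = ["std"] in 0.22` comment directly above the rustls entry is now stale, because the new line `rustls = { version = "0.23", default-features = false, features = ["std"] }` does exactly what the TODO asked for. Drop the comment, or replace it with one that explains why default features stay off, e.g. `# default features off: the crypto provider is chosen by quinn's feature set`, only if that is in fact the reason. Leaving the TODO in place invites someone to "fix" it again on the next upgrade.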


@ -38,7 +38,7 @@ network = { package = "veloren-network", path = "../network", features = [
byteorder = "1.3.2"
tokio = { workspace = true, features = ["rt-multi-thread"] }
quinn = { workspace = true, features = ["rustls"] }
rustls = { workspace = true, features = ["dangerous_configuration"] }
rustls = { workspace = true }
hickory-resolver = { version = "0.24.0", features = [
"system-config",
"tokio-runtime",


@ -78,7 +78,7 @@ use image::DynamicImage;
use network::{ConnectAddr, Network, Participant, Pid, Stream};
use num::traits::FloatConst;
use rayon::prelude::*;
use rustls::client::ServerCertVerified;
use rustls::client::danger::ServerCertVerified;
use specs::Component;
use std::{
collections::{BTreeMap, VecDeque},
@ -86,7 +86,7 @@ use std::{
mem,
path::PathBuf,
sync::Arc,
time::{Duration, Instant, SystemTime},
time::{Duration, Instant},
};
use tokio::runtime::Runtime;
use tracing::{debug, error, trace, warn};
@ -352,34 +352,74 @@ async fn connect_quic(
validate_tls: bool,
) -> Result<network::Participant, crate::error::Error> {
let config = if validate_tls {
quinn::ClientConfig::with_native_roots()
quinn::ClientConfig::with_platform_verifier()
} else {
warn!(
"skipping validation of server identity. There is no guarantee that the server you're \
connected to is the one you expect to be connecting to."
);
#[derive(Debug)]
struct Verifier;
impl rustls::client::ServerCertVerifier for Verifier {
impl rustls::client::danger::ServerCertVerifier for Verifier {
fn verify_server_cert(
&self,
_: &rustls::Certificate,
_: &[rustls::Certificate],
_: &rustls::ServerName,
_: &mut dyn Iterator<Item = &[u8]>,
_: &[u8],
_: SystemTime,
_end_entity: &rustls::pki_types::CertificateDer<'_>,
_intermediates: &[rustls::pki_types::CertificateDer<'_>],
_server_name: &rustls::pki_types::ServerName<'_>,
_ocsp_response: &[u8],
_now: rustls::pki_types::UnixTime,
) -> Result<ServerCertVerified, rustls::Error> {
Ok(ServerCertVerified::assertion())
}
fn verify_tls12_signature(
&self,
_message: &[u8],
_cert: &rustls::pki_types::CertificateDer<'_>,
_dss: &rustls::DigitallySignedStruct,
) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error>
{
Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
}
fn verify_tls13_signature(
&self,
_message: &[u8],
_cert: &rustls::pki_types::CertificateDer<'_>,
_dss: &rustls::DigitallySignedStruct,
) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error>
{
Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
}
fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
vec![
rustls::SignatureScheme::RSA_PKCS1_SHA1,
rustls::SignatureScheme::ECDSA_SHA1_Legacy,
rustls::SignatureScheme::RSA_PKCS1_SHA256,
rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
rustls::SignatureScheme::RSA_PKCS1_SHA384,
rustls::SignatureScheme::ECDSA_NISTP384_SHA384,
rustls::SignatureScheme::RSA_PKCS1_SHA512,
rustls::SignatureScheme::ECDSA_NISTP521_SHA512,
rustls::SignatureScheme::RSA_PSS_SHA256,
rustls::SignatureScheme::RSA_PSS_SHA384,
rustls::SignatureScheme::RSA_PSS_SHA512,
rustls::SignatureScheme::ED25519,
rustls::SignatureScheme::ED448,
]
}
}
let mut cfg = rustls::ClientConfig::builder()
.with_safe_defaults()
.dangerous()
.with_custom_certificate_verifier(Arc::new(Verifier))
.with_no_client_auth();
cfg.enable_early_data = true;
quinn::ClientConfig::new(Arc::new(cfg))
quinn::ClientConfig::new(Arc::new(
quinn::crypto::rustls::QuicClientConfig::try_from(cfg).unwrap(),
))
};
addr::try_connect(network, &hostname, override_port, prefer_ipv6, |a| {
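Review bot: The new `verify_tls12_signature` and `verify_tls13_signature` bodies (right after `verify_server_cert` in the hunk) return `HandshakeSignatureValid::assertion()` unconditionally, and as far as I recall the rustls 0.21 trait's default implementations did verify the handshake signature against the presented certificate, so the `validate_tls == false` path now also drops the proof that the peer holds the private key for the certificate it sent, not only the chain check. The hand-written `supported_verify_schemes` list also advertises `RSA_PKCS1_SHA1` and `ECDSA_SHA1_Legacy`, which a default provider would not offer. If the intent is only to skip chain validation, delegating both hooks and the scheme list to the provider's `signature_verification_algorithms` via the `rustls::crypto::verify_tls12_signature`/`verify_tls13_signature` helpers keeps the previous behaviour (Cargo.lock lists `ring` under rustls 0.23.8, so the ring provider should be in the graph); I have not built this against the workspace feature set, so treat the sketch below as such. Separately, `QuicClientConfig::try_from(cfg).unwrap()` at the end of the hunk deserves an `.expect("default cipher suites include the TLS 1.3 suites QUIC requires")` or a mapping into the function's error type, since the function already returns `Result`. `connect_quic` starts before this hunk and its body continues after it.
```rust
// … unchanged: verify_server_cert (still accepts any chain while validate_tls is false) …
fn verify_tls12_signature(
    &self,
    message: &[u8],
    cert: &rustls::pki_types::CertificateDer<'_>,
    dss: &rustls::DigitallySignedStruct,
) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
    rustls::crypto::verify_tls12_signature(
        message,
        cert,
        dss,
        &rustls::crypto::ring::default_provider().signature_verification_algorithms,
    )
}
fn verify_tls13_signature(
    &self,
    message: &[u8],
    cert: &rustls::pki_types::CertificateDer<'_>,
    dss: &rustls::DigitallySignedStruct,
) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
    rustls::crypto::verify_tls13_signature(
        message,
        cert,
        dss,
        &rustls::crypto::ring::default_provider().signature_verification_algorithms,
    )
}
fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
    rustls::crypto::ring::default_provider()
        .signature_verification_algorithms
        .supported_schemes()
}
// … unchanged: ClientConfig builder and QuicClientConfig wrapping …
```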


@ -339,7 +339,7 @@ impl Protocols {
// a reverse DNS lookup
let connect_addr = ConnectAddr::Quic(
addr,
quinn::ClientConfig::with_native_roots(),
quinn::ClientConfig::with_platform_verifier(),
"TODO_remote_hostname".to_string(),
);
let _ = c2s_protocol_s.send((quic, connect_addr, cid));


@ -1,4 +1,5 @@
use lazy_static::*;
use rustls::pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer};
use std::{
net::{Ipv4Addr, SocketAddr},
sync::{
@ -108,15 +109,16 @@ pub fn quic() -> (ListenAddr, ConnectAddr) {
let key = cert.key_pair.serialize_der();
let cert = cert.cert.der();
let key = rustls::PrivateKey(key);
let cert = rustls::Certificate((*cert).to_vec());
let key = PrivateKeyDer::from(PrivatePkcs8KeyDer::from(key));
let mut root_store = rustls::RootCertStore::empty();
root_store.add(&cert).expect("cannot add cert to rootstore");
root_store
.add(cert.clone())
.expect("cannot add cert to rootstore");
let server_config = quinn::ServerConfig::with_single_cert(vec![cert], key)
let server_config = quinn::ServerConfig::with_single_cert(vec![cert.clone()], key)
.expect("Server Config Cert/Key failed");
let client_config = quinn::ClientConfig::with_root_certificates(root_store);
let client_config = quinn::ClientConfig::with_root_certificates(Arc::new(root_store)).unwrap();
use std::net::IpAddr;
(
ListenAddr::Quic(


@ -58,4 +58,4 @@ prometheus = { workspace = true }
chrono = { workspace = true }
[target.'cfg(windows)'.dependencies]
mimalloc = "0.1.29"
mimalloc = "0.1.29"


@ -111,6 +111,7 @@ use persistence::{
character_updater::CharacterUpdater,
};
use prometheus::Registry;
use rustls::pki_types::{CertificateDer, PrivateKeyDer};
use specs::{
shred::SendDispatcher, Builder, Entity as EcsEntity, Entity, Join, LendJoin, WorldExt,
};
@ -549,14 +550,14 @@ impl Server {
match || -> Result<_, Box<dyn std::error::Error>> {
let key = fs::read(key_file_path)?;
let key = if key_file_path.extension().map_or(false, |x| x == "der") {
rustls::PrivateKey(key)
PrivateKeyDer::try_from(key).map_err(|_| "No valid pem key in file")?
} else {
debug!("convert pem key to der");
let key = rustls_pemfile::read_all(&mut key.as_slice())
rustls_pemfile::read_all(&mut key.as_slice())
.find_map(|item| match item {
Ok(Item::Pkcs1Key(v)) => Some(v.secret_pkcs1_der().into()),
Ok(Item::Pkcs8Key(v)) => Some(v.secret_pkcs8_der().into()),
Ok(Item::Sec1Key(_)) => None,
Ok(Item::Pkcs1Key(v)) => Some(PrivateKeyDer::Pkcs1(v)),
Ok(Item::Pkcs8Key(v)) => Some(PrivateKeyDer::Pkcs8(v)),
Ok(Item::Sec1Key(v)) => Some(PrivateKeyDer::Sec1(v)),
Ok(Item::Crl(_)) => None,
Ok(Item::Csr(_)) => None,
Ok(Item::X509Certificate(_)) => None,
@ -566,18 +567,17 @@ impl Server {
None
},
})
.ok_or("No valid pem key in file")?;
rustls::PrivateKey(key)
.ok_or("No valid pem key in file")?
};
let cert_chain = fs::read(cert_file_path)?;
let cert_chain = if cert_file_path.extension().map_or(false, |x| x == "der")
{
vec![rustls::Certificate(cert_chain)]
vec![CertificateDer::from(cert_chain)]
} else {
debug!("convert pem cert to der");
rustls_pemfile::certs(&mut cert_chain.as_slice())
.filter_map(|item| match item {
Ok(cert) => Some(rustls::Certificate(cert.to_vec())),
Ok(cert) => Some(cert),
Err(e) => {
tracing::warn!(?e, "error while reading cert_file");
None
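Review bot: The error text in `PrivateKeyDer::try_from(key).map_err(|_| "No valid pem key in file")?` (first hunk, the `der` extension branch) is misleading: that branch handles a file whose extension is `der`, and the closure also discards the parse error, so a malformed DER key is reported as a PEM problem with no detail. Prefer `PrivateKeyDer::try_from(key).map_err(|e| format!("No valid der key in file: {e}"))?`, which still converts into the closure's `Box<dyn std::error::Error>` return type. The PEM branch now also accepts `Item::Sec1Key` where it previously returned `None`, which is a behaviour change worth a line in the commit message. The enclosing closure and `impl Server` method start before the first hunk and continue past the second.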