From b03d0dcc7b9e51dbf64ed272d660dbfcc81b4002 Mon Sep 17 00:00:00 2001
From: Laura
Date: Wed, 23 Aug 2023 06:35:36 +0200
Subject: [PATCH] Upgrade rustls and quinn

According to RUSTSEC-2023-0052 we need to upgrade rustls to 0.21 to get a fix for the issue which may or may not affect Veloren since it's about client certificates but with the absence of a PoC it seems like a good idea to upgrade anyway, just to be sure.

webpki has gone unmaintained (which rustls 0.20 depends on), starting with rustls 0.21 it depends on rustls-webpki which contains a fix for the issue.

Since quinn also depends on rustls 0.20 in 0.8 and 0.9 versions, we needed to upgrade it to 0.10 so that it depends on rustls 0.21 which we now use.
---
 Cargo.lock | 87 ++++++++++++++++++------------------------
 client/Cargo.toml | 2 +-
 network/Cargo.toml | 4 +-
 network/src/channel.rs | 26 +++++--------
 server/Cargo.toml | 4 +-
 5 files changed, 51 insertions(+), 72 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index a1b10639c3..b67444373b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2964,7 +2964,7 @@ dependencies = [
  "rustls-native-certs 0.5.0",
  "tokio",
  "tokio-rustls",
- "webpki 0.21.4",
+ "webpki",
 ]
 
 [[package]]
@@ -4856,55 +4856,50 @@ dependencies = [
 
 [[package]]
 name = "quinn"
-version = "0.8.5"
+version = "0.10.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5b435e71d9bfa0d8889927231970c51fb89c58fa63bffcab117c9c7a41e5ef8f"
+checksum = "8cc2c5017e4b43d5995dcea317bc46c1e09404c0a9664d2908f7f02dfe943d75"
 dependencies = [
  "bytes",
- "futures-channel",
- "futures-util",
- "fxhash",
+ "pin-project-lite",
  "quinn-proto",
  "quinn-udp",
- "rustls 0.20.8",
+ "rustc-hash",
+ "rustls 0.21.6",
  "thiserror",
  "tokio",
  "tracing",
- "webpki 0.22.0",
 ]
 
 [[package]]
 name = "quinn-proto"
-version = "0.8.4"
+version = "0.10.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3fce546b9688f767a57530652488420d419a8b1f44a478b451c3d1ab6d992a55"
+checksum = "b83c2a964b8b68e6c9c616f09b735b436a78843704fa6979a076073e622f69dc"
 dependencies = [
  "bytes",
- "fxhash",
  "rand 0.8.5",
  "ring",
- "rustls 0.20.8",
+ "rustc-hash",
+ "rustls 0.21.6",
  "rustls-native-certs 0.6.2",
- "rustls-pemfile 0.2.1",
  "slab",
  "thiserror",
  "tinyvec",
  "tracing",
- "webpki 0.22.0",
 ]
 
 [[package]]
 name = "quinn-udp"
-version = "0.1.4"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b07946277141531aea269befd949ed16b2c85a780ba1043244eda0969e538e54"
+checksum = "055b4e778e8feb9f93c4e439f71dc2156ef13360b432b799e179a8c4cdf0b1d7"
 dependencies = [
- "futures-util",
+ "bytes",
  "libc",
- "quinn-proto",
- "socket2 0.4.9",
- "tokio",
+ "socket2 0.5.2",
  "tracing",
+ "windows-sys 0.48.0",
 ]
 
 [[package]]
@@ -5454,19 +5449,19 @@ dependencies = [
  "log",
  "ring",
  "sct 0.6.1",
- "webpki 0.21.4",
+ "webpki",
 ]
 
 [[package]]
 name = "rustls"
-version = "0.20.8"
+version = "0.21.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fff78fc74d175294f4e83b28343315ffcfb114b156f0185e9741cb5570f50e2f"
+checksum = "1d1feddffcfcc0b33f5c6ce9a29e341e4cd59c3f78e7ee45f4a40c038b1d6cbb"
 dependencies = [
  "log",
  "ring",
+ "rustls-webpki",
  "sct 0.7.0",
- "webpki 0.22.0",
 ]
 
 [[package]]
@@ -5488,20 +5483,11 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0167bac7a9f490495f3c33013e7722b53cb087ecbe082fb0c6387c96f634ea50"
 dependencies = [
  "openssl-probe",
- "rustls-pemfile 1.0.2",
+ "rustls-pemfile",
  "schannel",
  "security-framework",
 ]
 
-[[package]]
-name = "rustls-pemfile"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9"
-dependencies = [
- "base64 0.13.1",
-]
-
 [[package]]
 name = "rustls-pemfile"
 version = "1.0.2"
@@ -5511,6 +5497,16 @@ dependencies = [
  "base64 0.21.0",
 ]
 
+[[package]]
+name = "rustls-webpki"
+version = "0.101.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d93931baf2d282fff8d3a532bbfd7653f734643161b87e3e01e59a04439bf0d"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
 [[package]]
 name = "rusttype"
 version = "0.7.9"
@@ -6537,9 +6533,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.28.0"
+version = "1.28.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3c786bf8134e5a3a166db9b29ab8f48134739014a3eca7bc6bfa95d673b136f"
+checksum = "94d7b1cfd2aa4011f2de74c2c4c63665e27a71006b0a192dcd2710272e73dfa2"
 dependencies = [
  "autocfg",
  "bytes",
@@ -6572,7 +6568,7 @@ checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6"
 dependencies = [
  "rustls 0.19.1",
  "tokio",
- "webpki 0.21.4",
+ "webpki",
 ]
 
 [[package]]
@@ -6656,6 +6652,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ce8c33a8d48bd45d624a6e523445fd21ec13d3653cd51f681abf67418f54eb8"
 dependencies = [
  "cfg-if 1.0.0",
+ "log",
  "pin-project-lite",
  "tracing-attributes",
  "tracing-core",
@@ -7233,7 +7230,7 @@ dependencies = [
  "quinn",
  "rand 0.8.5",
  "rcgen",
- "rustls 0.20.8",
+ "rustls 0.21.6",
  "serde",
  "shellexpand",
  "socket2 0.5.2",
@@ -7343,8 +7340,8 @@ dependencies = [
  "refinery",
  "ron 0.8.0",
  "rusqlite",
- "rustls 0.20.8",
- "rustls-pemfile 1.0.2",
+ "rustls 0.21.6",
+ "rustls-pemfile",
  "schnellru",
  "serde",
  "serde_json",
@@ -8136,16 +8133,6 @@ dependencies = [
  "untrusted",
 ]
 
-[[package]]
-name = "webpki"
-version = "0.22.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd"
-dependencies = [
- "ring",
- "untrusted",
-]
-
 [[package]]
 name = "wfd"
 version = "0.1.7"
diff --git a/client/Cargo.toml b/client/Cargo.toml
index 53c6720259..155e139c08 100644
--- a/client/Cargo.toml
+++ b/client/Cargo.toml
@@ -23,7 +23,7 @@ network = { package = "veloren-network", path = "../network", features = ["compr
 
 byteorder = "1.3.2"
 tokio = { workspace = true, features = ["rt-multi-thread"] }
-quinn = "0.8"
+quinn = "0.10"
 image = { workspace = true }
 num = { workspace = true }
 tracing = { workspace = true }
diff --git a/network/Cargo.toml b/network/Cargo.toml
index 49e552af6c..e1749ec61d 100644
--- a/network/Cargo.toml
+++ b/network/Cargo.toml
@@ -37,8 +37,8 @@ async-channel = "1.6" #use for .close() channels
 lazy_static = { workspace = true }
 rand = { workspace = true }
 #quic support
-quinn = { version = "0.8", optional = true }
-rustls = "0.20.1"
+quinn = { version = "0.10", optional = true }
+rustls = "0.21"
 #stream flags
 bitflags = { workspace = true }
 lz-fear = { version = "0.1.1", optional = true }
diff --git a/network/src/channel.rs b/network/src/channel.rs
index a1a1a34ad2..74715d2a0d 100644
--- a/network/src/channel.rs
+++ b/network/src/channel.rs
@@ -2,8 +2,6 @@ use crate::api::{ConnectAddr, NetworkConnectError};
 use async_trait::async_trait;
 use bytes::BytesMut;
 use futures_util::FutureExt;
-#[cfg(feature = "quic")]
-use futures_util::StreamExt;
 use hashbrown::HashMap;
 use network_protocol::{
     Bandwidth, Cid, InitProtocolError, MpscMsg, MpscRecvProtocol, MpscSendProtocol, Pid,
@@ -313,15 +311,12 @@ impl Protocols {
         s2s_stop_listening_r: oneshot::Receiver<()>,
         c2s_protocol_s: mpsc::UnboundedSender,
     ) -> io::Result<()> {
-        let (_endpoint, mut listener) = match quinn::Endpoint::server(server_config, addr) {
-            Ok(v) => v,
-            Err(e) => return Err(e),
-        };
+        let endpoint = quinn::Endpoint::server(server_config, addr)?;
         trace!(?addr, "Quic Listener bound");
         let mut end_receiver = s2s_stop_listening_r.fuse();
         tokio::spawn(async move {
             while let Some(Some(connecting)) = select! {
-                next = listener.next().fuse() => Some(next),
+                next = endpoint.accept().fuse() => Some(next),
                 _ = &mut end_receiver => None,
             } {
                 let remote_addr = anonymize_addr(&connecting.remote_address());
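Review bot: The `while let Some(Some(connecting)) = select! { ... }` loop in the QUIC listener now depends on two unstated facts: `endpoint.accept()` yields `None` only once the endpoint has been closed, and the stop receiver branch maps to `None`, so either ends the loop, which the doubled `Some` makes easy to misread. A comment above the loop would make this explicit, e.g. `// accept() yields None once the endpoint is closed; the stop signal also maps to None, so either ends the accept loop`. The `Endpoint` handle is also now moved into the spawned task instead of being held by the caller as `_endpoint`, so its lifetime is tied to that task — presumably intended, but worth a word in the same comment. The body of the accept loop continues past the end of the hunk.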
@@ -361,25 +356,24 @@ impl Protocols {
 
     #[cfg(feature = "quic")]
     pub(crate) async fn new_quic(
-        mut connection: quinn::NewConnection,
+        connection: quinn::Connection,
         listen: bool,
         metrics: ProtocolMetricCache,
     ) -> Result {
         let (sendstream, recvstream) = if listen {
-            connection.connection.open_bi().await?
+            connection.open_bi().await?
         } else {
             connection
-                .bi_streams
-                .next()
+                .accept_bi()
                 .await
-                .ok_or(quinn::ConnectionError::LocallyClosed)??
+                .or(Err(quinn::ConnectionError::LocallyClosed))?
         };
         let (recvstreams_s, recvstreams_r) = mpsc::unbounded_channel();
         let streams_s_clone = recvstreams_s.clone();
         let (sendstreams_s, sendstreams_r) = mpsc::unbounded_channel();
         let sp = QuicSendProtocol::new(
             QuicDrain {
-                con: connection.connection.clone(),
+                con: connection.clone(),
                 main: sendstream,
                 reliables: HashMap::new(),
                 recvstreams_s: streams_s_clone,
@@ -390,8 +384,7 @@ impl Protocols {
         spawn_new(recvstream, None, &recvstreams_s);
         let rp = QuicRecvProtocol::new(
             QuicSink {
-                con: connection.connection,
-                bi: connection.bi_streams,
+                con: connection,
                 recvstreams_r,
                 recvstreams_s,
                 sendstreams_s,
@@ -615,7 +608,6 @@ pub struct QuicDrain {
 pub struct QuicSink {
     #[allow(dead_code)]
     con: quinn::Connection,
-    bi: quinn::IncomingBiStreams,
     recvstreams_r: mpsc::UnboundedReceiver,
     recvstreams_s: mpsc::UnboundedSender,
     sendstreams_s: mpsc::UnboundedSender,
@@ -697,7 +689,7 @@ impl UnreliableSink for QuicSink {
             // first handle all bi streams!
             let (a, b) = select! {
                 biased;
-                Some(n) = self.bi.next().fuse() => (Some(n), None),
+                n = self.con.accept_bi().fuse() => (Some(n), None),
                 Some(n) = self.recvstreams_r.recv().fuse() => (None, Some(n)),
             };
 
diff --git a/server/Cargo.toml b/server/Cargo.toml
index 1e46c780b4..d5cf7043a4 100644
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
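Review bot: In `new_quic`, `connection.accept_bi().await.or(Err(quinn::ConnectionError::LocallyClosed))?` throws away the `ConnectionError` that `accept_bi()` actually returned (timeout, peer-initiated close, transport error) and reports every failure as `LocallyClosed`; the old code substituted `LocallyClosed` only when the stream sequence ended and still propagated the inner error with `??`. Since the `listen` branch already propagates the same error type with `connection.open_bi().await?`, the else branch can presumably do the same: `connection.accept_bi().await?`. Keeping the real error is what lets an operator tell a peer that closed early apart from a local shutdown when stream setup fails. The rest of the constructor (the `QuicRecvProtocol` build) continues in a later hunk.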
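Review bot: In the `UnreliableSink` select, the first branch is now `n = self.con.accept_bi().fuse() => (Some(n), None)` with no pattern guard, whereas the old `Some(n) = self.bi.next().fuse()` disabled that branch once the incoming-stream sequence ended. Under `biased;` ordering, once the connection is closed `accept_bi()` should resolve immediately with `Err` on every call, so this branch wins every iteration and the `recvstreams_r` branch can be starved; whether that spins or terminates depends on how the `Err` carried in `a` is handled after the hunk, which is not visible here. If that path does not end the sink, the `Err` from `accept_bi()` should be treated as terminal (return it from `recv`) rather than looping back into the select. The enclosing `recv` body starts and ends outside the hunk.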
@@ -40,8 +40,8 @@ vek = { workspace = true }
 futures-util = { workspace = true }
 tokio = { workspace = true }
 prometheus-hyper = { workspace = true }
-quinn = "0.8"
-rustls = { version = "0.20", default-features = false }
+quinn = "0.10"
+rustls = { version = "0.21", default-features = false }
 rustls-pemfile = { version = "1", default-features = false }
 atomicwrites = "0.4"
 chrono = { workspace = true }