Upgrade rustls and quinn

According to RUSTSEC-2023-0052 we need to upgrade rustls to 0.21
to get a fix for the issue which may or may not affect Veloren
since it's about client certificates but with the absence of a
PoC it seems like a good idea to upgrade anyway, just to be sure.

webpki has gone unmaintained (which rustls 0.20 depends on),
starting with rustls 0.21 it depends on rustls-webpki which
contains a fix for the issue. Since quinn also depends on
rustls 0.20 in 0.8 and 0.9 versions, we needed to upgrade it to
0.10 so that it depends on rustls 0.21 which we now use.

Cargo.lock

@@ -2964,7 +2964,7 @@ dependencies = [
  "rustls-native-certs 0.5.0",
  "tokio",
  "tokio-rustls",
- "webpki 0.21.4",
+ "webpki",
 ]
 
 [[package]]
@@ -4856,55 +4856,50 @@ dependencies = [
 
 [[package]]
 name = "quinn"
-version = "0.8.5"
+version = "0.10.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5b435e71d9bfa0d8889927231970c51fb89c58fa63bffcab117c9c7a41e5ef8f"
+checksum = "8cc2c5017e4b43d5995dcea317bc46c1e09404c0a9664d2908f7f02dfe943d75"
 dependencies = [
  "bytes",
- "futures-channel",
+ "pin-project-lite",
- "futures-util",
- "fxhash",
  "quinn-proto",
  "quinn-udp",
- "rustls 0.20.8",
+ "rustc-hash",
+ "rustls 0.21.6",
  "thiserror",
  "tokio",
  "tracing",
- "webpki 0.22.0",
 ]
 
 [[package]]
 name = "quinn-proto"
-version = "0.8.4"
+version = "0.10.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3fce546b9688f767a57530652488420d419a8b1f44a478b451c3d1ab6d992a55"
+checksum = "b83c2a964b8b68e6c9c616f09b735b436a78843704fa6979a076073e622f69dc"
 dependencies = [
  "bytes",
- "fxhash",
  "rand 0.8.5",
  "ring",
- "rustls 0.20.8",
+ "rustc-hash",
+ "rustls 0.21.6",
  "rustls-native-certs 0.6.2",
- "rustls-pemfile 0.2.1",
  "slab",
  "thiserror",
  "tinyvec",
  "tracing",
- "webpki 0.22.0",
 ]
 
 [[package]]
 name = "quinn-udp"
-version = "0.1.4"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b07946277141531aea269befd949ed16b2c85a780ba1043244eda0969e538e54"
+checksum = "055b4e778e8feb9f93c4e439f71dc2156ef13360b432b799e179a8c4cdf0b1d7"
 dependencies = [
- "futures-util",
+ "bytes",
  "libc",
- "quinn-proto",
+ "socket2 0.5.2",
- "socket2 0.4.9",
- "tokio",
  "tracing",
+ "windows-sys 0.48.0",
 ]
 
 [[package]]
@@ -5454,19 +5449,19 @@ dependencies = [
  "log",
  "ring",
  "sct 0.6.1",
- "webpki 0.21.4",
+ "webpki",
 ]
 
 [[package]]
 name = "rustls"
-version = "0.20.8"
+version = "0.21.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fff78fc74d175294f4e83b28343315ffcfb114b156f0185e9741cb5570f50e2f"
+checksum = "1d1feddffcfcc0b33f5c6ce9a29e341e4cd59c3f78e7ee45f4a40c038b1d6cbb"
 dependencies = [
  "log",
  "ring",
+ "rustls-webpki",
  "sct 0.7.0",
- "webpki 0.22.0",
 ]
 
 [[package]]
@@ -5488,20 +5483,11 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0167bac7a9f490495f3c33013e7722b53cb087ecbe082fb0c6387c96f634ea50"
 dependencies = [
  "openssl-probe",
- "rustls-pemfile 1.0.2",
+ "rustls-pemfile",
  "schannel",
  "security-framework",
 ]
 
-[[package]]
-name = "rustls-pemfile"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9"
-dependencies = [
- "base64 0.13.1",
-]
-
 [[package]]
 name = "rustls-pemfile"
 version = "1.0.2"
@@ -5511,6 +5497,16 @@ dependencies = [
  "base64 0.21.0",
 ]
 
+[[package]]
+name = "rustls-webpki"
+version = "0.101.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d93931baf2d282fff8d3a532bbfd7653f734643161b87e3e01e59a04439bf0d"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
 [[package]]
 name = "rusttype"
 version = "0.7.9"
@@ -6537,9 +6533,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.28.0"
+version = "1.28.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3c786bf8134e5a3a166db9b29ab8f48134739014a3eca7bc6bfa95d673b136f"
+checksum = "94d7b1cfd2aa4011f2de74c2c4c63665e27a71006b0a192dcd2710272e73dfa2"
 dependencies = [
  "autocfg",
  "bytes",
@@ -6572,7 +6568,7 @@ checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6"
 dependencies = [
  "rustls 0.19.1",
  "tokio",
- "webpki 0.21.4",
+ "webpki",
 ]
 
 [[package]]
@@ -6656,6 +6652,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ce8c33a8d48bd45d624a6e523445fd21ec13d3653cd51f681abf67418f54eb8"
 dependencies = [
  "cfg-if 1.0.0",
+ "log",
  "pin-project-lite",
  "tracing-attributes",
  "tracing-core",
@@ -7233,7 +7230,7 @@ dependencies = [
  "quinn",
  "rand 0.8.5",
  "rcgen",
- "rustls 0.20.8",
+ "rustls 0.21.6",
  "serde",
  "shellexpand",
  "socket2 0.5.2",
@@ -7343,8 +7340,8 @@ dependencies = [
  "refinery",
  "ron 0.8.0",
  "rusqlite",
- "rustls 0.20.8",
+ "rustls 0.21.6",
- "rustls-pemfile 1.0.2",
+ "rustls-pemfile",
  "schnellru",
  "serde",
  "serde_json",
@@ -8136,16 +8133,6 @@ dependencies = [
  "untrusted",
 ]
 
-[[package]]
-name = "webpki"
-version = "0.22.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd"
-dependencies = [
- "ring",
- "untrusted",
-]
-
 [[package]]
 name = "wfd"
 version = "0.1.7"

client/Cargo.toml

@@ -23,7 +23,7 @@ network = { package = "veloren-network", path = "../network", features = ["compr
 
 byteorder = "1.3.2"
 tokio = { workspace = true, features = ["rt-multi-thread"] }
-quinn = "0.8"
+quinn = "0.10"
 image = { workspace = true }
 num = { workspace = true }
 tracing = { workspace = true }

network/Cargo.toml

@@ -37,8 +37,8 @@ async-channel = "1.6" #use for .close() channels
 lazy_static = { workspace = true }
 rand = { workspace = true }
 #quic support
-quinn = { version = "0.8", optional = true }
+quinn = { version = "0.10", optional = true }
-rustls = "0.20.1"
+rustls = "0.21"
 #stream flags
 bitflags = { workspace = true }
 lz-fear = { version = "0.1.1", optional = true }

network/src/channel.rs

@@ -2,8 +2,6 @@ use crate::api::{ConnectAddr, NetworkConnectError};
 use async_trait::async_trait;
 use bytes::BytesMut;
 use futures_util::FutureExt;
-#[cfg(feature = "quic")]
-use futures_util::StreamExt;
 use hashbrown::HashMap;
 use network_protocol::{
     Bandwidth, Cid, InitProtocolError, MpscMsg, MpscRecvProtocol, MpscSendProtocol, Pid,
@@ -313,15 +311,12 @@ impl Protocols {
         s2s_stop_listening_r: oneshot::Receiver<()>,
         c2s_protocol_s: mpsc::UnboundedSender<C2sProtocol>,
     ) -> io::Result<()> {
-        let (_endpoint, mut listener) = match quinn::Endpoint::server(server_config, addr) {
+        let endpoint = quinn::Endpoint::server(server_config, addr)?;
-            Ok(v) => v,
-            Err(e) => return Err(e),
-        };
         trace!(?addr, "Quic Listener bound");
         let mut end_receiver = s2s_stop_listening_r.fuse();
         tokio::spawn(async move {
             while let Some(Some(connecting)) = select! {
-                next = listener.next().fuse() => Some(next),
+                next = endpoint.accept().fuse() => Some(next),
                 _ = &mut end_receiver => None,
             } {
                 let remote_addr = anonymize_addr(&connecting.remote_address());
@@ -361,25 +356,24 @@ impl Protocols {
 
     #[cfg(feature = "quic")]
     pub(crate) async fn new_quic(
-        mut connection: quinn::NewConnection,
+        connection: quinn::Connection,
         listen: bool,
         metrics: ProtocolMetricCache,
     ) -> Result<Self, quinn::ConnectionError> {
         let (sendstream, recvstream) = if listen {
-            connection.connection.open_bi().await?
+            connection.open_bi().await?
         } else {
             connection
-                .bi_streams
+                .accept_bi()
-                .next()
                 .await
-                .ok_or(quinn::ConnectionError::LocallyClosed)??
+                .or(Err(quinn::ConnectionError::LocallyClosed))?
         };
         let (recvstreams_s, recvstreams_r) = mpsc::unbounded_channel();
         let streams_s_clone = recvstreams_s.clone();
         let (sendstreams_s, sendstreams_r) = mpsc::unbounded_channel();
         let sp = QuicSendProtocol::new(
             QuicDrain {
-                con: connection.connection.clone(),
+                con: connection.clone(),
                 main: sendstream,
                 reliables: HashMap::new(),
                 recvstreams_s: streams_s_clone,
@@ -390,8 +384,7 @@ impl Protocols {
         spawn_new(recvstream, None, &recvstreams_s);
         let rp = QuicRecvProtocol::new(
             QuicSink {
-                con: connection.connection,
+                con: connection,
-                bi: connection.bi_streams,
                 recvstreams_r,
                 recvstreams_s,
                 sendstreams_s,
@@ -615,7 +608,6 @@ pub struct QuicDrain {
 pub struct QuicSink {
     #[allow(dead_code)]
     con: quinn::Connection,
-    bi: quinn::IncomingBiStreams,
     recvstreams_r: mpsc::UnboundedReceiver<QuicStream>,
     recvstreams_s: mpsc::UnboundedSender<QuicStream>,
     sendstreams_s: mpsc::UnboundedSender<quinn::SendStream>,
@@ -697,7 +689,7 @@ impl UnreliableSink for QuicSink {
             // first handle all bi streams!
             let (a, b) = select! {
                 biased;
-                Some(n) = self.bi.next().fuse() => (Some(n), None),
+                n = self.con.accept_bi().fuse() => (Some(n), None),
                 Some(n) = self.recvstreams_r.recv().fuse() => (None, Some(n)),
             };
 

server/Cargo.toml

@@ -40,8 +40,8 @@ vek = { workspace = true }
 futures-util = { workspace = true }
 tokio = { workspace = true }
 prometheus-hyper = { workspace = true }
-quinn = "0.8"
+quinn = "0.10"
-rustls = { version = "0.20", default-features = false }
+rustls = { version = "0.21", default-features = false }
 rustls-pemfile = { version = "1", default-features = false }
 atomicwrites = "0.4"
 chrono = { workspace = true }