
  1. From 3ff2eaf41eb5ac9321620e5a6434d5b5ec6f313f Mon Sep 17 00:00:00 2001
  2. From: Oliver Gould <ver@buoyant.io>
  3. Date: Wed, 29 Dec 2021 14:49:14 -0800
  4. Subject: [PATCH] Update tokio-rustls to v0.23 (#927)
  5. This change bumps the tokio-rustls version to pick up the new version of
  6. rustls.
  7. This helps to avoid duplicate dependencies when using other libraries
  8. that depend on rustls.
  9. Upstream: https://github.com/seanmonstar/warp/pull/927
  10. To account for crates.io renaming Cargo.toml -> Cargo.toml.orig, the
  11. patch has been tweaked.
  12. ---
  13. Cargo.toml.orig | 3 ++-
  14. src/tls.rs | 55 +++++++++++++++++++++++++++++-------------------------
  15. 2 files changed, 32 insertions(+), 26 deletions(-)
  16. diff --git a/Cargo.toml.orig b/Cargo.toml.orig
  17. index efbb69c..633b73e 100644
  18. --- a/Cargo.toml.orig
  19. +++ b/Cargo.toml.orig
  20. @@ -40,7 +40,8 @@ tower-service = "0.3"
  21. tokio-tungstenite = { version = "0.15", optional = true }
  22. percent-encoding = "2.1"
  23. pin-project = "1.0"
  24. -tokio-rustls = { version = "0.22", optional = true }
  25. +tokio-rustls = { version = "0.23", optional = true }
  26. +rustls-pemfile = "0.2"
  27. [dev-dependencies]
  28. pretty_env_logger = "0.4"
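Review bot: `rustls-pemfile = "0.2"` is added as an unconditional dependency while the crate it accompanies, `tokio-rustls`, stays `optional = true` on the line above; in this patch the new crate is only used by src/tls.rs, which presumably sits behind the same feature that enables tokio-rustls. If so, `rustls-pemfile = { version = "0.2", optional = true }` plus listing it in that feature keeps the extra crate out of builds that do not use TLS and narrows what downstream users pull in. The feature table is outside this hunk, so the wiring cannot be confirmed from here.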
  29. diff --git a/src/tls.rs b/src/tls.rs
  30. index 79a342e..1f81a6b 100644
  31. --- a/src/tls.rs
  32. +++ b/src/tls.rs
  33. @@ -15,8 +15,8 @@ use hyper::server::conn::{AddrIncoming, AddrStream};
  34. use crate::transport::Transport;
  35. use tokio_rustls::rustls::{
  36. - AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, NoClientAuth,
  37. - RootCertStore, ServerConfig, TLSError,
  38. + server::{AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, NoClientAuth},
  39. + Certificate, Error as TlsError, PrivateKey, RootCertStore, ServerConfig,
  40. };
  41. /// Represents errors that can occur building the TlsConfig
  42. @@ -32,7 +32,7 @@ pub(crate) enum TlsConfigError {
  43. /// An error from an empty key
  44. EmptyKey,
  45. /// An error from an invalid key
  46. - InvalidKey(TLSError),
  47. + InvalidKey(TlsError),
  48. }
  49. impl fmt::Display for TlsConfigError {
  50. @@ -169,8 +169,11 @@ impl TlsConfigBuilder {
  51. pub(crate) fn build(mut self) -> Result<ServerConfig, TlsConfigError> {
  52. let mut cert_rdr = BufReader::new(self.cert);
  53. - let cert = tokio_rustls::rustls::internal::pemfile::certs(&mut cert_rdr)
  54. - .map_err(|()| TlsConfigError::CertParseError)?;
  55. + let cert = rustls_pemfile::certs(&mut cert_rdr)
  56. + .map_err(|_e| TlsConfigError::CertParseError)?
  57. + .into_iter()
  58. + .map(Certificate)
  59. + .collect();
  60. let key = {
  61. // convert it to Vec<u8> to allow reading it again if key is RSA
  62. @@ -183,21 +186,17 @@ impl TlsConfigBuilder {
  63. return Err(TlsConfigError::EmptyKey);
  64. }
  65. - let mut pkcs8 = tokio_rustls::rustls::internal::pemfile::pkcs8_private_keys(
  66. - &mut key_vec.as_slice(),
  67. - )
  68. - .map_err(|()| TlsConfigError::Pkcs8ParseError)?;
  69. + let mut pkcs8 = rustls_pemfile::pkcs8_private_keys(&mut key_vec.as_slice())
  70. + .map_err(|_e| TlsConfigError::Pkcs8ParseError)?;
  71. if !pkcs8.is_empty() {
  72. - pkcs8.remove(0)
  73. + PrivateKey(pkcs8.remove(0))
  74. } else {
  75. - let mut rsa = tokio_rustls::rustls::internal::pemfile::rsa_private_keys(
  76. - &mut key_vec.as_slice(),
  77. - )
  78. - .map_err(|()| TlsConfigError::RsaParseError)?;
  79. + let mut rsa = rustls_pemfile::rsa_private_keys(&mut key_vec.as_slice())
  80. + .map_err(|_e| TlsConfigError::RsaParseError)?;
  81. if !rsa.is_empty() {
  82. - rsa.remove(0)
  83. + PrivateKey(rsa.remove(0))
  84. } else {
  85. return Err(TlsConfigError::EmptyKey);
  86. }
  87. @@ -207,13 +206,18 @@ impl TlsConfigBuilder {
  88. fn read_trust_anchor(
  89. trust_anchor: Box<dyn Read + Send + Sync>,
  90. ) -> Result<RootCertStore, TlsConfigError> {
  91. - let mut reader = BufReader::new(trust_anchor);
  92. + let trust_anchors = {
  93. + let mut reader = BufReader::new(trust_anchor);
  94. + rustls_pemfile::certs(&mut reader).map_err(TlsConfigError::Io)?
  95. + };
  96. +
  97. let mut store = RootCertStore::empty();
  98. - if let Ok((0, _)) | Err(()) = store.add_pem_file(&mut reader) {
  99. - Err(TlsConfigError::CertParseError)
  100. - } else {
  101. - Ok(store)
  102. + let (added, _skipped) = store.add_parsable_certificates(&trust_anchors);
  103. + if added == 0 {
  104. + return Err(TlsConfigError::CertParseError);
  105. }
  106. +
  107. + Ok(store)
  108. }
  109. let client_auth = match self.client_auth {
  110. @@ -226,11 +230,12 @@ impl TlsConfigBuilder {
  111. }
  112. };
  113. - let mut config = ServerConfig::new(client_auth);
  114. - config
  115. - .set_single_cert_with_ocsp_and_sct(cert, key, self.ocsp_resp, Vec::new())
  116. - .map_err(|err| TlsConfigError::InvalidKey(err))?;
  117. - config.set_protocols(&["h2".into(), "http/1.1".into()]);
  118. + let mut config = ServerConfig::builder()
  119. + .with_safe_defaults()
  120. + .with_client_cert_verifier(client_auth.into())
  121. + .with_single_cert_with_ocsp_and_sct(cert, key, self.ocsp_resp, Vec::new())
  122. + .map_err(TlsConfigError::InvalidKey)?;
  123. + config.alpn_protocols = vec!["h2".into(), "http/1.1".into()];
  124. Ok(config)
  125. }
  126. }
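Review bot: In read_trust_anchor, a PEM that rustls_pemfile::certs cannot parse now surfaces as `TlsConfigError::Io`, whereas the same call in build() (the hunk at `@@ -169`) maps that error to `TlsConfigError::CertParseError` and the replaced `add_pem_file` path reported CertParseError too, so callers matching on the variant get a different error for the same malformed trust-anchor file. Mapping it the same way, `rustls_pemfile::certs(&mut reader).map_err(|_e| TlsConfigError::CertParseError)?`, keeps the two paths consistent; if the I/O cause is worth preserving, the build() arms could adopt `Io` instead, but the choice should be the same in both places. The `_skipped` count from `add_parsable_certificates` is also discarded, so a trust-anchor bundle in which some certificates are unparsable loads silently as long as one is added — behaviour the old add_pem_file shared, but worth a comment such as `// unparsable entries in the bundle are ignored; only an empty result is an error` so the leniency reads as deliberate rather than accidental.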
  127. --
  128. 2.30.2