From e534deefae06acd8793e112299c0151172a6a7ef Mon Sep 17 00:00:00 2001 From: Pierre HUBERT Date: Wed, 17 Jan 2024 19:52:28 +0100 Subject: [PATCH] Managed to update rustls to version 0.21 --- Cargo.lock | 52 +++++++------------ Cargo.toml | 7 +-- src/tcp_relay_client/relay_client.rs | 15 ++++-- src/tcp_relay_server/mod.rs | 2 +- .../tls_cert_client_verifier.rs | 13 +++-- 5 files changed, 41 insertions(+), 48 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 2faca6c..695d6e8 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -56,7 +56,7 @@ dependencies = [ "actix-tls", "actix-utils", "ahash", - "base64 0.21.7", + "base64", "bitflags 2.4.2", "brotli", "bytes", @@ -158,10 +158,10 @@ dependencies = [ "impl-more", "pin-project-lite", "tokio", - "tokio-rustls 0.23.4", + "tokio-rustls 0.24.1", "tokio-util", "tracing", - "webpki-roots 0.22.6", + "webpki-roots", ] [[package]] @@ -416,12 +416,6 @@ dependencies = [ "rustc-demangle", ] -[[package]] -name = "base64" -version = "0.13.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" - [[package]] name = "base64" version = "0.21.7" @@ -1294,7 +1288,7 @@ version = "3.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1b8fcc794035347fb64beda2d3b462595dd2753e3f268d89c5aae77e8cf2c310" dependencies = [ - "base64 0.21.7", + "base64", "serde", ] @@ -1426,7 +1420,7 @@ version = "0.11.23" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "37b1ae8d9ac08420c66222fb9096fc5de435c3c48542bc5336c51892cffafb41" dependencies = [ - "base64 0.21.7", + "base64", "bytes", "encoding_rs", "futures-core", @@ -1456,7 +1450,7 @@ dependencies = [ "wasm-bindgen", "wasm-bindgen-futures", "web-sys", - "webpki-roots 0.25.3", + "webpki-roots", "winreg", ] 
@@ -1568,7 +1562,7 @@ version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c" dependencies = [ - "base64 0.21.7", + "base64", ] [[package]] @@ -1577,7 +1571,7 @@ version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "35e4980fa29e4c4b212ffb3db068a564cbf560e51d3944b7c88bd8bf5bec64f4" dependencies = [ - "base64 0.21.7", + "base64", "rustls-pki-types", ] @@ -1836,7 +1830,8 @@ dependencies = [ "pem", "rand", "reqwest", - "rustls 0.20.9", + "rustls 0.21.10", + "rustls-native-certs", "rustls-pemfile 2.0.0", "serde", "tokio", @@ -1972,18 +1967,17 @@ dependencies = [ [[package]] name = "tokio-tungstenite" -version = "0.18.0" +version = "0.20.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "54319c93411147bced34cb5609a80e0a8e44c5999c93903a81cd866630ec0bfd" +checksum = "212d5dcb2a1ce06d81107c3d0ffa3121fe974b73f068c8282cb1c32328113b6c" dependencies = [ "futures-util", "log", - "rustls 0.20.9", + "rustls 0.21.10", "rustls-native-certs", "tokio", - "tokio-rustls 0.23.4", + "tokio-rustls 0.24.1", "tungstenite", - "webpki", ] [[package]] @@ -2034,23 +2028,22 @@ checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b" [[package]] name = "tungstenite" -version = "0.18.0" +version = "0.20.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "30ee6ab729cd4cf0fd55218530c4522ed30b7b6081752839b68fcec8d0960788" +checksum = "9e3dac10fd62eaf6617d3a904ae222845979aec67c615d1c842b4002c7666fb9" dependencies = [ - "base64 0.13.1", "byteorder", "bytes", + "data-encoding", "http", "httparse", "log", "rand", - "rustls 0.20.9", + "rustls 0.21.10", "sha1", "thiserror", "url", "utf-8", - "webpki", ] [[package]] 
@@ -2243,15 +2236,6 @@ dependencies = [ "untrusted 0.9.0", ] -[[package]] -name = "webpki-roots" -version = "0.22.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b6c71e40d7d2c34a5106301fb632274ca37242cd0c9d3e64dbece371a40a2d87" -dependencies = [ - "webpki", -] - [[package]] name = "webpki-roots" version = "0.25.3" diff --git a/Cargo.toml b/Cargo.toml index 1b30419..fe2d97f 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -9,7 +9,7 @@ clap = { version = "4.4.18", features = ["derive", "env"] } log = "0.4.20" env_logger = "0.10.1" actix = "0.13.1" -actix-web = { version = "4", features = ["rustls"] } +actix-web = { version = "4", features = ["rustls-0_21"] } actix-web-actors = "4.2.0" actix-tls = "3.1.1" serde = { version = "1.0.195", features = ["derive"] } @@ -19,12 +19,13 @@ webpki = "0.22.4" x509-parser = "0.15.1" pem = "3.0.3" reqwest = { version = "0.11.23", features = ["json", "rustls-tls"], default-features = false } -tokio-tungstenite = { version = "0.18.0", features = ["__rustls-tls", "rustls-tls-native-roots"] } +tokio-tungstenite = { version = "0.20.0", features = ["__rustls-tls", "rustls-tls-native-roots"] } urlencoding = "2.1.3" hyper-rustls = { version = "0.23.2", features = ["rustls-native-certs"] } bytes = "1.5.0" rustls-pemfile = "2.0.0" -rustls = { version = "0.20.7", features = ["dangerous_configuration"] } +rustls = { version = "0.21.0", features = ["dangerous_configuration"] } +rustls-native-certs = "0.6.3" [dev-dependencies] rand = "0.8.5" diff --git a/src/tcp_relay_client/relay_client.rs b/src/tcp_relay_client/relay_client.rs index eb44be1..1ae26e7 100644 --- a/src/tcp_relay_client/relay_client.rs +++ b/src/tcp_relay_client/relay_client.rs @@ -1,7 +1,6 @@ use std::sync::Arc; use futures::{SinkExt, StreamExt}; -use hyper_rustls::ConfigBuilderExt; use rustls::RootCertStore; use tokio::io::{AsyncReadExt, AsyncWriteExt}; use tokio::net::{TcpListener, TcpStream}; 
@@ -42,7 +41,17 @@ async fn relay_connection(ws_url: String, socket: TcpStream, conf: Arc config.with_native_roots(), + None => { + // Perform a connection over TLS + let mut roots = RootCertStore::empty(); + for cert in rustls_native_certs::load_native_certs() + .expect("Failed to load native certificates") + { + roots.add(&rustls::Certificate(cert.0)).unwrap(); + } + + config.with_root_certificates(roots) + } Some(cert) => { log::debug!("Using custom root certificates"); let mut store = RootCertStore::empty(); @@ -72,7 +81,7 @@ async fn relay_connection(ws_url: String, socket: TcpStream, conf: Arc std::io::Result<()> { }); if let Some(tls_conf) = tls_config { - server.bind_rustls(&args.listen_address, tls_conf)? + server.bind_rustls_021(&args.listen_address, tls_conf)? } else { server.bind(&args.listen_address)? } diff --git a/src/tcp_relay_server/tls_cert_client_verifier.rs b/src/tcp_relay_server/tls_cert_client_verifier.rs index 88ce931..010486a 100644 --- a/src/tcp_relay_server/tls_cert_client_verifier.rs +++ b/src/tcp_relay_server/tls_cert_client_verifier.rs @@ -1,9 +1,8 @@ use std::sync::Arc; use std::time::SystemTime; -use rustls::internal::msgs::enums::AlertDescription; use rustls::server::{AllowAnyAuthenticatedClient, ClientCertVerified, ClientCertVerifier}; -use rustls::{Certificate, DistinguishedNames, Error, RootCertStore}; +use rustls::{AlertDescription, Certificate, DistinguishedName, Error, RootCertStore}; use x509_parser::prelude::{CertificateRevocationList, FromDer, X509Certificate}; use crate::base::cert_utils::parse_pem_certificates; @@ -61,7 +60,7 @@ impl CustomCertClientVerifier { }; Ok(Self { - upstream_cert_verifier: Box::new(AllowAnyAuthenticatedClient::new(store)), + upstream_cert_verifier: Box::new(Arc::new(AllowAnyAuthenticatedClient::new(store))), crl, }) } 
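Review bot: In the new `None` branch, `roots.add(&rustls::Certificate(cert.0)).unwrap()` panics as soon as the platform trust store holds one certificate rustls cannot parse, and a store that ends up empty is accepted silently, so the failure shows up later as an unknown-issuer error on every handshake instead of at the point the config is built. The `hyper_rustls::ConfigBuilderExt::with_native_roots` call this replaces skipped unparsable certificates and asserted that at least one root was loaded; the replacement should keep both behaviours, e.g. via `RootCertStore::add_parsable_certificates`, which rustls 0.21 provides. Whether `relay_connection` returns a `Result` is not visible here (its signature is only partly shown and its body continues outside the hunk); if it does, turn the empty-store case into an error rather than an `assert!`. Because this code runs per relayed connection, the native store is also re-read and re-parsed for every connection; building the `ClientConfig` once and sharing it behind an `Arc` would avoid that, if the surrounding code allows.
```rust
None => {
    // Perform a connection over TLS, trusting the platform's root store.
    // Unparsable roots are skipped (as hyper-rustls' with_native_roots did)
    // instead of aborting; an empty store is rejected here so a broken
    // trust store surfaces now rather than as UnknownIssuer on every handshake.
    let native: Vec<Vec<u8>> = rustls_native_certs::load_native_certs()
        .expect("Failed to load native certificates")
        .into_iter()
        .map(|cert| cert.0)
        .collect();
    let mut roots = RootCertStore::empty();
    let (valid, invalid) = roots.add_parsable_certificates(&native);
    log::debug!("Loaded {valid} native root certificates, skipped {invalid} unparsable");
    assert!(valid > 0, "no usable native root certificates found");

    config.with_root_certificates(roots)
}
// … unchanged: Some(cert) branch using custom root certificates …
```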
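Review bot: `Box::new(Arc::new(AllowAnyAuthenticatedClient::new(store)))` in `CustomCertClientVerifier`'s constructor now keeps the upstream verifier behind two pointers; this presumably only type-checks because the field was declared around rustls 0.20's `new` returning an `Arc<dyn ClientCertVerifier>` (the field declaration is outside this hunk, so that is inferred). In rustls 0.21 `new` returns the concrete verifier and `.boxed()` yields an `Arc<dyn ClientCertVerifier>`, so `upstream_cert_verifier: AllowAnyAuthenticatedClient::new(store).boxed(),` with the field retyped to `Arc<dyn ClientCertVerifier>` drops the redundant allocation and indirection without changing how `verify_client_cert` delegates to it. The enclosing `fn new` starts outside the hunk.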
@@ -72,12 +71,12 @@ impl ClientCertVerifier for CustomCertClientVerifier { true } - fn client_auth_mandatory(&self) -> Option { - Some(true) + fn client_auth_mandatory(&self) -> bool { + true } - fn client_auth_root_subjects(&self) -> Option { - Some(vec![]) + fn client_auth_root_subjects(&self) -> &[DistinguishedName] { + &[] } fn verify_client_cert(
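Review bot: `client_auth_root_subjects` now returns `&[]`, so the server's CertificateRequest advertises no acceptable CA names; that preserves the old `Some(vec![])`, but nothing documents why the subjects of the configured root store are not forwarded, and a client holding several certificates has no hint which one to present. If withholding the list is deliberate (it avoids telling unauthenticated peers which CAs are trusted), state it above the method, e.g. `// Deliberately empty: accepted CA subjects are not advertised in the CertificateRequest; validation of the presented chain happens in verify_client_cert.`; otherwise delegate with `self.upstream_cert_verifier.client_auth_root_subjects()`, which rustls 0.21's `AllowAnyAuthenticatedClient` derives from its root store. `client_auth_mandatory` returning `true` keeps anonymous clients rejected, which is the right fail-closed default for a certificate-authenticated relay and worth a one-line comment as well. `verify_client_cert` is cut off at the end of the hunk, so its handling of the empty subject list could not be checked here.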