Update Rust crate hyper-rustls to 0.24.1

2023-08-26 00:36:04 +00:00
7 changed files with 699 additions and 972 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -5,28 +5,27 @@ edition = "2021"
 description = "TCP-over-HTTP solution"

 [dependencies]
-clap = { version = "4.5.4", features = ["derive", "env"] }
-log = "0.4.21"
-env_logger = "0.11.3"
-actix = "0.13.3"
-actix-web = { version = "4.5.1", features = ["rustls-0_21"] }
-actix-web-actors = "4.3.0"
-actix-tls = "3.3.0"
-serde = { version = "1.0.200", features = ["derive"] }
-tokio = { version = "1.37.0", features = ["full"] }
-futures = "0.3.30"
-webpki = "0.22.4"
-x509-parser = "0.16.0"
-pem = "3.0.4"
-reqwest = { version = "0.12.4", features = ["json", "rustls-tls"], default-features = false }
-tokio-tungstenite = { version = "0.20.0", features = ["__rustls-tls", "rustls-tls-native-roots"] }
+clap = { version = "4.3.23", features = ["derive", "env"] }
+log = "0.4.20"
+env_logger = "0.10.0"
+actix = "0.13.0"
+actix-web = { version = "4", features = ["rustls"] }
+actix-web-actors = "4.2.0"
+actix-tls = "3.0.3"
+serde = { version = "1.0.185", features = ["derive"] }
+tokio = { version = "1", features = ["full"] }
+futures = "0.3.25"
+webpki = "0.22.0"
+x509-parser = "0.15.1"
+pem = "3.0.2"
+reqwest = { version = "0.11", features = ["json", "rustls-tls"], default-features = false }
+tokio-tungstenite = { version = "0.18.0", features = ["__rustls-tls", "rustls-tls-native-roots"] }
 urlencoding = "2.1.3"
-hyper-rustls = { version = "0.23.2", features = ["rustls-native-certs"] }
-bytes = "1.6.0"
-rustls-pemfile = "2.0.0"
-rustls = { version = "0.21.0", features = ["dangerous_configuration"] }
-rustls-native-certs = "0.6.3"
+hyper-rustls = { version = "0.24.1", features = ["rustls-native-certs"] }
+bytes = "1.4.0"
+rustls-pemfile = "1.0.3"
+rustls = { version = "0.20.7", features = ["dangerous_configuration"] }

 [dev-dependencies]
 rand = "0.8.5"
-mktemp = "0.5.1"
+mktemp = "0.5.0"
--- a/renovate.json
+++ b/renovate.json
@ -2,7 +2,7 @@
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "packageRules": [
    {
-      "matchUpdateTypes": ["major", "minor", "patch"],
+      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ]
--- a/src/base/cert_utils.rs
+++ b/src/base/cert_utils.rs
@ -2,15 +2,16 @@ use std::error::Error;
 use std::io::{Cursor, ErrorKind};

 use rustls::{Certificate, PrivateKey};
-use rustls_pemfile::Item;
+use rustls_pemfile::{read_one, Item};

 /// Parse PEM certificates bytes into a [`rustls::Certificate`] structure
 ///
 /// An error is returned if not any certificate could be found
 pub fn parse_pem_certificates(certs: &[u8]) -> Result<Vec<Certificate>, Box<dyn Error>> {
-    let certs = rustls_pemfile::certs(&mut Cursor::new(certs))
-        .map(|c| c.map(|c| Certificate(c.to_vec())))
-        .collect::<Result<Vec<_>, _>>()?;
+    let certs = rustls_pemfile::certs(&mut Cursor::new(certs))?
+        .into_iter()
+        .map(Certificate)
+        .collect::<Vec<_>>();

    if certs.is_empty() {
        Err(std::io::Error::new(
@ -25,7 +26,7 @@ pub fn parse_pem_certificates(certs: &[u8]) -> Result<Vec<Certificate>, Box<dyn

 /// Parse PEM private key bytes into a [`rustls::PrivateKey`] structure
 pub fn parse_pem_private_key(privkey: &[u8]) -> Result<PrivateKey, Box<dyn Error>> {
-    let key = match rustls_pemfile::read_one(&mut Cursor::new(privkey))? {
+    let key = match read_one(&mut Cursor::new(privkey))? {
        None => {
            Err(std::io::Error::new(
                ErrorKind::Other,
@ -33,8 +34,8 @@ pub fn parse_pem_private_key(privkey: &[u8]) -> Result<PrivateKey, Box<dyn Error
            ))?;
            unreachable!()
        }
-        Some(Item::Pkcs8Key(key)) => key.secret_pkcs8_der().to_vec(),
-        Some(Item::Pkcs1Key(key)) => key.secret_pkcs1_der().to_vec(),
+        Some(Item::PKCS8Key(key)) => key,
+        Some(Item::RSAKey(key)) => key,
        _ => {
            Err(std::io::Error::new(
                ErrorKind::Other,
--- a/src/tcp_relay_client/relay_client.rs
+++ b/src/tcp_relay_client/relay_client.rs
@ -1,6 +1,7 @@
 use std::sync::Arc;

 use futures::{SinkExt, StreamExt};
+use hyper_rustls::ConfigBuilderExt;
 use rustls::RootCertStore;
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::{TcpListener, TcpStream};
@ -41,17 +42,7 @@ async fn relay_connection(ws_url: String, socket: TcpStream, conf: Arc<ClientCon
        let config = rustls::ClientConfig::builder().with_safe_defaults();

        let config = match conf.get_root_certificate() {
-            None => {
-                // Perform a connection over TLS
-                let mut roots = RootCertStore::empty();
-                for cert in rustls_native_certs::load_native_certs()
-                    .expect("Failed to load native certificates")
-                {
-                    roots.add(&rustls::Certificate(cert.0)).unwrap();
-                }
-
-                config.with_root_certificates(roots)
-            }
+            None => config.with_native_roots(),
            Some(cert) => {
                log::debug!("Using custom root certificates");
                let mut store = RootCertStore::empty();
@ -74,14 +65,14 @@ async fn relay_connection(ws_url: String, socket: TcpStream, conf: Arc<ClientCon
                    .expect("Failed to parse client auth private key!");

                config
-                    .with_client_auth_cert(certs, key)
+                    .with_single_cert(certs, key)
                    .expect("Failed to set client certificate!")
            }
        };
        let connector = tokio_tungstenite::Connector::Rustls(Arc::new(config));

        let (ws_stream, _) =
-            tokio_tungstenite::connect_async_tls_with_config(ws_url, None, false, Some(connector))
+            tokio_tungstenite::connect_async_tls_with_config(ws_url, None, Some(connector))
                .await
                .expect("Failed to connect to server relay!");

--- a/src/tcp_relay_server/mod.rs
+++ b/src/tcp_relay_server/mod.rs
@ -121,7 +121,7 @@ pub async fn run_app(mut config: ServerConfig) -> std::io::Result<()> {
    });

    if let Some(tls_conf) = tls_config {
-        server.bind_rustls_021(&args.listen_address, tls_conf)?
+        server.bind_rustls(&args.listen_address, tls_conf)?
    } else {
        server.bind(&args.listen_address)?
    }
--- a/src/tcp_relay_server/tls_cert_client_verifier.rs
+++ b/src/tcp_relay_server/tls_cert_client_verifier.rs
@ -1,8 +1,9 @@
 use std::sync::Arc;
 use std::time::SystemTime;

+use rustls::internal::msgs::enums::AlertDescription;
 use rustls::server::{AllowAnyAuthenticatedClient, ClientCertVerified, ClientCertVerifier};
-use rustls::{AlertDescription, Certificate, DistinguishedName, Error, RootCertStore};
+use rustls::{Certificate, DistinguishedNames, Error, RootCertStore};
 use x509_parser::prelude::{CertificateRevocationList, FromDer, X509Certificate};

 use crate::base::cert_utils::parse_pem_certificates;
@ -60,7 +61,7 @@ impl CustomCertClientVerifier {
        };

        Ok(Self {
-            upstream_cert_verifier: Box::new(Arc::new(AllowAnyAuthenticatedClient::new(store))),
+            upstream_cert_verifier: Box::new(AllowAnyAuthenticatedClient::new(store)),
            crl,
        })
    }
@ -71,12 +72,12 @@ impl ClientCertVerifier for CustomCertClientVerifier {
        true
    }

-    fn client_auth_mandatory(&self) -> bool {
-        true
+    fn client_auth_mandatory(&self) -> Option<bool> {
+        Some(true)
    }

-    fn client_auth_root_subjects(&self) -> &[DistinguishedName] {
-        &[]
+    fn client_auth_root_subjects(&self) -> Option<DistinguishedNames> {
+        Some(vec![])
    }

    fn verify_client_cert(