update rustls to version 0.22

ShadowsocksR-Live · Dec 10, 2023 · 0506980 · 0506980
1 parent 74140d4
commit 0506980
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 45 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -29,19 +29,19 @@ reqwest = { version = "0.11", default-features = false, features = [
     "rustls-tls",
     "json",
 ] }
-rustls = { version = "0.21", features = ["dangerous_configuration"] }
-rustls-pemfile = "1.0"
+rustls = { version = "0.22" }
+rustls-pemfile = "2.0"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 socks5-impl = "0.5"
 thiserror = "1.0"
 tokio = { version = "1.35", features = ["full"] }
-tokio-rustls = "0.24"
+tokio-rustls = "0.25"
 tokio-tungstenite = { version = "0.21", features = ["rustls-tls-webpki-roots"] }
 trust-dns-proto = "0.23"
 tungstenite = { version = "0.21", features = ["rustls-tls-webpki-roots"] }
 url = "2.5"
-webpki = { package = "rustls-webpki", version = "0.101", features = [
+webpki = { package = "rustls-webpki", version = "0.102", features = [
     "alloc",
     "std",
 ] }

diff --git a/src/error.rs b/src/error.rs
@@ -36,8 +36,8 @@ pub enum Error {
     #[error("rustls::error::Error {0}")]
     Rustls(#[from] rustls::Error),
 
-    #[error("tokio_rustls::rustls::client::InvalidDnsNameError {0}")]
-    InvalidDnsName(#[from] tokio_rustls::rustls::client::InvalidDnsNameError),
+    #[error("rustls::pki_types::InvalidDnsNameError {0}")]
+    InvalidDnsName(#[from] rustls::pki_types::InvalidDnsNameError),
 
     #[error("httparse::Error {0}")]
     Httparse(#[from] httparse::Error),

diff --git a/src/server.rs b/src/server.rs
@@ -64,12 +64,11 @@ pub async fn run_server(config: &Config, exiting_flag: Option<Arc<AtomicBool>>)
         }
     });
 
-    let svr_cfg = if let (Some(certs), Some(keys)) = (certs, keys) {
-        let key = keys.get(0).ok_or("no keys")?.clone();
+    let svr_cfg = if let (Some(certs), Some(mut keys)) = (certs, keys) {
+        let _key = keys.get(0).ok_or("no keys")?;
         rustls::ServerConfig::builder()
-            .with_safe_defaults()
             .with_no_client_auth()
-            .with_single_cert(certs, key)
+            .with_single_cert(certs, keys.remove(0))
             .ok()
     } else {
         None

diff --git a/src/tls.rs b/src/tls.rs
@@ -1,4 +1,9 @@
 use crate::error::Result;
+use rustls::{
+    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
+    pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime},
+    RootCertStore,
+};
 use std::{
     fs::File,
     io::BufReader,
@@ -7,53 +12,61 @@ use std::{
     sync::Arc,
 };
 use tokio::net::TcpStream;
-use tokio_rustls::{
-    client::TlsStream,
-    rustls::{self, Certificate, OwnedTrustAnchor, PrivateKey, RootCertStore},
-    TlsConnector,
-};
+use tokio_rustls::{client::TlsStream, TlsConnector};
 
 pub(crate) fn retrieve_root_cert_store_for_client(cafile: &Option<PathBuf>) -> Result<RootCertStore> {
     let mut root_cert_store = rustls::RootCertStore::empty();
     let mut done = false;
     if let Some(cafile) = cafile {
         if cafile.exists() {
             let mut pem = BufReader::new(File::open(cafile)?);
-            let certs = rustls_pemfile::certs(&mut pem)?;
-            let trust_anchors = certs.iter().map(|cert| {
-                if let Ok(ta) = webpki::TrustAnchor::try_from_cert_der(&cert[..]) {
-                    OwnedTrustAnchor::from_subject_spki_name_constraints(ta.subject, ta.spki, ta.name_constraints)
-                } else {
-                    OwnedTrustAnchor::from_subject_spki_name_constraints(vec![], vec![], Some(vec![]))
-                }
-            });
-            root_cert_store.add_trust_anchors(trust_anchors);
+            for cert in rustls_pemfile::certs(&mut pem) {
+                root_cert_store.add(cert?)?;
+            }
             done = true;
         }
     }
     if !done {
-        root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
-            let name_constraints = ta.name_constraints.clone().map(|nc| nc.as_ref().to_vec());
-            OwnedTrustAnchor::from_subject_spki_name_constraints(ta.subject.as_ref(), ta.subject_public_key_info.as_ref(), name_constraints)
-        }));
+        root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
     }
     Ok(root_cert_store)
 }
 
 #[derive(Debug)]
 pub struct NoCertificateVerification {}
 
-impl rustls::client::ServerCertVerifier for NoCertificateVerification {
+impl ServerCertVerifier for NoCertificateVerification {
     fn verify_server_cert(
         &self,
-        _end_entity: &rustls::Certificate,
-        _intermediates: &[rustls::Certificate],
-        _server_name: &rustls::ServerName,
-        _scts: &mut dyn Iterator<Item = &[u8]>,
-        _ocsp: &[u8],
-        _now: std::time::SystemTime,
-    ) -> Result<rustls::client::ServerCertVerified, rustls::Error> {
-        Ok(rustls::client::ServerCertVerified::assertion())
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _server_name: &ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: UnixTime,
+    ) -> Result<ServerCertVerified, rustls::Error> {
+        Ok(ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _ert: &webpki::types::CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, rustls::Error> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _ert: &webpki::types::CertificateDer<'_>,
+        _ss: &rustls::DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, rustls::Error> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+        vec![]
     }
 }
 
@@ -63,27 +76,32 @@ pub(crate) async fn create_tls_client_stream(
     domain: &str,
 ) -> Result<TlsStream<TcpStream>> {
     let mut config = rustls::ClientConfig::builder()
-        .with_safe_defaults()
         .with_root_certificates(root_cert_store)
         .with_no_client_auth();
     config.dangerous().set_certificate_verifier(Arc::new(NoCertificateVerification {}));
     let connector = TlsConnector::from(std::sync::Arc::new(config));
 
     let stream = crate::tcp_stream::create(addr).await?;
 
-    let domain = rustls::ServerName::try_from(domain)?;
+    let domain = ServerName::try_from(domain)?.to_owned();
 
     let stream = connector.connect(domain, stream).await?;
 
     Ok(stream)
 }
 
-pub(crate) fn server_load_certs(path: &Path) -> Result<Vec<Certificate>> {
-    let certs = rustls_pemfile::certs(&mut BufReader::new(File::open(path)?))?;
-    Ok(certs.into_iter().map(Certificate).collect())
+pub(crate) fn server_load_certs(path: &Path) -> Result<Vec<CertificateDer<'static>>> {
+    let mut res = vec![];
+    for cert in rustls_pemfile::certs(&mut BufReader::new(File::open(path)?)) {
+        res.push(cert?);
+    }
+    Ok(res)
 }
 
-pub(crate) fn server_load_keys(path: &Path) -> Result<Vec<PrivateKey>> {
-    let keys = rustls_pemfile::rsa_private_keys(&mut BufReader::new(File::open(path)?))?;
-    Ok(keys.into_iter().map(PrivateKey).collect())
+pub(crate) fn server_load_keys(path: &Path) -> Result<Vec<PrivateKeyDer<'static>>> {
+    let mut res = vec![];
+    for key in rustls_pemfile::rsa_private_keys(&mut BufReader::new(File::open(path)?)) {
+        res.push(PrivateKeyDer::from(key?));
+    }
+    Ok(res)
 }