Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rustls: upgrade TLS stack (WORK IN PROGRESS) #2139

Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -112,18 +112,18 @@ pin-project-lite = "0.2.0"
ipnet = "2.3"

# Optional deps...
rustls-pemfile = { version = "1.0", optional = true }
rustls-pemfile = { version = "2.0", optional = true }

## default-tls
hyper-tls = { version = "0.5", optional = true }
native-tls-crate = { version = "0.2.10", optional = true, package = "native-tls" }
tokio-native-tls = { version = "0.3.0", optional = true }

# rustls-tls
hyper-rustls = { version = "0.24.0", default-features = false, optional = true }
rustls = { version = "0.21.6", features = ["dangerous_configuration"], optional = true }
tokio-rustls = { version = "0.24", optional = true }
webpki-roots = { version = "0.25", optional = true }
hyper-rustls = { version = "0.26.0", default-features = false, optional = true }
rustls = { version = "0.22.2", optional = true }
tokio-rustls = { version = "0.25", optional = true }
webpki-roots = { version = "0.26", optional = true }
rustls-native-certs = { version = "0.6", optional = true }

## cookies
Expand Down
34 changes: 10 additions & 24 deletions src/async_impl/client.rs
Original file line number Diff line number Diff line change
Expand Up @@ -464,18 +464,9 @@ impl ClientBuilder {

#[cfg(feature = "rustls-tls-webpki-roots")]
if config.tls_built_in_root_certs {
use rustls::OwnedTrustAnchor;

let trust_anchors =
webpki_roots::TLS_SERVER_ROOTS.iter().map(|trust_anchor| {
OwnedTrustAnchor::from_subject_spki_name_constraints(
trust_anchor.subject,
trust_anchor.spki,
trust_anchor.name_constraints,
)
});

root_cert_store.add_trust_anchors(trust_anchors);
root_cert_store
.roots
.extend_from_slice(webpki_roots::TLS_SERVER_ROOTS);
}

#[cfg(feature = "rustls-tls-native-roots")]
Expand Down Expand Up @@ -530,12 +521,13 @@ impl ClientBuilder {
}

// Build TLS config
let config_builder = rustls::ClientConfig::builder()
.with_safe_default_cipher_suites()
.with_safe_default_kx_groups()
.with_protocol_versions(&versions)
.map_err(crate::error::builder)?
.with_root_certificates(root_cert_store);
let config_builder = if config.certs_verification {
rustls::ClientConfig::builder().with_root_certificates(root_cert_store)
} else {
rustls::ClientConfig::builder()
.dangerous()
.with_custom_certificate_verifier(Arc::new(NoVerifier))
};

// Finalize TLS config
let mut tls = if let Some(id) = config.identity {
Expand All @@ -544,12 +536,6 @@ impl ClientBuilder {
config_builder.with_no_client_auth()
};

// Certificate verifier
if !config.certs_verification {
tls.dangerous()
.set_certificate_verifier(Arc::new(NoVerifier));
}

tls.enable_sni = config.tls_sni;

// ALPN protocol
Expand Down
3 changes: 1 addition & 2 deletions src/connect.rs
Original file line number Diff line number Diff line change
Expand Up @@ -366,8 +366,7 @@ impl Connector {
tls_proxy,
} => {
if dst.scheme() == Some(&Scheme::HTTPS) {
use rustls::ServerName;
use std::convert::TryFrom;
use rustls::pki_types::ServerName;
use tokio_rustls::TlsConnector as RustlsConnector;

let host = dst.host().ok_or("no host in url")?.to_string();
Expand Down
67 changes: 43 additions & 24 deletions src/tls.rs
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,11 @@

#[cfg(feature = "__rustls")]
use rustls::{
client::HandshakeSignatureValid, client::ServerCertVerified, client::ServerCertVerifier,
DigitallySignedStruct, Error as TLSError, ServerName,
client::danger::HandshakeSignatureValid,
client::danger::ServerCertVerified,
client::danger::ServerCertVerifier,
pki_types::{ServerName, UnixTime},
DigitallySignedStruct, Error as TLSError, SignatureScheme,
};
use std::{
fmt,
Expand All @@ -71,22 +74,20 @@ enum Cert {
}

/// Represents a private key and X509 cert as a client certificate.
#[derive(Clone)]
pub struct Identity {
#[cfg_attr(not(any(feature = "native-tls", feature = "__rustls")), allow(unused))]
inner: ClientCert,
}

#[derive(Clone)]
enum ClientCert {
#[cfg(feature = "native-tls")]
Pkcs12(native_tls_crate::Identity),
#[cfg(feature = "native-tls")]
Pkcs8(native_tls_crate::Identity),
#[cfg(feature = "__rustls")]
Pem {
key: rustls::PrivateKey,
certs: Vec<rustls::Certificate>,
key: rustls::pki_types::PrivateKeyDer<'static>,
certs: Vec<rustls::pki_types::CertificateDer<'static>>,
},
}

Expand Down Expand Up @@ -181,14 +182,14 @@ impl Certificate {

match self.original {
Cert::Der(buf) => root_cert_store
.add(&rustls::Certificate(buf))
.add(rustls::pki_types::CertificateDer::from(buf))
.map_err(crate::error::builder)?,
Cert::Pem(buf) => {
let mut reader = Cursor::new(buf);
let certs = Self::read_pem_certs(&mut reader)?;
for c in certs {
root_cert_store
.add(&rustls::Certificate(c))
.add(rustls::pki_types::CertificateDer::from(c))
.map_err(crate::error::builder)?;
}
}
Expand All @@ -198,6 +199,8 @@ impl Certificate {

fn read_pem_certs(reader: &mut impl BufRead) -> crate::Result<Vec<Vec<u8>>> {
rustls_pemfile::certs(reader)
.map(|c| c.map(|c| c.to_vec()))
.collect::<Result<_, _>>()
.map_err(|_| crate::error::builder("invalid certificate encoding"))
}
}
Expand Down Expand Up @@ -308,21 +311,19 @@ impl Identity {

let (key, certs) = {
let mut pem = Cursor::new(buf);
let mut sk = Vec::<rustls::PrivateKey>::new();
let mut certs = Vec::<rustls::Certificate>::new();
let mut sk = Vec::<rustls::pki_types::PrivateKeyDer>::new();
let mut certs = Vec::<rustls::pki_types::CertificateDer>::new();

for item in std::iter::from_fn(|| rustls_pemfile::read_one(&mut pem).transpose()) {
match item.map_err(|_| {
crate::error::builder(TLSError::General(String::from(
"Invalid identity PEM file",
)))
})? {
rustls_pemfile::Item::X509Certificate(cert) => {
certs.push(rustls::Certificate(cert))
}
rustls_pemfile::Item::PKCS8Key(key) => sk.push(rustls::PrivateKey(key)),
rustls_pemfile::Item::RSAKey(key) => sk.push(rustls::PrivateKey(key)),
rustls_pemfile::Item::ECKey(key) => sk.push(rustls::PrivateKey(key)),
rustls_pemfile::Item::X509Certificate(cert) => certs.push(cert),
rustls_pemfile::Item::Pkcs1Key(key) => sk.push(key.into()),
rustls_pemfile::Item::Pkcs8Key(key) => sk.push(key.into()),
rustls_pemfile::Item::Sec1Key(key) => sk.push(key.into()),
_ => {
return Err(crate::error::builder(TLSError::General(String::from(
"No valid certificate was found",
Expand Down Expand Up @@ -365,7 +366,7 @@ impl Identity {
self,
config_builder: rustls::ConfigBuilder<
rustls::ClientConfig,
rustls::client::WantsTransparencyPolicyOrClientCert,
rustls::client::WantsClientCert,
>,
) -> crate::Result<rustls::ClientConfig> {
match self.inner {
Expand Down Expand Up @@ -491,26 +492,26 @@ impl Default for TlsBackend {
}

#[cfg(feature = "__rustls")]
#[derive(Debug)]
pub(crate) struct NoVerifier;

#[cfg(feature = "__rustls")]
impl ServerCertVerifier for NoVerifier {
fn verify_server_cert(
&self,
_end_entity: &rustls::Certificate,
_intermediates: &[rustls::Certificate],
_server_name: &ServerName,
_scts: &mut dyn Iterator<Item = &[u8]>,
_end_entity: &rustls::pki_types::CertificateDer<'_>,
_intermediates: &[rustls::pki_types::CertificateDer<'_>],
_server_name: &ServerName<'_>,
_ocsp_response: &[u8],
_now: std::time::SystemTime,
_now: UnixTime,
) -> Result<ServerCertVerified, TLSError> {
Ok(ServerCertVerified::assertion())
}

fn verify_tls12_signature(
&self,
_message: &[u8],
_cert: &rustls::Certificate,
_cert: &rustls::pki_types::CertificateDer,
_dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, TLSError> {
Ok(HandshakeSignatureValid::assertion())
Expand All @@ -519,11 +520,29 @@ impl ServerCertVerifier for NoVerifier {
fn verify_tls13_signature(
&self,
_message: &[u8],
_cert: &rustls::Certificate,
_cert: &rustls::pki_types::CertificateDer,
_dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, TLSError> {
Ok(HandshakeSignatureValid::assertion())
}

fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
vec![
SignatureScheme::ECDSA_NISTP256_SHA256,
SignatureScheme::ECDSA_NISTP384_SHA384,
SignatureScheme::ECDSA_NISTP521_SHA512,
SignatureScheme::ECDSA_SHA1_Legacy,
SignatureScheme::ED25519,
SignatureScheme::ED448,
SignatureScheme::RSA_PKCS1_SHA1,
SignatureScheme::RSA_PKCS1_SHA256,
SignatureScheme::RSA_PKCS1_SHA384,
SignatureScheme::RSA_PKCS1_SHA512,
SignatureScheme::RSA_PSS_SHA256,
SignatureScheme::RSA_PSS_SHA384,
SignatureScheme::RSA_PSS_SHA512,
]
}
}

/// Hyper extension carrying extra TLS layer information.
Expand Down
Loading