update rustls to 0.22.1

lib/Cargo.toml

@@ -43,8 +43,8 @@ nom = { version = "^7.1.3", default-features = true, features = ["std"] }
 poule = "^0.3.2"
 rand = "^0.8.5"
 regex = "^1.10.0"
-rustls = "^0.21.10"
-rustls-pemfile = "^1.0.4"
+rustls = "^0.22.1"
+rustls-pemfile = "^2.0.0"
 rusty_ulid = "^2.0.0"
 sha2 = "^0.10.8"
 slab = "^0.4.9"

lib/src/https.rs

@@ -16,11 +16,18 @@ use mio::{
  Interest, Poll, Registry, Token,
 };
 use rustls::{
- cipher_suite::{
- TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ crypto::{
+ ring::{
+ self,
+ cipher_suite::{
+ TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ },
+ },
+ CryptoProvider,
  },
  CipherSuite, ProtocolVersion, ServerConfig, ServerConnection, SupportedCipherSuite,
 };
@@ -757,9 +764,12 @@ impl HttpsListener {
  })
  .collect::<Vec<_>>();
 
- let mut server_config = ServerConfig::builder()
- .with_cipher_suites(&ciphers[..])
- .with_safe_default_kx_groups()
+ let provider = CryptoProvider {
+ cipher_suites: ciphers,
+ ..ring::default_provider()
+ };
+
+ let mut server_config = ServerConfig::builder_with_provider(provider.into())
  .with_protocol_versions(&versions[..])
  .map_err(|err| ListenerError::BuildRustls(err.to_string()))?
  .with_no_client_auth()
@@ -1650,14 +1660,12 @@ mod tests {
  .expect("test address 127.0.0.1:1032 should be parsed");
  let resolver = Arc::new(MutexWrappedCertificateResolver::default());
 
- let server_config = ServerConfig::builder()
- .with_safe_default_cipher_suites()
- .with_safe_default_kx_groups()
- .with_protocol_versions(&[&rustls::version::TLS12, &rustls::version::TLS13])
- .map_err(|err| ListenerError::BuildRustls(err.to_string()))
- .expect("could not create Rustls server config")
- .with_no_client_auth()
- .with_cert_resolver(resolver.clone());
+ let server_config = ServerConfig::builder_with_protocol_versions(&[
+ &rustls::version::TLS12,
+ &rustls::version::TLS13,
+ ])
+ .with_no_client_auth()
+ .with_cert_resolver(resolver.clone());
 
  let rustls_details = Arc::new(server_config);
 

lib/src/tls.rs

@@ -7,16 +7,18 @@ use std::{
  borrow::ToOwned,
  collections::{HashMap, HashSet},
  convert::From,
+ fmt::Debug,
  io::BufReader,
  str::FromStr,
  sync::{Arc, Mutex},
 };
 
 use once_cell::sync::Lazy;
 use rustls::{
+ crypto::ring::sign::any_supported_type,
+ pki_types::{CertificateDer, PrivateKeyDer},
  server::{ClientHello, ResolvesServerCert},
  sign::CertifiedKey,
- Certificate, PrivateKey,
 };
 use sha2::{Digest, Sha256};
 use sozu_command::{
@@ -118,7 +120,7 @@ pub struct CertifiedKeyWrapper {
 impl CertifiedKeyWrapper {
  /// bytes of the pem formatted certificate, first of the chain
  fn pem_bytes(&self) -> &[u8] {
- &self.inner.cert[0].0
+ self.inner.cert[0].as_ref()
  }
 }
 
@@ -288,11 +290,11 @@ impl CertificateResolver {
  let certificate_pem =
  sozu_command::certificate::parse_pem(certificate_and_key.certificate.as_bytes())?;
 
- let mut chain = vec![Certificate(certificate_pem.contents)];
+ let mut chain = vec![CertificateDer::from(certificate_pem.contents)];
  for cert in &certificate_and_key.certificate_chain {
  let chain_link = parse_pem(cert.as_bytes())?.contents;
 
- chain.push(Certificate(chain_link));
+ chain.push(CertificateDer::from(chain_link));
  }
 
  let mut key_reader = BufReader::new(certificate_and_key.key.as_bytes());
@@ -305,12 +307,12 @@ impl CertificateResolver {
  };
 
  let private_key = match item {
- rustls_pemfile::Item::RSAKey(rsa_key) => PrivateKey(rsa_key),
- rustls_pemfile::Item::PKCS8Key(pkcs8_key) => PrivateKey(pkcs8_key),
- rustls_pemfile::Item::ECKey(ec_key) => PrivateKey(ec_key),
+ rustls_pemfile::Item::Pkcs1Key(rsa_key) => PrivateKeyDer::from(rsa_key),
+ rustls_pemfile::Item::Pkcs8Key(pkcs8_key) => PrivateKeyDer::from(pkcs8_key),
+ rustls_pemfile::Item::Sec1Key(ec_key) => PrivateKeyDer::from(ec_key),
  _ => return Err(CertificateResolverError::EmptyKeys),
  };
- match rustls::sign::any_supported_type(&private_key) {
+ match any_supported_type(&private_key) {
  Ok(signing_key) => {
  let stored_certificate = CertifiedKeyWrapper {
  inner: Arc::new(CertifiedKey::new(chain, signing_key)),
@@ -466,6 +468,12 @@ impl ResolvesServerCert for MutexWrappedCertificateResolver {
  }
 }
 
+impl Debug for MutexWrappedCertificateResolver {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ f.write_str("MutexWrappedCertificateResolver")
+ }
+}
+
 // -----------------------------------------------------------------------------
 // Unit tests