diff --git a/Cargo.lock b/Cargo.lock index e6eb3460a..c9eb80f47 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -971,7 +971,7 @@ dependencies = [ "http", "hyper", "log 0.4.20", - "rustls", + "rustls 0.21.10", "tokio", "tokio-rustls", "webpki-roots", @@ -1684,19 +1684,40 @@ checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba" dependencies = [ "log 0.4.20", "ring", - "rustls-webpki", + "rustls-webpki 0.101.7", "sct", ] +[[package]] +name = "rustls" +version = "0.22.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fe6b63262c9fcac8659abfaa96cac103d28166d3ff3eaf8f412e19f3ae9e5a48" +dependencies = [ + "log 0.4.20", + "ring", + "rustls-pki-types", + "rustls-webpki 0.102.0", + "subtle", + "zeroize", +] + [[package]] name = "rustls-pemfile" -version = "1.0.4" +version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c" +checksum = "35e4980fa29e4c4b212ffb3db068a564cbf560e51d3944b7c88bd8bf5bec64f4" dependencies = [ "base64", + "rustls-pki-types", ] +[[package]] +name = "rustls-pki-types" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e7673e0aa20ee4937c6aacfc12bb8341cfbf054cdd21df6bec5fd0629fe9339b" + [[package]] name = "rustls-webpki" version = "0.101.7" @@ -1707,6 +1728,17 @@ dependencies = [ "untrusted", ] +[[package]] +name = "rustls-webpki" +version = "0.102.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "de2635c8bc2b88d367767c5de8ea1d8db9af3f6219eba28442242d9ab81d1b89" +dependencies = [ + "ring", + "rustls-pki-types", + "untrusted", +] + [[package]] name = "rustversion" version = "1.0.14" @@ -1949,7 +1981,7 @@ dependencies = [ "hyper-rustls", "libc", "mio", - "rustls", + "rustls 0.21.10", "sozu-command-lib", "sozu-lib", "time", @@ -1976,7 +2008,7 @@ dependencies = [ "quickcheck", "rand", "regex", - "rustls", + "rustls 0.22.1", "rustls-pemfile", "rusty_ulid", "serial_test", @@ -2001,6 +2033,12 @@ version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" +[[package]] +name = "subtle" +version = "2.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc" + [[package]] name = "syn" version = "1.0.109" @@ -2168,7 +2206,7 @@ version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ - "rustls", + "rustls 0.21.10", "tokio", ] @@ -2518,3 +2556,9 @@ dependencies = [ "thiserror", "time", ] + +[[package]] +name = "zeroize" +version = "1.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d" diff --git a/lib/Cargo.toml b/lib/Cargo.toml index c82e12cdd..4aa94e312 100644 --- a/lib/Cargo.toml +++ b/lib/Cargo.toml @@ -43,8 +43,8 @@ nom = { version = "^7.1.3", default-features = true, features = ["std"] } poule = "^0.3.2" rand = "^0.8.5" regex = "^1.10.0" -rustls = "^0.21.10" -rustls-pemfile = "^1.0.4" +rustls = "^0.22.1" +rustls-pemfile = "^2.0.0" rusty_ulid = "^2.0.0" sha2 = "^0.10.8" slab = "^0.4.9" diff --git a/lib/src/https.rs b/lib/src/https.rs index 725f7162c..57ab9d312 100644 --- a/lib/src/https.rs +++ b/lib/src/https.rs @@ -16,11 +16,18 @@ use mio::{ Interest, Poll, Registry, Token, }; use rustls::{ - cipher_suite::{ - TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256, - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + crypto::{ + ring::{ + self, + cipher_suite::{ + TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + }, + }, + CryptoProvider, }, CipherSuite, ProtocolVersion, ServerConfig, ServerConnection, SupportedCipherSuite, }; @@ -757,9 +764,12 @@ impl HttpsListener { }) .collect::>(); - let mut server_config = ServerConfig::builder() - .with_cipher_suites(&ciphers[..]) - .with_safe_default_kx_groups() + let provider = CryptoProvider { + cipher_suites: ciphers, + ..ring::default_provider() + }; + + let mut server_config = ServerConfig::builder_with_provider(provider.into()) .with_protocol_versions(&versions[..]) .map_err(|err| ListenerError::BuildRustls(err.to_string()))? .with_no_client_auth() @@ -1650,14 +1660,12 @@ mod tests { .expect("test address 127.0.0.1:1032 should be parsed"); let resolver = Arc::new(MutexWrappedCertificateResolver::default()); - let server_config = ServerConfig::builder() - .with_safe_default_cipher_suites() - .with_safe_default_kx_groups() - .with_protocol_versions(&[&rustls::version::TLS12, &rustls::version::TLS13]) - .map_err(|err| ListenerError::BuildRustls(err.to_string())) - .expect("could not create Rustls server config") - .with_no_client_auth() - .with_cert_resolver(resolver.clone()); + let server_config = ServerConfig::builder_with_protocol_versions(&[ + &rustls::version::TLS12, + &rustls::version::TLS13, + ]) + .with_no_client_auth() + .with_cert_resolver(resolver.clone()); let rustls_details = Arc::new(server_config); diff --git a/lib/src/tls.rs b/lib/src/tls.rs index 57938b57a..e6055d01f 100644 --- a/lib/src/tls.rs +++ b/lib/src/tls.rs @@ -7,6 +7,7 @@ use std::{ borrow::ToOwned, collections::{HashMap, HashSet}, convert::From, + fmt::Debug, io::BufReader, str::FromStr, sync::{Arc, Mutex}, @@ -14,9 +15,10 @@ use std::{ use once_cell::sync::Lazy; use rustls::{ + crypto::ring::sign::any_supported_type, + pki_types::{CertificateDer, PrivateKeyDer}, server::{ClientHello, ResolvesServerCert}, sign::CertifiedKey, - Certificate, PrivateKey, }; use sha2::{Digest, Sha256}; use sozu_command::{ @@ -118,7 +120,7 @@ pub struct CertifiedKeyWrapper { impl CertifiedKeyWrapper { /// bytes of the pem formatted certificate, first of the chain fn pem_bytes(&self) -> &[u8] { - &self.inner.cert[0].0 + self.inner.cert[0].as_ref() } } @@ -288,11 +290,11 @@ impl CertificateResolver { let certificate_pem = sozu_command::certificate::parse_pem(certificate_and_key.certificate.as_bytes())?; - let mut chain = vec![Certificate(certificate_pem.contents)]; + let mut chain = vec![CertificateDer::from(certificate_pem.contents)]; for cert in &certificate_and_key.certificate_chain { let chain_link = parse_pem(cert.as_bytes())?.contents; - chain.push(Certificate(chain_link)); + chain.push(CertificateDer::from(chain_link)); } let mut key_reader = BufReader::new(certificate_and_key.key.as_bytes()); @@ -305,12 +307,12 @@ impl CertificateResolver { }; let private_key = match item { - rustls_pemfile::Item::RSAKey(rsa_key) => PrivateKey(rsa_key), - rustls_pemfile::Item::PKCS8Key(pkcs8_key) => PrivateKey(pkcs8_key), - rustls_pemfile::Item::ECKey(ec_key) => PrivateKey(ec_key), + rustls_pemfile::Item::Pkcs1Key(rsa_key) => PrivateKeyDer::from(rsa_key), + rustls_pemfile::Item::Pkcs8Key(pkcs8_key) => PrivateKeyDer::from(pkcs8_key), + rustls_pemfile::Item::Sec1Key(ec_key) => PrivateKeyDer::from(ec_key), _ => return Err(CertificateResolverError::EmptyKeys), }; - match rustls::sign::any_supported_type(&private_key) { + match any_supported_type(&private_key) { Ok(signing_key) => { let stored_certificate = CertifiedKeyWrapper { inner: Arc::new(CertifiedKey::new(chain, signing_key)), @@ -466,6 +468,12 @@ impl ResolvesServerCert for MutexWrappedCertificateResolver { } } +impl Debug for MutexWrappedCertificateResolver { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + f.write_str("MutexWrappedCertificateResolver") + } +} + // ----------------------------------------------------------------------------- // Unit tests