Merge pull request #1056 from sozu-proxy/update-rustls-to-0.22

update rustls to 0.22.1

lib/Cargo.toml

@@ -43,8 +43,8 @@ nom = { version = "^7.1.3", default-features = true, features = ["std"] }
 poule = "^0.3.2"
 rand = "^0.8.5"
 regex = "^1.10.0"
-rustls = "^0.21.10"
-rustls-pemfile = "^1.0.4"
+rustls = "^0.22.1"
+rustls-pemfile = "^2.0.0"
 rusty_ulid = "^2.0.0"
 sha2 = "^0.10.8"
 slab = "^0.4.9"

lib/src/https.rs

@@ -16,11 +16,18 @@ use mio::{
     Interest, Poll, Registry, Token,
 };
 use rustls::{
-    cipher_suite::{
-        TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
-        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+    crypto::{
+        ring::{
+            self,
+            cipher_suite::{
+                TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
+                TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+                TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+                TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+            },
+        },
+        CryptoProvider,
     },
     CipherSuite, ProtocolVersion, ServerConfig, ServerConnection, SupportedCipherSuite,
 };
@@ -757,9 +764,12 @@ impl HttpsListener {
             })
             .collect::<Vec<_>>();
 
-        let mut server_config = ServerConfig::builder()
-            .with_cipher_suites(&ciphers[..])
-            .with_safe_default_kx_groups()
+        let provider = CryptoProvider {
+            cipher_suites: ciphers,
+            ..ring::default_provider()
+        };
+
+        let mut server_config = ServerConfig::builder_with_provider(provider.into())
             .with_protocol_versions(&versions[..])
             .map_err(|err| ListenerError::BuildRustls(err.to_string()))?
             .with_no_client_auth()
@@ -1650,14 +1660,12 @@ mod tests {
             .expect("test address 127.0.0.1:1032 should be parsed");
         let resolver = Arc::new(MutexWrappedCertificateResolver::default());
 
-        let server_config = ServerConfig::builder()
-            .with_safe_default_cipher_suites()
-            .with_safe_default_kx_groups()
-            .with_protocol_versions(&[&rustls::version::TLS12, &rustls::version::TLS13])
-            .map_err(|err| ListenerError::BuildRustls(err.to_string()))
-            .expect("could not create Rustls server config")
-            .with_no_client_auth()
-            .with_cert_resolver(resolver.clone());
+        let server_config = ServerConfig::builder_with_protocol_versions(&[
+            &rustls::version::TLS12,
+            &rustls::version::TLS13,
+        ])
+        .with_no_client_auth()
+        .with_cert_resolver(resolver.clone());
 
         let rustls_details = Arc::new(server_config);
 

lib/src/tls.rs

@@ -7,16 +7,18 @@ use std::{
     borrow::ToOwned,
     collections::{HashMap, HashSet},
     convert::From,
+    fmt::Debug,
     io::BufReader,
     str::FromStr,
     sync::{Arc, Mutex},
 };
 
 use once_cell::sync::Lazy;
 use rustls::{
+    crypto::ring::sign::any_supported_type,
+    pki_types::{CertificateDer, PrivateKeyDer},
     server::{ClientHello, ResolvesServerCert},
     sign::CertifiedKey,
-    Certificate, PrivateKey,
 };
 use sha2::{Digest, Sha256};
 use sozu_command::{
@@ -118,7 +120,7 @@ pub struct CertifiedKeyWrapper {
 impl CertifiedKeyWrapper {
     /// bytes of the pem formatted certificate, first of the chain
     fn pem_bytes(&self) -> &[u8] {
-        &self.inner.cert[0].0
+        self.inner.cert[0].as_ref()
     }
 }
 
@@ -288,11 +290,11 @@ impl CertificateResolver {
         let certificate_pem =
             sozu_command::certificate::parse_pem(certificate_and_key.certificate.as_bytes())?;
 
-        let mut chain = vec![Certificate(certificate_pem.contents)];
+        let mut chain = vec![CertificateDer::from(certificate_pem.contents)];
         for cert in &certificate_and_key.certificate_chain {
             let chain_link = parse_pem(cert.as_bytes())?.contents;
 
-            chain.push(Certificate(chain_link));
+            chain.push(CertificateDer::from(chain_link));
         }
 
         let mut key_reader = BufReader::new(certificate_and_key.key.as_bytes());
@@ -305,12 +307,12 @@ impl CertificateResolver {
         };
 
         let private_key = match item {
-            rustls_pemfile::Item::RSAKey(rsa_key) => PrivateKey(rsa_key),
-            rustls_pemfile::Item::PKCS8Key(pkcs8_key) => PrivateKey(pkcs8_key),
-            rustls_pemfile::Item::ECKey(ec_key) => PrivateKey(ec_key),
+            rustls_pemfile::Item::Pkcs1Key(rsa_key) => PrivateKeyDer::from(rsa_key),
+            rustls_pemfile::Item::Pkcs8Key(pkcs8_key) => PrivateKeyDer::from(pkcs8_key),
+            rustls_pemfile::Item::Sec1Key(ec_key) => PrivateKeyDer::from(ec_key),
             _ => return Err(CertificateResolverError::EmptyKeys),
         };
-        match rustls::sign::any_supported_type(&private_key) {
+        match any_supported_type(&private_key) {
             Ok(signing_key) => {
                 let stored_certificate = CertifiedKeyWrapper {
                     inner: Arc::new(CertifiedKey::new(chain, signing_key)),
@@ -466,6 +468,12 @@ impl ResolvesServerCert for MutexWrappedCertificateResolver {
     }
 }
 
+impl Debug for MutexWrappedCertificateResolver {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str("MutexWrappedCertificateResolver")
+    }
+}
+
 // -----------------------------------------------------------------------------
 // Unit tests