From 23d81715d0e19b09ef035b46d441cbc59f96382d Mon Sep 17 00:00:00 2001
From: Emmanuel Bosquet <bjokac@gmail.com>
Date: Thu, 14 Dec 2023 15:51:55 +0100
Subject: [PATCH] update rustls to 0.22.1

---
 Cargo.lock       | 58 ++++++++++++++++++++++++++++++++++++++++++------
 lib/Cargo.toml   |  4 ++--
 lib/src/https.rs | 40 ++++++++++++++++++++-------------
 lib/src/tls.rs   | 24 +++++++++++++-------
 4 files changed, 93 insertions(+), 33 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index e6eb3460a..c9eb80f47 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -971,7 +971,7 @@ dependencies = [
  "http",
  "hyper",
  "log 0.4.20",
- "rustls",
+ "rustls 0.21.10",
  "tokio",
  "tokio-rustls",
  "webpki-roots",
@@ -1684,19 +1684,40 @@ checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba"
 dependencies = [
  "log 0.4.20",
  "ring",
- "rustls-webpki",
+ "rustls-webpki 0.101.7",
  "sct",
 ]
 
+[[package]]
+name = "rustls"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fe6b63262c9fcac8659abfaa96cac103d28166d3ff3eaf8f412e19f3ae9e5a48"
+dependencies = [
+ "log 0.4.20",
+ "ring",
+ "rustls-pki-types",
+ "rustls-webpki 0.102.0",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "rustls-pemfile"
-version = "1.0.4"
+version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c"
+checksum = "35e4980fa29e4c4b212ffb3db068a564cbf560e51d3944b7c88bd8bf5bec64f4"
 dependencies = [
  "base64",
+ "rustls-pki-types",
 ]
 
+[[package]]
+name = "rustls-pki-types"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e7673e0aa20ee4937c6aacfc12bb8341cfbf054cdd21df6bec5fd0629fe9339b"
+
 [[package]]
 name = "rustls-webpki"
 version = "0.101.7"
@@ -1707,6 +1728,17 @@ dependencies = [
  "untrusted",
 ]
 
+[[package]]
+name = "rustls-webpki"
+version = "0.102.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "de2635c8bc2b88d367767c5de8ea1d8db9af3f6219eba28442242d9ab81d1b89"
+dependencies = [
+ "ring",
+ "rustls-pki-types",
+ "untrusted",
+]
+
 [[package]]
 name = "rustversion"
 version = "1.0.14"
@@ -1949,7 +1981,7 @@ dependencies = [
  "hyper-rustls",
  "libc",
  "mio",
- "rustls",
+ "rustls 0.21.10",
  "sozu-command-lib",
  "sozu-lib",
  "time",
@@ -1976,7 +2008,7 @@ dependencies = [
  "quickcheck",
  "rand",
  "regex",
- "rustls",
+ "rustls 0.22.1",
  "rustls-pemfile",
  "rusty_ulid",
  "serial_test",
@@ -2001,6 +2033,12 @@ version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
 
+[[package]]
+name = "subtle"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc"
+
 [[package]]
 name = "syn"
 version = "1.0.109"
@@ -2168,7 +2206,7 @@ version = "0.24.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081"
 dependencies = [
- "rustls",
+ "rustls 0.21.10",
  "tokio",
 ]
 
@@ -2518,3 +2556,9 @@ dependencies = [
  "thiserror",
  "time",
 ]
+
+[[package]]
+name = "zeroize"
+version = "1.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d"
diff --git a/lib/Cargo.toml b/lib/Cargo.toml
index c82e12cdd..4aa94e312 100644
--- a/lib/Cargo.toml
+++ b/lib/Cargo.toml
@@ -43,8 +43,8 @@ nom = { version = "^7.1.3", default-features = true, features = ["std"] }
 poule = "^0.3.2"
 rand = "^0.8.5"
 regex = "^1.10.0"
-rustls = "^0.21.10"
-rustls-pemfile = "^1.0.4"
+rustls = "^0.22.1"
+rustls-pemfile = "^2.0.0"
 rusty_ulid = "^2.0.0"
 sha2 = "^0.10.8"
 slab = "^0.4.9"
diff --git a/lib/src/https.rs b/lib/src/https.rs
index 725f7162c..57ab9d312 100644
--- a/lib/src/https.rs
+++ b/lib/src/https.rs
@@ -16,11 +16,18 @@ use mio::{
     Interest, Poll, Registry, Token,
 };
 use rustls::{
-    cipher_suite::{
-        TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
-        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+    crypto::{
+        ring::{
+            self,
+            cipher_suite::{
+                TLS13_AES_128_GCM_SHA256, TLS13_AES_256_GCM_SHA384, TLS13_CHACHA20_POLY1305_SHA256,
+                TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+                TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+                TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+            },
+        },
+        CryptoProvider,
     },
     CipherSuite, ProtocolVersion, ServerConfig, ServerConnection, SupportedCipherSuite,
 };
@@ -757,9 +764,12 @@ impl HttpsListener {
             })
             .collect::<Vec<_>>();
 
-        let mut server_config = ServerConfig::builder()
-            .with_cipher_suites(&ciphers[..])
-            .with_safe_default_kx_groups()
+        let provider = CryptoProvider {
+            cipher_suites: ciphers,
+            ..ring::default_provider()
+        };
+
+        let mut server_config = ServerConfig::builder_with_provider(provider.into())
             .with_protocol_versions(&versions[..])
             .map_err(|err| ListenerError::BuildRustls(err.to_string()))?
             .with_no_client_auth()
@@ -1650,14 +1660,12 @@ mod tests {
             .expect("test address 127.0.0.1:1032 should be parsed");
         let resolver = Arc::new(MutexWrappedCertificateResolver::default());
 
-        let server_config = ServerConfig::builder()
-            .with_safe_default_cipher_suites()
-            .with_safe_default_kx_groups()
-            .with_protocol_versions(&[&rustls::version::TLS12, &rustls::version::TLS13])
-            .map_err(|err| ListenerError::BuildRustls(err.to_string()))
-            .expect("could not create Rustls server config")
-            .with_no_client_auth()
-            .with_cert_resolver(resolver.clone());
+        let server_config = ServerConfig::builder_with_protocol_versions(&[
+            &rustls::version::TLS12,
+            &rustls::version::TLS13,
+        ])
+        .with_no_client_auth()
+        .with_cert_resolver(resolver.clone());
 
         let rustls_details = Arc::new(server_config);
 
diff --git a/lib/src/tls.rs b/lib/src/tls.rs
index 57938b57a..e6055d01f 100644
--- a/lib/src/tls.rs
+++ b/lib/src/tls.rs
@@ -7,6 +7,7 @@ use std::{
     borrow::ToOwned,
     collections::{HashMap, HashSet},
     convert::From,
+    fmt::Debug,
     io::BufReader,
     str::FromStr,
     sync::{Arc, Mutex},
@@ -14,9 +15,10 @@ use std::{
 
 use once_cell::sync::Lazy;
 use rustls::{
+    crypto::ring::sign::any_supported_type,
+    pki_types::{CertificateDer, PrivateKeyDer},
     server::{ClientHello, ResolvesServerCert},
     sign::CertifiedKey,
-    Certificate, PrivateKey,
 };
 use sha2::{Digest, Sha256};
 use sozu_command::{
@@ -118,7 +120,7 @@ pub struct CertifiedKeyWrapper {
 impl CertifiedKeyWrapper {
     /// bytes of the pem formatted certificate, first of the chain
     fn pem_bytes(&self) -> &[u8] {
-        &self.inner.cert[0].0
+        self.inner.cert[0].as_ref()
     }
 }
 
@@ -288,11 +290,11 @@ impl CertificateResolver {
         let certificate_pem =
             sozu_command::certificate::parse_pem(certificate_and_key.certificate.as_bytes())?;
 
-        let mut chain = vec![Certificate(certificate_pem.contents)];
+        let mut chain = vec![CertificateDer::from(certificate_pem.contents)];
         for cert in &certificate_and_key.certificate_chain {
             let chain_link = parse_pem(cert.as_bytes())?.contents;
 
-            chain.push(Certificate(chain_link));
+            chain.push(CertificateDer::from(chain_link));
         }
 
         let mut key_reader = BufReader::new(certificate_and_key.key.as_bytes());
@@ -305,12 +307,12 @@ impl CertificateResolver {
         };
 
         let private_key = match item {
-            rustls_pemfile::Item::RSAKey(rsa_key) => PrivateKey(rsa_key),
-            rustls_pemfile::Item::PKCS8Key(pkcs8_key) => PrivateKey(pkcs8_key),
-            rustls_pemfile::Item::ECKey(ec_key) => PrivateKey(ec_key),
+            rustls_pemfile::Item::Pkcs1Key(rsa_key) => PrivateKeyDer::from(rsa_key),
+            rustls_pemfile::Item::Pkcs8Key(pkcs8_key) => PrivateKeyDer::from(pkcs8_key),
+            rustls_pemfile::Item::Sec1Key(ec_key) => PrivateKeyDer::from(ec_key),
             _ => return Err(CertificateResolverError::EmptyKeys),
         };
-        match rustls::sign::any_supported_type(&private_key) {
+        match any_supported_type(&private_key) {
             Ok(signing_key) => {
                 let stored_certificate = CertifiedKeyWrapper {
                     inner: Arc::new(CertifiedKey::new(chain, signing_key)),
@@ -466,6 +468,12 @@ impl ResolvesServerCert for MutexWrappedCertificateResolver {
     }
 }
 
+impl Debug for MutexWrappedCertificateResolver {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str("MutexWrappedCertificateResolver")
+    }
+}
+
 // -----------------------------------------------------------------------------
 // Unit tests