From d9deda2e9596fa36aa6b23c2661126211122ebba Mon Sep 17 00:00:00 2001 From: JLer Date: Wed, 5 Jun 2024 13:48:08 +0800 Subject: [PATCH] bump quinn & rustls --- Cargo.lock | 369 +++++++++++++----- Cargo.toml | 6 +- io/zenoh-link-commons/Cargo.toml | 2 +- io/zenoh-links/zenoh-link-quic/Cargo.toml | 10 +- io/zenoh-links/zenoh-link-quic/src/lib.rs | 1 - io/zenoh-links/zenoh-link-quic/src/unicast.rs | 35 +- io/zenoh-links/zenoh-link-quic/src/utils.rs | 148 +++---- io/zenoh-links/zenoh-link-quic/src/verify.rs | 42 -- io/zenoh-links/zenoh-link-tls/src/utils.rs | 10 + 9 files changed, 366 insertions(+), 257 deletions(-) delete mode 100644 io/zenoh-links/zenoh-link-quic/src/verify.rs diff --git a/Cargo.lock b/Cargo.lock index 36078d0238..544b87f0d6 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -451,6 +451,33 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" +[[package]] +name = "aws-lc-rs" +version = "1.7.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "474d7cec9d0a1126fad1b224b767fcbf351c23b0309bb21ec210bcfd379926a5" +dependencies = [ + "aws-lc-sys", + "mirai-annotations", + "paste", + "zeroize", +] + +[[package]] +name = "aws-lc-sys" +version = "0.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7505fc3cb7acbf42699a43a79dd9caa4ed9e99861dfbb837c5c0fb5a0a8d2980" +dependencies = [ + "bindgen", + "cc", + "cmake", + "dunce", + "fs_extra", + "libc", + "paste", +] + [[package]] name = "backtrace" version = "0.3.69" @@ -505,6 +532,29 @@ dependencies = [ "serde", ] +[[package]] +name = "bindgen" +version = "0.69.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a00dc851838a2120612785d195287475a3ac45514741da670b735818822129a0" +dependencies = [ + "bitflags 2.5.0", + "cexpr", + "clang-sys", + "itertools", + "lazy_static", + "lazycell", + "log", + "prettyplease", + "proc-macro2", + "quote", + "regex", + "rustc-hash", + "shlex", + "syn 2.0.33", + "which", +] + [[package]] name = "bit-set" version = "0.5.3" @@ -528,9 +578,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "bitflags" -version = "2.4.2" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" +checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" dependencies = [ "serde", ] @@ -625,9 +675,25 @@ version = "1.0.83" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" dependencies = [ + "jobserver", "libc", ] +[[package]] +name = "cesu8" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c" + +[[package]] +name = "cexpr" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766" +dependencies = [ + "nom", +] + [[package]] name = "cfg-if" version = "0.1.10" @@ -701,6 +767,17 @@ dependencies = [ "inout", ] +[[package]] +name = "clang-sys" +version = "1.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4" +dependencies = [ + "glob", + "libc", + "libloading", +] + [[package]] name = "clap" version = "4.4.11" @@ -741,6 +818,15 @@ version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "702fc72eb24e5a1e48ce58027a675bc24edd52096d5397d4aea7c6dd9eca0bd1" +[[package]] +name = "cmake" +version = "0.1.50" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a31c789563b815f77f4250caee12365734369f942439b7defd71e18a48197130" +dependencies = [ + "cc", +] + [[package]] name = "cobs" version = "0.2.3" @@ -753,6 +839,16 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7" +[[package]] +name = "combine" +version = "4.6.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd" +dependencies = [ + "bytes", + "memchr", +] + [[package]] name = "concurrent-queue" version = "2.2.0" @@ -825,9 +921,9 @@ dependencies = [ [[package]] name = "core-foundation" -version = "0.9.3" +version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "194a7a9e6de53fa55116934067c844d9d749312f75c6f6d0980e8c252f8c2146" +checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f" dependencies = [ "core-foundation-sys", "libc", @@ -835,9 +931,9 @@ dependencies = [ [[package]] name = "core-foundation-sys" -version = "0.8.4" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e496a50fda8aacccc86d7529e2c1e0892dbd0f898a6b5645b5561b89c3210efa" +checksum = "06ea2b9bc92be3c2baa9334a323ebca2d6f074ff852cd1d7b11064035cd3868f" [[package]] name = "cpufeatures" @@ -1082,6 +1178,12 @@ version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "212d0f5754cb6769937f4501cc0e67f4f4483c8d2c3e1e922ee9edbe4ab4c7c0" +[[package]] +name = "dunce" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "56ce8c6da7551ec6c462cbaf3bfbc75131ebbfa1c944aeaa9dab51ca1c5f0c3b" + [[package]] name = "dyn-clone" version = "1.0.13" @@ -1275,6 +1377,12 @@ dependencies = [ "num", ] +[[package]] +name = "fs_extra" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c" + [[package]] name = "futures" version = "0.3.28" @@ -1451,6 +1559,12 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "glob" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b" + [[package]] name = "gloo-timers" version = "0.2.6" @@ -1817,6 +1931,35 @@ version = "1.0.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "af150ab688ff2122fcef229be89cb50dd66af9e01a4ff320cc137eecc9bacc38" +[[package]] +name = "jni" +version = "0.19.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c6df18c2e3db7e453d3c6ac5b3e9d5182664d28788126d39b91f2d1e22b017ec" +dependencies = [ + "cesu8", + "combine", + "jni-sys", + "log", + "thiserror", + "walkdir", +] + +[[package]] +name = "jni-sys" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130" + +[[package]] +name = "jobserver" +version = "0.1.31" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d2b099aaa34a9751c5bf0878add70444e1ed2dd73f347be99003d4577277de6e" +dependencies = [ + "libc", +] + [[package]] name = "js-sys" version = "0.3.64" @@ -1901,6 +2044,12 @@ dependencies = [ "spin 0.5.2", ] +[[package]] +name = "lazycell" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" + [[package]] name = "libc" version = "0.2.153" @@ -2080,6 +2229,12 @@ dependencies = [ "winapi", ] +[[package]] +name = "mirai-annotations" +version = "1.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c9be0862c1b3f26a88803c4a49de6889c10e608b3ee9344e6ef5b45fb37ad3d1" + [[package]] name = "nanorand" version = "0.7.0" @@ -2139,7 +2294,7 @@ version = "0.27.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2eb04e9c688eff1c89d72b407f168cf79bb9e867a9d3323ed6c01519eb9cc053" dependencies = [ - "bitflags 2.4.2", + "bitflags 2.5.0", "cfg-if 1.0.0", "libc", "memoffset 0.9.0", @@ -2292,9 +2447,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.18.0" +version = "1.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" +checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "oorandom" @@ -2314,7 +2469,7 @@ version = "0.10.64" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f" dependencies = [ - "bitflags 2.4.2", + "bitflags 2.5.0", "cfg-if 1.0.0", "foreign-types", "libc", @@ -2646,6 +2801,16 @@ version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" +[[package]] +name = "prettyplease" +version = "0.2.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ae005bd773ab59b4725093fd7df83fd7892f7d8eafb48dbd7de6e024e4215f9d" +dependencies = [ + "proc-macro2", + "syn 2.0.33", +] + [[package]] name = "proc-macro-hack" version = "0.5.20+deprecated" @@ -2695,16 +2860,16 @@ dependencies = [ [[package]] name = "quinn" -version = "0.10.2" +version = "0.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8cc2c5017e4b43d5995dcea317bc46c1e09404c0a9664d2908f7f02dfe943d75" +checksum = "904e3d3ba178131798c6d9375db2b13b34337d489b089fc5ba0825a2ff1bee73" dependencies = [ "bytes", "pin-project-lite 0.2.13", "quinn-proto", "quinn-udp", "rustc-hash", - "rustls 0.21.7", + "rustls", "thiserror", "tokio", "tracing", @@ -2712,16 +2877,16 @@ dependencies = [ [[package]] name = "quinn-proto" -version = "0.10.4" +version = "0.11.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e13f81c9a9d574310b8351f8666f5a93ac3b0069c45c28ad52c10291389a7cf9" +checksum = "e974563a4b1c2206bbc61191ca4da9c22e4308b4c455e8906751cc7828393f08" dependencies = [ "bytes", "rand 0.8.5", - "ring 0.16.20", + "ring 0.17.6", "rustc-hash", - "rustls 0.21.7", - "rustls-native-certs 0.6.3", + "rustls", + "rustls-platform-verifier", "slab", "thiserror", "tinyvec", @@ -2730,15 +2895,15 @@ dependencies = [ [[package]] name = "quinn-udp" -version = "0.4.1" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "055b4e778e8feb9f93c4e439f71dc2156ef13360b432b799e179a8c4cdf0b1d7" +checksum = "e4f0def2590301f4f667db5a77f9694fb004f82796dc1a8b1508fafa3d0e8b72" dependencies = [ - "bytes", "libc", + "once_cell", "socket2 0.5.6", "tracing", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] @@ -3014,7 +3179,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b91f7eff05f748767f183df4320a63d6936e9c6107d97c9e6bdd9784f4289c94" dependencies = [ "base64 0.21.4", - "bitflags 2.4.2", + "bitflags 2.5.0", "serde", "serde_derive", ] @@ -3097,7 +3262,7 @@ version = "0.38.32" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "65e04861e65f21776e67888bfbea442b3642beaa0138fdb1dd7a84a52dffdb89" dependencies = [ - "bitflags 2.4.2", + "bitflags 2.5.0", "errno 0.3.8", "libc", "linux-raw-sys 0.4.13", @@ -3106,42 +3271,20 @@ dependencies = [ [[package]] name = "rustls" -version = "0.21.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cd8d6c9f025a446bc4d18ad9632e69aec8f287aa84499ee335599fabd20c3fd8" -dependencies = [ - "log", - "ring 0.16.20", - "rustls-webpki 0.101.5", - "sct", -] - -[[package]] -name = "rustls" -version = "0.22.4" +version = "0.23.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf4ef73721ac7bcd79b2b315da7779d8fc09718c6b3d2d1b2d94850eb8c18432" +checksum = "a218f0f6d05669de4eabfb24f31ce802035c952429d037507b4a4a39f0e60c5b" dependencies = [ + "aws-lc-rs", "log", + "once_cell", "ring 0.17.6", "rustls-pki-types", - "rustls-webpki 0.102.2", + "rustls-webpki", "subtle", "zeroize", ] -[[package]] -name = "rustls-native-certs" -version = "0.6.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" -dependencies = [ - "openssl-probe", - "rustls-pemfile 1.0.3", - "schannel", - "security-framework", -] - [[package]] name = "rustls-native-certs" version = "0.7.0" @@ -3176,26 +3319,44 @@ dependencies = [ [[package]] name = "rustls-pki-types" -version = "1.3.1" +version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5ede67b28608b4c60685c7d54122d4400d90f62b40caee7700e700380a390fa8" +checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d" [[package]] -name = "rustls-webpki" -version = "0.101.5" +name = "rustls-platform-verifier" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "45a27e3b59326c16e23d30aeb7a36a24cc0d29e71d68ff611cdfb4a01d013bed" +checksum = "b5f0d26fa1ce3c790f9590868f0109289a044acb954525f933e2aa3b871c157d" dependencies = [ - "ring 0.16.20", - "untrusted 0.7.1", + "core-foundation", + "core-foundation-sys", + "jni", + "log", + "once_cell", + "rustls", + "rustls-native-certs", + "rustls-platform-verifier-android", + "rustls-webpki", + "security-framework", + "security-framework-sys", + "webpki-roots", + "winapi", ] +[[package]] +name = "rustls-platform-verifier-android" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "84e217e7fdc8466b5b35d30f8c0a30febd29173df4a3a0c2115d306b9c4117ad" + [[package]] name = "rustls-webpki" -version = "0.102.2" +version = "0.102.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "faaa0a62740bedb9b2ef5afa303da42764c012f743917351dc9a237ea1663610" +checksum = "ff448f7e92e913c4b7d4c6d8e4540a1724b319b4152b8aef6d4cf8339712b33e" dependencies = [ + "aws-lc-rs", "ring 0.17.6", "rustls-pki-types", "untrusted 0.9.0", @@ -3255,16 +3416,6 @@ version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" -[[package]] -name = "sct" -version = "0.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" -dependencies = [ - "ring 0.16.20", - "untrusted 0.7.1", -] - [[package]] name = "secrecy" version = "0.8.0" @@ -3277,22 +3428,23 @@ dependencies = [ [[package]] name = "security-framework" -version = "2.9.2" +version = "2.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "05b64fb303737d99b81884b2c63433e9ae28abebe5eb5045dcdd175dc2ecf4de" +checksum = "c627723fd09706bacdb5cf41499e95098555af3c3c29d014dc3c458ef6be11c0" dependencies = [ - "bitflags 1.3.2", + "bitflags 2.5.0", "core-foundation", "core-foundation-sys", "libc", + "num-bigint", "security-framework-sys", ] [[package]] name = "security-framework-sys" -version = "2.9.1" +version = "2.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e932934257d3b408ed8f30db49d85ea163bfe74961f017f405b025af298f0c7a" +checksum = "317936bbbd05227752583946b9e66d7ce3b489f84e11a94a510b4437fef407d7" dependencies = [ "core-foundation-sys", "libc", @@ -3514,6 +3666,12 @@ dependencies = [ "dirs", ] +[[package]] +name = "shlex" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" + [[package]] name = "signal-hook" version = "0.3.17" @@ -4027,21 +4185,11 @@ dependencies = [ [[package]] name = "tokio-rustls" -version = "0.24.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" -dependencies = [ - "rustls 0.21.7", - "tokio", -] - -[[package]] -name = "tokio-rustls" -version = "0.25.0" +version = "0.26.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f" +checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4" dependencies = [ - "rustls 0.22.4", + "rustls", "rustls-pki-types", "tokio", ] @@ -4619,6 +4767,18 @@ dependencies = [ "rustls-pki-types", ] +[[package]] +name = "which" +version = "4.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87ba24419a2078cd2b0f2ede2691b6c66d8e47836da3b6db8265ebad47afbfc7" +dependencies = [ + "either", + "home", + "once_cell", + "rustix 0.38.32", +] + [[package]] name = "win-sys" version = "0.3.1" @@ -5112,8 +5272,8 @@ dependencies = [ "base64 0.21.4", "flume", "futures", - "rustls 0.22.4", - "rustls-webpki 0.102.2", + "rustls", + "rustls-webpki", "serde", "tokio", "tokio-util", @@ -5137,14 +5297,13 @@ dependencies = [ "base64 0.21.4", "futures", "quinn", - "rustls 0.21.7", - "rustls-native-certs 0.7.0", - "rustls-pemfile 1.0.3", + "rustls", + "rustls-pemfile 2.0.0", "rustls-pki-types", - "rustls-webpki 0.102.2", + "rustls-webpki", "secrecy", "tokio", - "tokio-rustls 0.24.1", + "tokio-rustls", "tokio-util", "tracing", "webpki-roots", @@ -5203,13 +5362,13 @@ dependencies = [ "async-trait", "base64 0.21.4", "futures", - "rustls 0.22.4", + "rustls", "rustls-pemfile 2.0.0", "rustls-pki-types", - "rustls-webpki 0.102.2", + "rustls-webpki", "secrecy", "tokio", - "tokio-rustls 0.25.0", + "tokio-rustls", "tokio-util", "tracing", "webpki-roots", @@ -5614,3 +5773,17 @@ name = "zeroize" version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d" +dependencies = [ + "zeroize_derive", +] + +[[package]] +name = "zeroize_derive" +version = "1.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.33", +] diff --git a/Cargo.toml b/Cargo.toml index 9036521c78..cab6f4939a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -122,7 +122,7 @@ petgraph = "0.6.3" pnet = "0.34" pnet_datalink = "0.34" proc-macro2 = "1.0.51" -quinn = "0.10.1" +quinn = "0.11.1" quote = "1.0.23" rand = { version = "0.8.5", default-features = false } # Default features are disabled due to usage in no_std crates rand_chacha = "0.3.1" @@ -132,7 +132,7 @@ ron = "0.8.1" ringbuffer-spsc = "0.1.9" rsa = "0.9" rustc_version = "0.4.0" -rustls = "0.22.2" +rustls = "0.23.9" rustls-native-certs = "0.7.0" rustls-pemfile = "2.0.0" rustls-webpki = "0.102.0" @@ -155,7 +155,7 @@ token-cell = { version = "1.4.2", default-features = false } tokio = { version = "1.35.1", default-features = false } # Default features are disabled due to some crates' requirements tokio-util = "0.7.10" tokio-tungstenite = "0.21" -tokio-rustls = "0.25.0" +tokio-rustls = "0.26.0" # tokio-vsock = see: io/zenoh-links/zenoh-link-vsock/Cargo.toml (workspaces does not support platform dependent dependencies) console-subscriber = "0.2" typenum = "1.16.0" diff --git a/io/zenoh-link-commons/Cargo.toml b/io/zenoh-link-commons/Cargo.toml index 12b70cad6d..0a92ab2528 100644 --- a/io/zenoh-link-commons/Cargo.toml +++ b/io/zenoh-link-commons/Cargo.toml @@ -32,7 +32,7 @@ async-trait = { workspace = true } base64 = { workspace = true, optional = true } flume = { workspace = true } futures = { workspace = true } -rustls = { workspace = true } +rustls = { workspace = true, features = ["ring"]} rustls-webpki = { workspace = true } serde = { workspace = true, features = ["default"] } tokio = { workspace = true, features = [ diff --git a/io/zenoh-links/zenoh-link-quic/Cargo.toml b/io/zenoh-links/zenoh-link-quic/Cargo.toml index 0e1c720d78..d86e75847b 100644 --- a/io/zenoh-links/zenoh-link-quic/Cargo.toml +++ b/io/zenoh-links/zenoh-link-quic/Cargo.toml @@ -29,8 +29,9 @@ async-trait = { workspace = true } base64 = { workspace = true } futures = { workspace = true } quinn = { workspace = true } -rustls-native-certs = { workspace = true } -rustls-pki-types = { workspace = true } +rustls = { workspace = true } +rustls-pemfile = { workspace = true } +rustls-pki-types = { workspace = true } rustls-webpki = { workspace = true } secrecy = { workspace = true } tokio = { workspace = true, features = [ @@ -40,6 +41,7 @@ tokio = { workspace = true, features = [ "sync", "time", ] } +tokio-rustls = { workspace = true } tokio-util = { workspace = true, features = ["rt"] } tracing = { workspace = true } webpki-roots = { workspace = true } @@ -51,7 +53,3 @@ zenoh-result = { workspace = true } zenoh-runtime = { workspace = true } zenoh-sync = { workspace = true } zenoh-util = { workspace = true } -# Lock due to quinn not supporting rustls 0.22 yet -rustls = { version = "0.21", features = ["dangerous_configuration", "quic"] } -tokio-rustls = "0.24.1" -rustls-pemfile = { version = "1" } diff --git a/io/zenoh-links/zenoh-link-quic/src/lib.rs b/io/zenoh-links/zenoh-link-quic/src/lib.rs index 0c9bc7365e..deed695ace 100644 --- a/io/zenoh-links/zenoh-link-quic/src/lib.rs +++ b/io/zenoh-links/zenoh-link-quic/src/lib.rs @@ -26,7 +26,6 @@ use zenoh_result::ZResult; mod unicast; mod utils; -mod verify; pub use unicast::*; pub use utils::TlsConfigurator as QuicConfigurator; diff --git a/io/zenoh-links/zenoh-link-quic/src/unicast.rs b/io/zenoh-links/zenoh-link-quic/src/unicast.rs index 452fd8a122..d134315c3f 100644 --- a/io/zenoh-links/zenoh-link-quic/src/unicast.rs +++ b/io/zenoh-links/zenoh-link-quic/src/unicast.rs @@ -13,11 +13,11 @@ // use crate::{ - config::*, utils::{get_quic_addr, TlsClientConfig, TlsServerConfig}, ALPN_QUIC_HTTP, QUIC_ACCEPT_THROTTLE_TIME, QUIC_DEFAULT_MTU, QUIC_LOCATOR_PREFIX, }; use async_trait::async_trait; +use quinn::crypto::rustls::{QuicClientConfig, QuicServerConfig}; use std::fmt; use std::net::IpAddr; use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr}; @@ -68,7 +68,7 @@ impl LinkUnicastTrait for LinkUnicastQuic { tracing::trace!("Closing QUIC link: {}", self); // Flush the QUIC stream let mut guard = zasynclock!(self.send); - if let Err(e) = guard.finish().await { + if let Err(e) = guard.finish() { tracing::trace!("Error closing QUIC stream {}: {}", self, e); } self.connection.close(quinn::VarInt::from_u32(0), &[0]); @@ -206,15 +206,6 @@ impl LinkManagerUnicastTrait for LinkManagerUnicastQuic { let addr = get_quic_addr(&epaddr).await?; - let server_name_verification: bool = epconf - .get(TLS_SERVER_NAME_VERIFICATION) - .unwrap_or(TLS_SERVER_NAME_VERIFICATION_DEFAULT) - .parse()?; - - if !server_name_verification { - tracing::warn!("Skipping name verification of servers"); - } - // Initialize the QUIC connection let mut client_crypto = TlsClientConfig::new(&epconf) .await @@ -230,9 +221,12 @@ impl LinkManagerUnicastTrait for LinkManagerUnicastQuic { }; let mut quic_endpoint = quinn::Endpoint::client(SocketAddr::new(ip_addr, 0)) .map_err(|e| zerror!("Can not create a new QUIC link bound to {}: {}", host, e))?; - quic_endpoint.set_default_client_config(quinn::ClientConfig::new(Arc::new( - client_crypto.client_config, - ))); + + let quic_config: QuicClientConfig = client_crypto + .client_config + .try_into() + .map_err(|e| zerror!("Can not create a new QUIC link bound to {host}: {e}"))?; + quic_endpoint.set_default_client_config(quinn::ClientConfig::new(Arc::new(quic_config))); let src_addr = quic_endpoint .local_addr() @@ -276,8 +270,17 @@ impl LinkManagerUnicastTrait for LinkManagerUnicastQuic { .map_err(|e| zerror!("Cannot create a new QUIC listener on {addr}: {e}"))?; server_crypto.server_config.alpn_protocols = ALPN_QUIC_HTTP.iter().map(|&x| x.into()).collect(); - let mut server_config = - quinn::ServerConfig::with_crypto(Arc::new(server_crypto.server_config)); + + // Install rustls provider + rustls::crypto::ring::default_provider() + .install_default() + .ok(); + + let quic_config: QuicServerConfig = server_crypto + .server_config + .try_into() + .map_err(|e| zerror!("Can not create a new QUIC listener on {addr}: {e}"))?; + let mut server_config = quinn::ServerConfig::with_crypto(Arc::new(quic_config)); // We do not accept unidireactional streams. Arc::get_mut(&mut server_config.transport) diff --git a/io/zenoh-links/zenoh-link-quic/src/utils.rs b/io/zenoh-links/zenoh-link-quic/src/utils.rs index 40367599cb..7231ee719b 100644 --- a/io/zenoh-links/zenoh-link-quic/src/utils.rs +++ b/io/zenoh-links/zenoh-link-quic/src/utils.rs @@ -12,16 +12,13 @@ // ZettaScale Zenoh Team, // use crate::config::*; -use crate::verify::WebPkiVerifierAnyServerName; -use rustls::OwnedTrustAnchor; use rustls::{ - server::AllowAnyAuthenticatedClient, version::TLS13, Certificate, ClientConfig, PrivateKey, - RootCertStore, ServerConfig, + pki_types::{CertificateDer, PrivateKeyDer, TrustAnchor}, + server::WebPkiClientVerifier, + version::TLS13, + ClientConfig, RootCertStore, ServerConfig, }; -use rustls_pki_types::{CertificateDer, TrustAnchor}; use secrecy::ExposeSecret; -use zenoh_link_commons::ConfigurationInspector; -// use rustls_pki_types::{CertificateDer, PrivateKeyDer, TrustAnchor}; use std::fs::File; use std::io; use std::net::SocketAddr; @@ -31,6 +28,7 @@ use std::{ }; use webpki::anchor_from_trusted_cert; use zenoh_config::Config as ZenohConfig; +use zenoh_link_commons::{tls::WebPkiVerifierAnyServerName, ConfigurationInspector}; use zenoh_protocol::core::endpoint::Config; use zenoh_protocol::core::endpoint::{self, Address}; use zenoh_result::{bail, zerror, ZError, ZResult}; @@ -160,40 +158,40 @@ impl TlsServerConfig { let tls_server_private_key = TlsServerConfig::load_tls_private_key(config).await?; let tls_server_certificate = TlsServerConfig::load_tls_certificate(config).await?; - let certs: Vec = + let certs: Vec = rustls_pemfile::certs(&mut Cursor::new(&tls_server_certificate)) - .map_err(|err| zerror!("Error processing server certificate: {err}."))? - .into_iter() - .map(Certificate) - .collect(); + .collect::>() + .map_err(|err| zerror!("Error processing server certificate: {err}."))?; - let mut keys: Vec = + let mut keys: Vec = rustls_pemfile::rsa_private_keys(&mut Cursor::new(&tls_server_private_key)) - .map_err(|err| zerror!("Error processing server key: {err}."))? - .into_iter() - .map(PrivateKey) - .collect(); + .map(|x| x.map(PrivateKeyDer::from)) + .collect::>() + .map_err(|err| zerror!("Error processing server key: {err}."))?; if keys.is_empty() { keys = rustls_pemfile::pkcs8_private_keys(&mut Cursor::new(&tls_server_private_key)) - .map_err(|err| zerror!("Error processing server key: {err}."))? - .into_iter() - .map(PrivateKey) - .collect(); + .map(|x| x.map(PrivateKeyDer::from)) + .collect::>() + .map_err(|err| zerror!("Error processing server key: {err}."))?; } if keys.is_empty() { keys = rustls_pemfile::ec_private_keys(&mut Cursor::new(&tls_server_private_key)) - .map_err(|err| zerror!("Error processing server key: {err}."))? - .into_iter() - .map(PrivateKey) - .collect(); + .map(|x| x.map(PrivateKeyDer::from)) + .collect::>() + .map_err(|err| zerror!("Error processing server key: {err}."))?; } if keys.is_empty() { bail!("No private key found for TLS server."); } + // Install rustls provider + rustls::crypto::ring::default_provider() + .install_default() + .ok(); + let sc = if tls_server_client_auth { let root_cert_store = load_trust_anchors(config)?.map_or_else( || { @@ -203,17 +201,13 @@ impl TlsServerConfig { }, Ok, )?; - let client_auth = AllowAnyAuthenticatedClient::new(root_cert_store); - ServerConfig::builder() - .with_safe_default_cipher_suites() - .with_safe_default_kx_groups() - .with_protocol_versions(&[&TLS13])? - .with_client_cert_verifier(Arc::new(client_auth)) + let client_auth = WebPkiClientVerifier::builder(root_cert_store.into()).build()?; + ServerConfig::builder_with_protocol_versions(&[&TLS13]) + .with_client_cert_verifier(client_auth) .with_single_cert(certs, keys.remove(0)) .map_err(|e| zerror!(e))? } else { ServerConfig::builder() - .with_safe_defaults() .with_no_client_auth() .with_single_cert(certs, keys.remove(0)) .map_err(|e| zerror!(e))? @@ -271,68 +265,55 @@ impl TlsClientConfig { // Allows mixed user-generated CA and webPKI CA tracing::debug!("Loading default Web PKI certificates."); let mut root_cert_store = RootCertStore { - roots: webpki_roots::TLS_SERVER_ROOTS - .iter() - .map(|ta| ta.to_owned()) - .map(|ta| { - OwnedTrustAnchor::from_subject_spki_name_constraints( - ta.subject.to_vec(), - ta.subject_public_key_info.to_vec(), - ta.name_constraints.map(|nc| nc.to_vec()), - ) - }) - .collect(), + roots: webpki_roots::TLS_SERVER_ROOTS.to_vec(), }; if let Some(custom_root_cert) = load_trust_anchors(config)? { tracing::debug!("Loading user-generated certificates."); - root_cert_store.roots.extend(custom_root_cert.roots); + root_cert_store.extend(custom_root_cert.roots); } + // Install rustls provider + rustls::crypto::ring::default_provider() + .install_default() + .ok(); + let cc = if tls_client_server_auth { tracing::debug!("Loading client authentication key and certificate..."); let tls_client_private_key = TlsClientConfig::load_tls_private_key(config).await?; let tls_client_certificate = TlsClientConfig::load_tls_certificate(config).await?; - let certs: Vec = + let certs: Vec = rustls_pemfile::certs(&mut Cursor::new(&tls_client_certificate)) - .map_err(|err| zerror!("Error processing client certificate: {err}."))? - .into_iter() - .map(Certificate) - .collect(); + .collect::>() + .map_err(|err| zerror!("Error processing client certificate: {err}."))?; - let mut keys: Vec = + let mut keys: Vec = rustls_pemfile::rsa_private_keys(&mut Cursor::new(&tls_client_private_key)) - .map_err(|err| zerror!("Error processing client key: {err}."))? - .into_iter() - .map(PrivateKey) - .collect(); + .map(|x| x.map(PrivateKeyDer::from)) + .collect::>() + .map_err(|err| zerror!("Error processing client key: {err}."))?; if keys.is_empty() { keys = rustls_pemfile::pkcs8_private_keys(&mut Cursor::new(&tls_client_private_key)) - .map_err(|err| zerror!("Error processing client key: {err}."))? - .into_iter() - .map(PrivateKey) - .collect(); + .map(|x| x.map(PrivateKeyDer::from)) + .collect::>() + .map_err(|err| zerror!("Error processing client key: {err}."))?; } if keys.is_empty() { keys = rustls_pemfile::ec_private_keys(&mut Cursor::new(&tls_client_private_key)) - .map_err(|err| zerror!("Error processing client key: {err}."))? - .into_iter() - .map(PrivateKey) - .collect(); + .map(|x| x.map(PrivateKeyDer::from)) + .collect::>() + .map_err(|err| zerror!("Error processing client key: {err}."))?; } if keys.is_empty() { bail!("No private key found for TLS client."); } - let builder = ClientConfig::builder() - .with_safe_default_cipher_suites() - .with_safe_default_kx_groups() - .with_protocol_versions(&[&TLS13])?; + let builder = ClientConfig::builder_with_protocol_versions(&[&TLS13]); if tls_server_name_verification { builder @@ -340,6 +321,7 @@ impl TlsClientConfig { .with_client_auth_cert(certs, keys.remove(0)) } else { builder + .dangerous() .with_custom_certificate_verifier(Arc::new(WebPkiVerifierAnyServerName::new( root_cert_store, ))) @@ -347,17 +329,14 @@ impl TlsClientConfig { } .map_err(|e| zerror!("Bad certificate/key: {}", e))? } else { - let builder = ClientConfig::builder() - .with_safe_default_cipher_suites() - .with_safe_default_kx_groups() - .with_protocol_versions(&[&TLS13])?; - + let builder = ClientConfig::builder(); if tls_server_name_verification { builder .with_root_certificates(root_cert_store) .with_no_client_auth() } else { builder + .dangerous() .with_custom_certificate_verifier(Arc::new(WebPkiVerifierAnyServerName::new( root_cert_store, ))) @@ -388,30 +367,19 @@ impl TlsClientConfig { } } -fn process_pem(pem: &mut dyn io::BufRead) -> ZResult> { +fn process_pem(pem: &mut dyn io::BufRead) -> ZResult>> { let certs: Vec = rustls_pemfile::certs(pem) - .map_err(|err| zerror!("Error processing PEM certificates: {err}."))? - .into_iter() - .map(CertificateDer::from) - .collect(); + .map(|result| result.map_err(|err| zerror!("Error processing PEM certificates: {err}."))) + .collect::, ZError>>()?; - let trust_anchors: Vec = certs + let trust_anchors: Vec = certs .into_iter() .map(|cert| { anchor_from_trusted_cert(&cert) .map_err(|err| zerror!("Error processing trust anchor: {err}.")) .map(|trust_anchor| trust_anchor.to_owned()) }) - .collect::, ZError>>()? - .into_iter() - .map(|ta| { - OwnedTrustAnchor::from_subject_spki_name_constraints( - ta.subject.to_vec(), - ta.subject_public_key_info.to_vec(), - ta.name_constraints.map(|nc| nc.to_vec()), - ) - }) - .collect(); + .collect::, ZError>>()?; Ok(trust_anchors) } @@ -472,7 +440,7 @@ fn load_trust_anchors(config: &Config<'_>) -> ZResult> { if let Some(value) = config.get(TLS_ROOT_CA_CERTIFICATE_RAW) { let mut pem = BufReader::new(value.as_bytes()); let trust_anchors = process_pem(&mut pem)?; - root_cert_store.roots.extend(trust_anchors); + root_cert_store.extend(trust_anchors); return Ok(Some(root_cert_store)); } @@ -480,14 +448,14 @@ fn load_trust_anchors(config: &Config<'_>) -> ZResult> { let certificate_pem = base64_decode(b64_certificate)?; let mut pem = BufReader::new(certificate_pem.as_slice()); let trust_anchors = process_pem(&mut pem)?; - root_cert_store.roots.extend(trust_anchors); + root_cert_store.extend(trust_anchors); return Ok(Some(root_cert_store)); } if let Some(filename) = config.get(TLS_ROOT_CA_CERTIFICATE_FILE) { let mut pem = BufReader::new(File::open(filename)?); let trust_anchors = process_pem(&mut pem)?; - root_cert_store.roots.extend(trust_anchors); + root_cert_store.extend(trust_anchors); return Ok(Some(root_cert_store)); } Ok(None) diff --git a/io/zenoh-links/zenoh-link-quic/src/verify.rs b/io/zenoh-links/zenoh-link-quic/src/verify.rs deleted file mode 100644 index baa7864246..0000000000 --- a/io/zenoh-links/zenoh-link-quic/src/verify.rs +++ /dev/null @@ -1,42 +0,0 @@ -use rustls::client::verify_server_cert_signed_by_trust_anchor; -use rustls::server::ParsedCertificate; -use std::time::SystemTime; -use tokio_rustls::rustls::{ - client::{ServerCertVerified, ServerCertVerifier}, - Certificate, RootCertStore, ServerName, -}; - -impl ServerCertVerifier for WebPkiVerifierAnyServerName { - /// Will verify the certificate is valid in the following ways: - /// - Signed by a trusted `RootCertStore` CA - /// - Not Expired - fn verify_server_cert( - &self, - end_entity: &Certificate, - intermediates: &[Certificate], - _server_name: &ServerName, - _scts: &mut dyn Iterator, - _ocsp_response: &[u8], - now: SystemTime, - ) -> Result { - let cert = ParsedCertificate::try_from(end_entity)?; - verify_server_cert_signed_by_trust_anchor(&cert, &self.roots, intermediates, now)?; - Ok(ServerCertVerified::assertion()) - } -} - -/// `ServerCertVerifier` that verifies that the server is signed by a trusted root, but allows any serverName -/// see the trait impl for more information. -pub struct WebPkiVerifierAnyServerName { - roots: RootCertStore, -} - -#[allow(unreachable_pub)] -impl WebPkiVerifierAnyServerName { - /// Constructs a new `WebPkiVerifierAnyServerName`. - /// - /// `roots` is the set of trust anchors to trust for issuing server certs. - pub fn new(roots: RootCertStore) -> Self { - Self { roots } - } -} diff --git a/io/zenoh-links/zenoh-link-tls/src/utils.rs b/io/zenoh-links/zenoh-link-tls/src/utils.rs index f62757523c..c3785fef57 100644 --- a/io/zenoh-links/zenoh-link-tls/src/utils.rs +++ b/io/zenoh-links/zenoh-link-tls/src/utils.rs @@ -188,6 +188,11 @@ impl TlsServerConfig { bail!("No private key found for TLS server."); } + // Install rustls provider + rustls::crypto::ring::default_provider() + .install_default() + .ok(); + let sc = if tls_server_client_auth { let root_cert_store = load_trust_anchors(config)?.map_or_else( || { @@ -269,6 +274,11 @@ impl TlsClientConfig { root_cert_store.extend(custom_root_cert.roots); } + // Install rustls provider + rustls::crypto::ring::default_provider() + .install_default() + .ok(); + let cc = if tls_client_server_auth { tracing::debug!("Loading client authentication key and certificate..."); let tls_client_private_key = TlsClientConfig::load_tls_private_key(config).await?;