bump quinn & rustls

Cargo.toml

@@ -122,7 +122,7 @@ petgraph = "0.6.3"
 pnet = "0.34"
 pnet_datalink = "0.34"
 proc-macro2 = "1.0.51"
-quinn = "0.10.1"
+quinn = "0.11.1"
 quote = "1.0.23"
 rand = { version = "0.8.5", default-features = false } # Default features are disabled due to usage in no_std crates
 rand_chacha = "0.3.1"
@@ -132,7 +132,11 @@ ron = "0.8.1"
 ringbuffer-spsc = "0.1.9"
 rsa = "0.9"
 rustc_version = "0.4.0"
-rustls = "0.22.2"
+rustls = { version = "0.23.9", default-features = false, features = [
+  "logging",
+  "tls12",
+  "ring",
+] }
 rustls-native-certs = "0.7.0"
 rustls-pemfile = "2.0.0"
 rustls-webpki = "0.102.0"
@@ -155,7 +159,7 @@ token-cell = { version = "1.4.2", default-features = false }
 tokio = { version = "1.35.1", default-features = false } # Default features are disabled due to some crates' requirements
 tokio-util = "0.7.10"
 tokio-tungstenite = "0.21"
-tokio-rustls = "0.25.0"
+tokio-rustls = { version = "0.26.0", default-features = false }
 # tokio-vsock = see: io/zenoh-links/zenoh-link-vsock/Cargo.toml (workspaces does not support platform dependent dependencies)
 console-subscriber = "0.2"
 typenum = "1.16.0"

io/zenoh-links/zenoh-link-quic/Cargo.toml

@@ -29,8 +29,9 @@ async-trait = { workspace = true }
 base64 = { workspace = true }
 futures = { workspace = true }
 quinn = { workspace = true }
-rustls-native-certs = { workspace = true }
-rustls-pki-types =  { workspace = true }
+rustls = { workspace = true }
+rustls-pemfile = { workspace = true }
+rustls-pki-types = { workspace = true }
 rustls-webpki = { workspace = true }
 secrecy = { workspace = true }
 tokio = { workspace = true, features = [
@@ -40,6 +41,7 @@ tokio = { workspace = true, features = [
   "sync",
   "time",
 ] }
+tokio-rustls = { workspace = true }
 tokio-util = { workspace = true, features = ["rt"] }
 tracing = { workspace = true }
 webpki-roots = { workspace = true }
@@ -51,7 +53,3 @@ zenoh-result = { workspace = true }
 zenoh-runtime = { workspace = true }
 zenoh-sync = { workspace = true }
 zenoh-util = { workspace = true }
-# Lock due to quinn not supporting rustls 0.22 yet
-rustls = { version = "0.21", features = ["dangerous_configuration", "quic"] }
-tokio-rustls = "0.24.1"
-rustls-pemfile = { version = "1" }

io/zenoh-links/zenoh-link-quic/src/lib.rs

@@ -26,7 +26,6 @@ use zenoh_result::ZResult;
 
 mod unicast;
 mod utils;
-mod verify;
 pub use unicast::*;
 pub use utils::TlsConfigurator as QuicConfigurator;
 

io/zenoh-links/zenoh-link-quic/src/unicast.rs

@@ -13,11 +13,11 @@
 //
 
 use crate::{
-    config::*,
     utils::{get_quic_addr, TlsClientConfig, TlsServerConfig},
     ALPN_QUIC_HTTP, QUIC_ACCEPT_THROTTLE_TIME, QUIC_DEFAULT_MTU, QUIC_LOCATOR_PREFIX,
 };
 use async_trait::async_trait;
+use quinn::crypto::rustls::{QuicClientConfig, QuicServerConfig};
 use std::fmt;
 use std::net::IpAddr;
 use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr};
@@ -68,7 +68,7 @@ impl LinkUnicastTrait for LinkUnicastQuic {
         tracing::trace!("Closing QUIC link: {}", self);
         // Flush the QUIC stream
         let mut guard = zasynclock!(self.send);
-        if let Err(e) = guard.finish().await {
+        if let Err(e) = guard.finish() {
             tracing::trace!("Error closing QUIC stream {}: {}", self, e);
         }
         self.connection.close(quinn::VarInt::from_u32(0), &[0]);
@@ -206,15 +206,6 @@ impl LinkManagerUnicastTrait for LinkManagerUnicastQuic {
 
         let addr = get_quic_addr(&epaddr).await?;
 
-        let server_name_verification: bool = epconf
-            .get(TLS_SERVER_NAME_VERIFICATION)
-            .unwrap_or(TLS_SERVER_NAME_VERIFICATION_DEFAULT)
-            .parse()?;
-
-        if !server_name_verification {
-            tracing::warn!("Skipping name verification of servers");
-        }
-
         // Initialize the QUIC connection
         let mut client_crypto = TlsClientConfig::new(&epconf)
             .await
@@ -230,9 +221,12 @@ impl LinkManagerUnicastTrait for LinkManagerUnicastQuic {
         };
         let mut quic_endpoint = quinn::Endpoint::client(SocketAddr::new(ip_addr, 0))
             .map_err(|e| zerror!("Can not create a new QUIC link bound to {}: {}", host, e))?;
-        quic_endpoint.set_default_client_config(quinn::ClientConfig::new(Arc::new(
-            client_crypto.client_config,
-        )));
+
+        let quic_config: QuicClientConfig = client_crypto
+            .client_config
+            .try_into()
+            .map_err(|e| zerror!("Can not create a new QUIC link bound to {host}: {e}"))?;
+        quic_endpoint.set_default_client_config(quinn::ClientConfig::new(Arc::new(quic_config)));
 
         let src_addr = quic_endpoint
             .local_addr()
@@ -276,8 +270,22 @@ impl LinkManagerUnicastTrait for LinkManagerUnicastQuic {
             .map_err(|e| zerror!("Cannot create a new QUIC listener on {addr}: {e}"))?;
         server_crypto.server_config.alpn_protocols =
             ALPN_QUIC_HTTP.iter().map(|&x| x.into()).collect();
-        let mut server_config =
-            quinn::ServerConfig::with_crypto(Arc::new(server_crypto.server_config));
+
+        // Install ring based rustls CryptoProvider.
+        rustls::crypto::ring::default_provider()
+            // This can be called successfully at most once in any process execution.
+            // Call this early in your process to configure which provider is used for the provider.
+            // The configuration should happen before any use of ClientConfig::builder() or ServerConfig::builder().
+            .install_default()
+            // Ignore the error here, because `rustls::crypto::ring::default_provider().install_default()` will inevitably be executed multiple times
+            // when there are multiple quic links, and all but the first execution will fail.
+            .ok();
+
+        let quic_config: QuicServerConfig = server_crypto
+            .server_config
+            .try_into()
+            .map_err(|e| zerror!("Can not create a new QUIC listener on {addr}: {e}"))?;
+        let mut server_config = quinn::ServerConfig::with_crypto(Arc::new(quic_config));
 
         // We do not accept unidireactional streams.
         Arc::get_mut(&mut server_config.transport)