Upgrade deps

Cargo.toml

@@ -26,7 +26,7 @@ include = [
 ]
 
 [dependencies]
-toml = "0.5"
+toml = "0.7"
 serde_derive = "1.0"
 serde = { version = "1.0", features = ["derive"] }
 futures = "0.3"
@@ -35,51 +35,52 @@ anyhow = "1.0"
 tokio = { version = "1.9", features = ["net", "rt", "rt-multi-thread", "macros", "io-util", "signal"] }
 ring = "0.16"
 data-encoding = "2.3"
-async-trait = "0.1.64"
+async-trait = "0.1"
 
 
 # logging deps
 log = "0.4"
 rand = { version = "0.8", optional = true, features = [] }
-env_logger = { version = "0.9", optional = true, features = [] }
+env_logger = { version = "0.10", optional = true, features = [] }
 
 # incoming deps
-tokio-rustls = { version = "0.23", optional = true }
+tokio-rustls = { version = "0.24", optional = true }
+webpki = { package = "rustls-webpki", version = "0.100", optional = true }
 
 # outgoing deps
-lazy_static = { version = "1.4", optional = true }
+lazy_static = "1.4"
-trust-dns-resolver = { version = "0.21", optional = true }
+trust-dns-resolver = { version = "0.22", optional = true }
 # todo: feature+code for dns-over-rustls
 #trust-dns-resolver = { version = "0.21", features = ["dns-over-rustls"], optional = true }
-webpki-roots = { version = "0.22", optional = true }
+webpki-roots = { version = "0.25", optional = true }
 rustls-native-certs = { version = "0.6", optional = true }
 # todo: feed reqwest the roots we already have
 reqwest = { version = "0.11", optional = true, default-features = false, features = ["rustls-tls-native-roots", "json", "gzip", "trust-dns"] }
 
 # quic deps
-quinn = { version = "0.9", optional = true }
+quinn = { version = "0.10", optional = true }
 
 # shared deps needed by quic and incoming
-rustls = { version = "0.20.2", optional = true }
+rustls = { version = "0.21", optional = true, features = ["dangerous_configuration"] }
-rustls-pemfile = { version = "1.0.0", optional = true }
+rustls-pemfile = { version = "1.0", optional = true }
 
 # websocket deps
-tokio-tungstenite = { version = "0.17", optional = true, default-features = false }
+tokio-tungstenite = { version = "0.19", optional = true, default-features = false, features = ["handshake"] }
 futures-util = { version = "0.3", default-features = false, features = ["async-await", "sink", "std"], optional = true }
 
 # systemd dep
-nix = { version = "0.24", optional = true, default-features = false, features = ["socket"]}
+nix = { version = "0.26", optional = true, default-features = false, features = ["socket"]}
 
 [features]
 default = ["c2s-incoming", "c2s-outgoing", "s2s-incoming", "s2s-outgoing", "tls", "quic", "websocket", "logging", "tls-ca-roots-native", "systemd"]
 
 # you must pick one of these or the other, not both: todo: enable picking both and choosing at runtime
 # don't need either of these if only doing c2s-incoming
-tls-ca-roots-native  = ["rustls-native-certs", "lazy_static", "tokio-rustls"] # this loads CA certs from your OS
+tls-ca-roots-native  = ["rustls-native-certs", "tokio-rustls", "webpki"] # this loads CA certs from your OS
-tls-ca-roots-bundled = ["webpki-roots"]                       # this bundles CA certs in the binary
+tls-ca-roots-bundled = ["webpki-roots", "webpki"]                        # this bundles CA certs in the binary
 
 # internal use only, ignore
-srv = ["tokio-rustls", "trust-dns-resolver", "lazy_static", "reqwest"]
+srv = ["tokio-rustls", "webpki", "trust-dns-resolver", "reqwest"]
 incoming = ["rustls-pemfile"]
 outgoing = ["srv"]
 c2s = []
@@ -93,7 +94,7 @@ s2s-incoming = ["incoming", "s2s"]
 s2s-outgoing = ["outgoing", "s2s"]
 
 # protocols you want to support todo: split out tls vs starttls ?
-tls = ["tokio-rustls", "rustls"]
+tls = ["tokio-rustls", "webpki", "rustls"]
 quic = ["quinn", "rustls"]
 websocket = ["tokio-tungstenite", "futures-util", "tls"] # websocket+incoming also enables incoming TLS support as it's free
 

check-all-features.sh

@@ -66,6 +66,12 @@ echo_cargo() {
   #cargo run "$@" -- -v
   echo cargo check "$@"
   cargo check "$@"
+  ret=$?
+  if [ $ret -ne 0 ]
+  then
+    echo "features failed: $@"
+  fi
+  return $ret
 }
 
 #all_features | sort -u | wc -l; exit 0
@@ -77,3 +83,5 @@ echo_cargo
 all_features | sort | xargs -n1 --max-procs=$threads bash -c 'echo_cargo --no-default-features --features "$@" || exit 255' _
 
 echo good!
+
+

src/common/ca_roots.rs

@@ -1,8 +1,21 @@
-#[cfg(feature = "tokio-rustls")]
+#[cfg(feature = "webpki")]
-use tokio_rustls::webpki::{TlsServerTrustAnchors, TrustAnchor};
+use webpki::{TlsServerTrustAnchors, TrustAnchor};
 
 #[cfg(all(feature = "webpki-roots", not(feature = "rustls-native-certs")))]
-pub use webpki_roots::TLS_SERVER_ROOTS;
+lazy_static::lazy_static! {
+    pub static ref TLS_SERVER_ROOTS: TlsServerTrustAnchors<'static> = {
+        let root_cert_store: &mut Box<Vec<_>> = Box::leak(Box::default());
+        for ta in webpki_roots::TLS_SERVER_ROOTS {
+            let ta = TrustAnchor {
+                subject: ta.subject,
+                spki: ta.spki,
+                name_constraints: ta.name_constraints,
+            };
+            root_cert_store.push(ta);
+        }
+        TlsServerTrustAnchors(root_cert_store)
+    };
+}
 
 #[cfg(all(feature = "rustls-native-certs", not(feature = "webpki-roots")))]
 lazy_static::lazy_static! {
@@ -23,7 +36,7 @@ lazy_static::lazy_static! {
 pub fn root_cert_store() -> rustls::RootCertStore {
     use rustls::{OwnedTrustAnchor, RootCertStore};
     let mut root_cert_store = RootCertStore::empty();
-    root_cert_store.add_server_trust_anchors(
+    root_cert_store.add_trust_anchors(
         TLS_SERVER_ROOTS
             .0
             .iter()

src/common/incoming.rs

@@ -62,7 +62,7 @@ impl ServerCerts {
 
     pub fn sni(&self) -> Option<String> {
         match self {
-            ServerCerts::Tls(c) => c.sni_hostname().map(|s| s.to_string()),
+            ServerCerts::Tls(c) => c.server_name().map(|s| s.to_string()),
             #[cfg(feature = "quic")]
             ServerCerts::Quic(c) => c.handshake_data().and_then(|v| v.downcast::<quinn::crypto::rustls::HandshakeData>().ok()).and_then(|h| h.server_name),
         }

src/quic/incoming.rs

@@ -12,7 +12,7 @@ use tokio::task::JoinHandle;
 
 pub fn spawn_quic_listener(udp_socket: UdpSocket, config: CloneableConfig, server_config: ServerConfig) -> JoinHandle<Result<()>> {
     let local_addr = udp_socket.local_addr().die("cannot get local_addr for quic socket");
-    let incoming = Endpoint::new(EndpointConfig::default(), Some(server_config), udp_socket, TokioRuntime).die("cannot listen on port/interface");
+    let incoming = Endpoint::new(EndpointConfig::default(), Some(server_config), udp_socket, Arc::new(TokioRuntime)).die("cannot listen on port/interface");
     tokio::spawn(async move {
         // when could this return None, do we quit?
         while let Some(incoming_conn) = incoming.accept().await {

src/srv.rs

@@ -22,7 +22,6 @@ use std::{
     net::{IpAddr, SocketAddr},
     sync::Arc,
 };
-use tokio_rustls::webpki::{DnsName, DnsNameRef};
 #[cfg(feature = "websocket")]
 use tokio_tungstenite::tungstenite::http::Uri;
 use trust_dns_resolver::{
@@ -30,6 +29,7 @@ use trust_dns_resolver::{
     lookup::{SrvLookup, TxtLookup},
     IntoName, TokioAsyncResolver,
 };
+use webpki::{DnsName, DnsNameRef};
 
 lazy_static::lazy_static! {
     static ref RESOLVER: TokioAsyncResolver = make_resolver();

src/verify.rs

@@ -7,10 +7,10 @@ use ring::digest::SHA256;
 use rustls::{
     client::{ServerCertVerified, ServerCertVerifier},
     server::{ClientCertVerified, ClientCertVerifier},
-    Certificate, DistinguishedNames, Error, ServerName,
+    Certificate, CertificateError, DistinguishedName, Error, ServerName,
 };
 use std::{convert::TryFrom, time::SystemTime};
-use tokio_rustls::{webpki, webpki::DnsName};
+use webpki::DnsName;
 
 type SignatureAlgorithms = &'static [&'static webpki::SignatureAlgorithm];
 
@@ -34,10 +34,9 @@ static SUPPORTED_SIG_ALGS: SignatureAlgorithms = &[
 pub fn pki_error(error: webpki::Error) -> Error {
     use webpki::Error::*;
     match error {
-        BadDer | BadDerTime => Error::InvalidCertificateEncoding,
+        BadDer | BadDerTime => Error::InvalidCertificate(CertificateError::BadEncoding),
-        InvalidSignatureForPublicKey => Error::InvalidCertificateSignature,
+        InvalidSignatureForPublicKey | UnsupportedSignatureAlgorithm | UnsupportedSignatureAlgorithmForPublicKey => Error::InvalidCertificate(CertificateError::BadSignature),
-        UnsupportedSignatureAlgorithm | UnsupportedSignatureAlgorithmForPublicKey => Error::InvalidCertificateSignatureType,
+        e => Error::General(format!("invalid peer certificate: {}", e)),
-        e => Error::InvalidCertificateData(format!("invalid peer certificate: {}", e)),
     }
 }
 
@@ -58,12 +57,12 @@ impl ClientCertVerifier for AllowAnonymousOrAnyCert {
         true
     }
 
-    fn client_auth_mandatory(&self) -> Option<bool> {
+    fn client_auth_mandatory(&self) -> bool {
-        Some(false)
+        false
     }
 
-    fn client_auth_root_subjects(&self) -> Option<DistinguishedNames> {
+    fn client_auth_root_subjects(&self) -> &[DistinguishedName] {
-        Some(Vec::new())
+        &[]
     }
 
     fn verify_client_cert(&self, _: &Certificate, _: &[Certificate], _: SystemTime) -> Result<ClientCertVerified, Error> {
@@ -125,12 +124,12 @@ impl XmppServerCertVerifier {
         let cert = verify_is_valid_tls_server_cert(end_entity, intermediates, now)?;
 
         for name in &self.names {
-            if cert.verify_is_valid_for_dns_name(name.as_ref()).is_ok() {
+            if cert.verify_is_valid_for_subject_name(webpki::SubjectNameRef::DnsName(name.as_ref())).is_ok() {
                 return Ok(ServerCertVerified::assertion());
             }
         }
 
-        Err(Error::InvalidCertificateData(format!("invalid peer certificate: all validation attempts failed: {:?}", end_entity)))
+        Err(Error::General(format!("invalid peer certificate: all validation attempts failed: {:?}", end_entity)))
     }
 }