Upgrade deps

This commit is contained in:
Travis Burtrum 2023-08-16 22:30:32 -04:00
parent 051b7bebf6
commit a02ad734b7
8 changed files with 665 additions and 578 deletions

1152
Cargo.lock generated



@ -26,7 +26,7 @@ include = [
]
[dependencies]
toml = "0.5"
toml = "0.7"
serde_derive = "1.0"
serde = { version = "1.0", features = ["derive"] }
futures = "0.3"
@ -35,51 +35,52 @@ anyhow = "1.0"
tokio = { version = "1.9", features = ["net", "rt", "rt-multi-thread", "macros", "io-util", "signal"] }
ring = "0.16"
data-encoding = "2.3"
async-trait = "0.1.64"
async-trait = "0.1"
# logging deps
log = "0.4"
rand = { version = "0.8", optional = true, features = [] }
env_logger = { version = "0.9", optional = true, features = [] }
env_logger = { version = "0.10", optional = true, features = [] }
# incoming deps
tokio-rustls = { version = "0.23", optional = true }
tokio-rustls = { version = "0.24", optional = true }
webpki = { package = "rustls-webpki", version = "0.100", optional = true }
# outgoing deps
lazy_static = { version = "1.4", optional = true }
trust-dns-resolver = { version = "0.21", optional = true }
lazy_static = "1.4"
trust-dns-resolver = { version = "0.22", optional = true }
# todo: feature+code for dns-over-rustls
#trust-dns-resolver = { version = "0.21", features = ["dns-over-rustls"], optional = true }
webpki-roots = { version = "0.22", optional = true }
webpki-roots = { version = "0.25", optional = true }
rustls-native-certs = { version = "0.6", optional = true }
# todo: feed reqwest the roots we already have
reqwest = { version = "0.11", optional = true, default-features = false, features = ["rustls-tls-native-roots", "json", "gzip", "trust-dns"] }
# quic deps
quinn = { version = "0.9", optional = true }
quinn = { version = "0.10", optional = true }
# shared deps needed by quic and incoming
rustls = { version = "0.20.2", optional = true }
rustls-pemfile = { version = "1.0.0", optional = true }
rustls = { version = "0.21", optional = true, features = ["dangerous_configuration"] }
rustls-pemfile = { version = "1.0", optional = true }
# websocket deps
tokio-tungstenite = { version = "0.17", optional = true, default-features = false }
tokio-tungstenite = { version = "0.19", optional = true, default-features = false, features = ["handshake"] }
futures-util = { version = "0.3", default-features = false, features = ["async-await", "sink", "std"], optional = true }
# systemd dep
nix = { version = "0.24", optional = true, default-features = false, features = ["socket"]}
nix = { version = "0.26", optional = true, default-features = false, features = ["socket"]}
[features]
default = ["c2s-incoming", "c2s-outgoing", "s2s-incoming", "s2s-outgoing", "tls", "quic", "websocket", "logging", "tls-ca-roots-native", "systemd"]
# you must pick one of these or the other, not both: todo: enable picking both and choosing at runtime
# don't need either of these if only doing c2s-incoming
tls-ca-roots-native = ["rustls-native-certs", "lazy_static", "tokio-rustls"] # this loads CA certs from your OS
tls-ca-roots-bundled = ["webpki-roots"] # this bundles CA certs in the binary
tls-ca-roots-native = ["rustls-native-certs", "tokio-rustls", "webpki"] # this loads CA certs from your OS
tls-ca-roots-bundled = ["webpki-roots", "webpki"] # this bundles CA certs in the binary
# internal use only, ignore
srv = ["tokio-rustls", "trust-dns-resolver", "lazy_static", "reqwest"]
srv = ["tokio-rustls", "webpki", "trust-dns-resolver", "reqwest"]
incoming = ["rustls-pemfile"]
outgoing = ["srv"]
c2s = []
@ -93,7 +94,7 @@ s2s-incoming = ["incoming", "s2s"]
s2s-outgoing = ["outgoing", "s2s"]
# protocols you want to support todo: split out tls vs starttls ?
tls = ["tokio-rustls", "rustls"]
tls = ["tokio-rustls", "webpki", "rustls"]
quic = ["quinn", "rustls"]
websocket = ["tokio-tungstenite", "futures-util", "tls"] # websocket+incoming also enables incoming TLS support as it's free
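Review bot: The new `rustls = { version = "0.21", optional = true, features = ["dangerous_configuration"] }` line enables a feature whose name signals a weakened configuration, with no comment saying why it is needed. As far as the rest of the commit shows, it is presumably required so the crate's own `ServerCertVerifier` implementation can be installed on the client config, not to relax TLS defaults, and a reader of the manifest cannot tell that. Suggest a comment above the line: `# dangerous_configuration: needed to install the custom ServerCertVerifier/ClientCertVerifier from verify.rs; it does not change TLS defaults`. Also worth a short comment on why `lazy_static` stopped being optional, since the features that used to pull it in (`tls-ca-roots-native`, `srv`) no longer list it.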


@ -66,6 +66,12 @@ echo_cargo() {
#cargo run "$@" -- -v
echo cargo check "$@"
cargo check "$@"
ret=$?
if [ $ret -ne 0 ]
then
echo "features failed: $@"
fi
return $ret
}
#all_features | sort -u | wc -l; exit 0
@ -77,3 +83,5 @@ echo_cargo
all_features | sort | xargs -n1 --max-procs=$threads bash -c 'echo_cargo --no-default-features --features "$@" || exit 255' _
echo good!
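Review bot: `echo "features failed: $@"` in `echo_cargo` uses `$@` inside a double-quoted string, where `$*` is the form that means "all arguments joined" (shellcheck SC2145), and the failure message goes to stdout, where it is interleaved with the parallel `cargo check` output driven by `xargs --max-procs`. Suggest `echo "features failed: $*" >&2` so the failing feature set stands out on stderr. The start of `echo_cargo` is outside the hunk.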


@ -1,8 +1,21 @@
#[cfg(feature = "tokio-rustls")]
use tokio_rustls::webpki::{TlsServerTrustAnchors, TrustAnchor};
#[cfg(feature = "webpki")]
use webpki::{TlsServerTrustAnchors, TrustAnchor};
#[cfg(all(feature = "webpki-roots", not(feature = "rustls-native-certs")))]
pub use webpki_roots::TLS_SERVER_ROOTS;
lazy_static::lazy_static! {
pub static ref TLS_SERVER_ROOTS: TlsServerTrustAnchors<'static> = {
let root_cert_store: &mut Box<Vec<_>> = Box::leak(Box::default());
for ta in webpki_roots::TLS_SERVER_ROOTS {
let ta = TrustAnchor {
subject: ta.subject,
spki: ta.spki,
name_constraints: ta.name_constraints,
};
root_cert_store.push(ta);
}
TlsServerTrustAnchors(root_cert_store)
};
}
#[cfg(all(feature = "rustls-native-certs", not(feature = "webpki-roots")))]
lazy_static::lazy_static! {
@ -23,7 +36,7 @@ lazy_static::lazy_static! {
pub fn root_cert_store() -> rustls::RootCertStore {
use rustls::{OwnedTrustAnchor, RootCertStore};
let mut root_cert_store = RootCertStore::empty();
root_cert_store.add_server_trust_anchors(
root_cert_store.add_trust_anchors(
TLS_SERVER_ROOTS
.0
.iter()
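Review bot: The new `TLS_SERVER_ROOTS` initializer leaks a `Box<Box<Vec<_>>>` (`Box::leak(Box::default())` typed as `&mut Box<Vec<_>>`) and then pushes in a loop, when a single leaked boxed slice built with `collect()` gives the same `'static` borrow with one allocation less and no double indirection. The field-by-field copy also deserves a comment, since it is presumably there because the `webpki_roots` anchors are a different `TrustAnchor` type from the rustls-webpki one; without that a maintainer will try to "simplify" it into a direct reuse. The second hunk's `add_trust_anchors` rename is fine.
```rust
pub static ref TLS_SERVER_ROOTS: TlsServerTrustAnchors<'static> = {
    // webpki_roots ships its own TrustAnchor type, so each entry is converted to the
    // rustls-webpki TrustAnchor; the Vec is leaked once, on first access, to obtain
    // the 'static borrow TlsServerTrustAnchors requires.
    let anchors: Vec<TrustAnchor<'static>> = webpki_roots::TLS_SERVER_ROOTS
        .iter()
        .map(|ta| TrustAnchor {
            subject: ta.subject,
            spki: ta.spki,
            name_constraints: ta.name_constraints,
        })
        .collect();
    TlsServerTrustAnchors(Box::leak(anchors.into_boxed_slice()))
};
```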


@ -62,7 +62,7 @@ impl ServerCerts {
pub fn sni(&self) -> Option<String> {
match self {
ServerCerts::Tls(c) => c.sni_hostname().map(|s| s.to_string()),
ServerCerts::Tls(c) => c.server_name().map(|s| s.to_string()),
#[cfg(feature = "quic")]
ServerCerts::Quic(c) => c.handshake_data().and_then(|v| v.downcast::<quinn::crypto::rustls::HandshakeData>().ok()).and_then(|h| h.server_name),
}


@ -12,7 +12,7 @@ use tokio::task::JoinHandle;
pub fn spawn_quic_listener(udp_socket: UdpSocket, config: CloneableConfig, server_config: ServerConfig) -> JoinHandle<Result<()>> {
let local_addr = udp_socket.local_addr().die("cannot get local_addr for quic socket");
let incoming = Endpoint::new(EndpointConfig::default(), Some(server_config), udp_socket, TokioRuntime).die("cannot listen on port/interface");
let incoming = Endpoint::new(EndpointConfig::default(), Some(server_config), udp_socket, Arc::new(TokioRuntime)).die("cannot listen on port/interface");
tokio::spawn(async move {
// when could this return None, do we quit?
while let Some(incoming_conn) = incoming.accept().await {


@ -22,7 +22,6 @@ use std::{
net::{IpAddr, SocketAddr},
sync::Arc,
};
use tokio_rustls::webpki::{DnsName, DnsNameRef};
#[cfg(feature = "websocket")]
use tokio_tungstenite::tungstenite::http::Uri;
use trust_dns_resolver::{
@ -30,6 +29,7 @@ use trust_dns_resolver::{
lookup::{SrvLookup, TxtLookup},
IntoName, TokioAsyncResolver,
};
use webpki::{DnsName, DnsNameRef};
lazy_static::lazy_static! {
static ref RESOLVER: TokioAsyncResolver = make_resolver();


@ -7,10 +7,10 @@ use ring::digest::SHA256;
use rustls::{
client::{ServerCertVerified, ServerCertVerifier},
server::{ClientCertVerified, ClientCertVerifier},
Certificate, DistinguishedNames, Error, ServerName,
Certificate, CertificateError, DistinguishedName, Error, ServerName,
};
use std::{convert::TryFrom, time::SystemTime};
use tokio_rustls::{webpki, webpki::DnsName};
use webpki::DnsName;
type SignatureAlgorithms = &'static [&'static webpki::SignatureAlgorithm];
@ -34,10 +34,9 @@ static SUPPORTED_SIG_ALGS: SignatureAlgorithms = &[
pub fn pki_error(error: webpki::Error) -> Error {
use webpki::Error::*;
match error {
BadDer | BadDerTime => Error::InvalidCertificateEncoding,
InvalidSignatureForPublicKey => Error::InvalidCertificateSignature,
UnsupportedSignatureAlgorithm | UnsupportedSignatureAlgorithmForPublicKey => Error::InvalidCertificateSignatureType,
e => Error::InvalidCertificateData(format!("invalid peer certificate: {}", e)),
BadDer | BadDerTime => Error::InvalidCertificate(CertificateError::BadEncoding),
InvalidSignatureForPublicKey | UnsupportedSignatureAlgorithm | UnsupportedSignatureAlgorithmForPublicKey => Error::InvalidCertificate(CertificateError::BadSignature),
e => Error::General(format!("invalid peer certificate: {}", e)),
}
}
@ -58,12 +57,12 @@ impl ClientCertVerifier for AllowAnonymousOrAnyCert {
true
}
fn client_auth_mandatory(&self) -> Option<bool> {
Some(false)
fn client_auth_mandatory(&self) -> bool {
false
}
fn client_auth_root_subjects(&self) -> Option<DistinguishedNames> {
Some(Vec::new())
fn client_auth_root_subjects(&self) -> &[DistinguishedName] {
&[]
}
fn verify_client_cert(&self, _: &Certificate, _: &[Certificate], _: SystemTime) -> Result<ClientCertVerified, Error> {
@ -125,12 +124,12 @@ impl XmppServerCertVerifier {
let cert = verify_is_valid_tls_server_cert(end_entity, intermediates, now)?;
for name in &self.names {
if cert.verify_is_valid_for_dns_name(name.as_ref()).is_ok() {
if cert.verify_is_valid_for_subject_name(webpki::SubjectNameRef::DnsName(name.as_ref())).is_ok() {
return Ok(ServerCertVerified::assertion());
}
}
Err(Error::InvalidCertificateData(format!("invalid peer certificate: all validation attempts failed: {:?}", end_entity)))
Err(Error::General(format!("invalid peer certificate: all validation attempts failed: {:?}", end_entity)))
}
}
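Review bot: The rewritten `pki_error` match (second hunk) sends expiry, not-yet-valid, unknown-issuer and name-mismatch failures from webpki through the `e => Error::General(...)` catch-all, although rustls 0.21's `CertificateError` has `Expired`, `NotValidYet`, `UnknownIssuer` and `NotValidForName` for exactly those cases; it also folds the two unsupported-algorithm errors into `BadSignature`, a distinction the old code kept. An `Error::General` no longer classifies the failure as a certificate problem, which, if I read rustls correctly, changes the fatal alert chosen for the peer and makes the real cause harder to tell apart in logs. The same applies to the last hunk, where the "all validation attempts failed" error after the name loop reads as `Error::InvalidCertificate(CertificateError::NotValidForName)` rather than `Error::General` (the surrounding function starts outside the hunk, so I cannot see whether the debug dump of `end_entity` is relied on elsewhere). Suggested mapping:
```rust
pub fn pki_error(error: webpki::Error) -> Error {
    use webpki::Error::*;
    match error {
        BadDer | BadDerTime => Error::InvalidCertificate(CertificateError::BadEncoding),
        CertExpired => Error::InvalidCertificate(CertificateError::Expired),
        CertNotValidYet => Error::InvalidCertificate(CertificateError::NotValidYet),
        UnknownIssuer => Error::InvalidCertificate(CertificateError::UnknownIssuer),
        CertNotValidForName => Error::InvalidCertificate(CertificateError::NotValidForName),
        InvalidSignatureForPublicKey | UnsupportedSignatureAlgorithm | UnsupportedSignatureAlgorithmForPublicKey => Error::InvalidCertificate(CertificateError::BadSignature),
        // remaining webpki errors have no CertificateError counterpart in rustls 0.21
        e => Error::General(format!("invalid peer certificate: {}", e)),
    }
}
```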