Update rustls to 0.23.x (#311)

* ntex-tls: update rustls

* ntex-connect: update rustls to 0.23.x

* ntex: update rustls to 0.23.x

---------

Co-authored-by: Andrey Voronkov <andrey.voronkov@sbermarket.ru>
This commit is contained in:
Andrey Voronkov 2024-03-24 09:24:29 +03:00 committed by GitHub
parent b71cad76bf
commit 5414e2096a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
14 changed files with 114 additions and 137 deletions


@ -50,8 +50,8 @@ thiserror = "1.0"
tls-openssl = { version="0.10", package = "openssl", optional = true }
# rustls
tls-rustls = { version = "0.21", package = "rustls", optional = true }
webpki-roots = { version = "0.25", optional = true }
tls-rustls = { version = "0.23", package = "rustls", optional = true }
webpki-roots = { version = "0.26", optional = true }
[dev-dependencies]
rand = "0.8"


@ -1,7 +1,7 @@
use std::{fmt, io, sync::Arc};
pub use ntex_tls::rustls::TlsClientFilter;
pub use tls_rustls::{ClientConfig, ServerName};
pub use tls_rustls::{pki_types::ServerName, ClientConfig};
use ntex_bytes::PoolId;
use ntex_io::{Io, Layer};
@ -67,7 +67,7 @@ impl<T: Address> Connector<T> {
let tag = io.tag();
let config = self.config.clone();
let host = ServerName::try_from(host.as_str())
let host = ServerName::try_from(host)
.map_err(|e| io::Error::new(io::ErrorKind::Other, format!("{}", e)))?;
match TlsClientFilter::create(io, config, host.clone()).await {
@ -126,7 +126,7 @@ impl<T: Address> Service<Connect<T>> for Connector<T> {
#[cfg(test)]
mod tests {
use tls_rustls::{OwnedTrustAnchor, RootCertStore};
use tls_rustls::RootCertStore;
use super::*;
use ntex_util::future::lazy;
@ -137,16 +137,8 @@ mod tests {
ntex::service::fn_service(|_| async { Ok::<_, ()>(()) })
});
let mut cert_store = RootCertStore::empty();
cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
OwnedTrustAnchor::from_subject_spki_name_constraints(
ta.subject,
ta.spki,
ta.name_constraints,
)
}));
let cert_store = RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
let config = ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(cert_store)
.with_no_client_auth();
let _ = Connector::<&'static str>::new(config.clone()).clone();
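Review bot: `ClientConfig::builder()` at L67 now resolves a process-wide default `CryptoProvider` instead of the explicit `with_safe_defaults()` it replaces, and in rustls 0.23 that call panics at runtime if feature unification enables more than one provider (`aws_lc_rs`, `ring`) and nothing has called `CryptoProvider::install_default()` first. The Cargo.toml hunks keep rustls on default features, which in 0.23 selects `aws-lc-rs` rather than the `ring` backend 0.21 used, so downstream builds may now need a C/CMake toolchain unless the crate sets `default-features = false, features = ["ring", ...]`. The same implicit-provider builder appears in the connect.rs hunk (`let mut config = ClientConfig::builder()`), the ntex-tls example client, and every `ServerConfig::builder()` in the example server and test hunks; making the choice explicit with `ClientConfig::builder_with_provider(Arc::new(tls_rustls::crypto::ring::default_provider())).with_safe_default_protocol_versions()` (or one `install_default` at startup) avoids the feature-dependent panic. The enclosing test function starts outside the hunk.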


@ -1,6 +1,6 @@
[package]
name = "ntex-tls"
version = "1.0.0"
version = "1.1.0"
authors = ["ntex contributors <team@ntex.rs>"]
description = "An implementation of SSL streams for ntex backed by OpenSSL"
keywords = ["network", "framework", "async", "futures"]
@ -35,10 +35,10 @@ log = "0.4"
tls_openssl = { version = "0.10", package = "openssl", optional = true }
# rustls
tls_rust = { version = "0.21", package = "rustls", optional = true }
tls_rust = { version = "0.23", package = "rustls", optional = true }
[dev-dependencies]
ntex = { version = "1", features = ["openssl", "rustls", "tokio"] }
env_logger = "0.11"
rustls-pemfile = "1.0"
webpki-roots = "0.25"
rustls-pemfile = "2"
webpki-roots = "0.26"


@ -1,7 +1,7 @@
use std::io;
use ntex::{codec, connect, io::types::PeerAddr, util::Bytes, util::Either};
use tls_rust::{ClientConfig, OwnedTrustAnchor, RootCertStore};
use tls_rust::{ClientConfig, RootCertStore};
#[ntex::main]
async fn main() -> io::Result<()> {
@ -9,16 +9,8 @@ async fn main() -> io::Result<()> {
env_logger::init();
// rustls config
let mut cert_store = RootCertStore::empty();
cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
OwnedTrustAnchor::from_subject_spki_name_constraints(
ta.subject,
ta.spki,
ta.name_constraints,
)
}));
let cert_store = RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
let config = ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(cert_store)
.with_no_client_auth();


@ -3,8 +3,7 @@ use std::{fs::File, io, io::BufReader, sync::Arc};
use ntex::service::{chain_factory, fn_service};
use ntex::{codec, io::Io, server, util::Either};
use ntex_tls::rustls::TlsAcceptor;
use rustls_pemfile::{certs, rsa_private_keys};
use tls_rust::{Certificate, PrivateKey, ServerConfig};
use tls_rust::ServerConfig;
#[ntex::main]
async fn main() -> io::Result<()> {
@ -17,15 +16,10 @@ async fn main() -> io::Result<()> {
let cert_file =
&mut BufReader::new(File::open("../ntex-tls/examples/cert.pem").unwrap());
let key_file = &mut BufReader::new(File::open("../ntex-tls/examples/key.pem").unwrap());
let keys = PrivateKey(rsa_private_keys(key_file).unwrap().remove(0));
let cert_chain = certs(cert_file)
.unwrap()
.iter()
.map(|c| Certificate(c.to_vec()))
.collect();
let keys = rustls_pemfile::private_key(key_file).unwrap().unwrap();
let cert_chain = rustls_pemfile::certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
let tls_config = Arc::new(
ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(cert_chain, keys)
.unwrap(),
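Review bot: `rustls_pemfile::private_key(key_file).unwrap().unwrap()` at L143 panics with a bare "called `Option::unwrap()` on a `None` value" when key.pem holds no private key, and it also silently widens what is accepted — the old `rsa_private_keys` only took PKCS#1 keys, whereas `private_key` returns the first PKCS#1, PKCS#8 or SEC1 key it finds, which is fine for an example but should be a conscious choice. An `.expect("key.pem contains no private key")` on the inner `Option` gives a readable failure; the same double unwrap appears in the ntex test hunks (`let key = rustls_pemfile::private_key(key_file).unwrap().unwrap();` and the three `let keys = ...` lines in the web and http test files). The enclosing `main` starts and ends outside this hunk.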


@ -5,7 +5,7 @@ use std::{any, cell::RefCell, future::poll_fn, sync::Arc, task::Poll};
use ntex_bytes::BufMut;
use ntex_io::{types, Filter, FilterLayer, Io, Layer, ReadBuf, WriteBuf};
use ntex_util::ready;
use tls_rust::{ClientConfig, ClientConnection, ServerName};
use tls_rust::{pki_types::ServerName, ClientConfig, ClientConnection};
use super::{PeerCert, PeerCertChain, Wrapper};
@ -33,7 +33,7 @@ impl FilterLayer for TlsClientFilter {
types::HttpProtocol::Http1
};
Some(Box::new(proto))
} else if id == any::TypeId::of::<PeerCert>() {
} else if id == any::TypeId::of::<PeerCert<'_>>() {
if let Some(cert_chain) = self.session.borrow().peer_certificates() {
if let Some(cert) = cert_chain.first() {
Some(Box::new(PeerCert(cert.to_owned())))
@ -43,7 +43,7 @@ impl FilterLayer for TlsClientFilter {
} else {
None
}
} else if id == any::TypeId::of::<PeerCertChain>() {
} else if id == any::TypeId::of::<PeerCertChain<'_>>() {
if let Some(cert_chain) = self.session.borrow().peer_certificates() {
Some(Box::new(PeerCertChain(cert_chain.to_vec())))
} else {
@ -115,7 +115,7 @@ impl TlsClientFilter {
pub async fn create<F: Filter>(
io: Io<F>,
cfg: Arc<ClientConfig>,
domain: ServerName,
domain: ServerName<'static>,
) -> Result<Io<Layer<TlsClientFilter, F>>, io::Error> {
let session = ClientConnection::new(cfg, domain)
.map_err(|err| io::Error::new(io::ErrorKind::Other, err))?;
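Review bot: `any::TypeId::of::<PeerCert<'_>>()` at L166 and L175 appears to compile only because `TypeId::of` requires `T: 'static`, so the elided lifetime is inferred as `'static`; spelling it `PeerCert<'static>` makes that explicit and matches the `cert.to_owned()` stored in the box two lines later. The server.rs hunk has the same two comparisons and would benefit from the same spelling. `create` now takes `ServerName<'static>` (L184), so a caller holding a `ServerName<'_>` borrowed from a `&str` has to call `.to_owned()` first — worth a line in the doc comment of `create`, e.g. `/// `domain` must be owned (`ServerName<'static>`); convert a borrowed name with `.to_owned()`.`; the body of `create` continues outside the hunk.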


@ -2,7 +2,7 @@
use std::{cmp, io};
use ntex_io::WriteBuf;
use tls_rust::Certificate;
use tls_rust::pki_types::CertificateDer;
mod accept;
mod client;
@ -14,11 +14,11 @@ pub use self::server::TlsServerFilter;
/// Connection's peer cert
#[derive(Debug)]
pub struct PeerCert(pub Certificate);
pub struct PeerCert<'a>(pub CertificateDer<'a>);
/// Connection's peer cert chain
#[derive(Debug)]
pub struct PeerCertChain(pub Vec<Certificate>);
pub struct PeerCertChain<'a>(pub Vec<CertificateDer<'a>>);
pub(crate) struct Wrapper<'a, 'b>(&'a WriteBuf<'b>);
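Review bot: `PeerCert<'a>` and `PeerCertChain<'a>` at L202 and L206 are public types gaining a lifetime parameter, and together with the rustls 0.21 → 0.23 bump (whose types sit in these public signatures) this changes the crate's public API, yet the Cargo.toml hunk only moves ntex-tls from 1.0.0 to 1.1.0. A downstream crate naming `PeerCert` in a struct field, or matching on the old `tls_rust::Certificate`, will not compile against the new version, so a major bump or at least a changelog entry is warranted. The doc comments could also say what the lifetime means for users — both filters store `cert.to_owned()` / `cert_chain.to_vec()`, so the query returns owned data in practice: `/// Connection's peer certificate (DER). The TLS filters always store an owned copy, so the value obtained through `Io::query` is effectively `'static`.`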


@ -35,7 +35,7 @@ impl FilterLayer for TlsServerFilter {
types::HttpProtocol::Http1
};
Some(Box::new(proto))
} else if id == any::TypeId::of::<PeerCert>() {
} else if id == any::TypeId::of::<PeerCert<'_>>() {
if let Some(cert_chain) = self.session.borrow().peer_certificates() {
if let Some(cert) = cert_chain.first() {
Some(Box::new(PeerCert(cert.to_owned())))
@ -45,7 +45,7 @@ impl FilterLayer for TlsServerFilter {
} else {
None
}
} else if id == any::TypeId::of::<PeerCertChain>() {
} else if id == any::TypeId::of::<PeerCertChain<'_>>() {
if let Some(cert_chain) = self.session.borrow().peer_certificates() {
Some(Box::new(PeerCertChain(cert_chain.to_vec())))
} else {


@ -88,8 +88,8 @@ coo-kie = { version = "0.18", package = "cookie", optional = true }
tls-openssl = { version="0.10", package = "openssl", optional = true }
# rustls
tls-rustls = { version = "0.21", package = "rustls", optional = true }
webpki-roots = { version = "0.25", optional = true }
tls-rustls = { version = "0.23", package = "rustls", optional = true }
webpki-roots = { version = "0.26", optional = true }
# compression
brotli2 = { version="0.3.2", optional = true }
@ -101,6 +101,6 @@ rand = "0.8"
time = "0.3"
futures-util = "0.3"
tls-openssl = { version="0.10", package = "openssl" }
tls-rustls = { version = "0.21", package="rustls", features = ["dangerous_configuration"] }
rustls-pemfile = "1.0"
webpki-roots = "0.25"
tls-rustls = { version = "0.23", package="rustls" }
rustls-pemfile = "2"
webpki-roots = "0.26"


@ -81,19 +81,12 @@ impl Connector {
}
#[cfg(all(not(feature = "openssl"), feature = "rustls"))]
{
use tls_rustls::{OwnedTrustAnchor, RootCertStore};
use tls_rustls::RootCertStore;
let protos = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
let mut cert_store = RootCertStore::empty();
cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
OwnedTrustAnchor::from_subject_spki_name_constraints(
ta.subject,
ta.spki,
ta.name_constraints,
)
}));
let cert_store =
RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
let mut config = ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(cert_store)
.with_no_client_auth();
config.alpn_protocols = protos;


@ -26,21 +26,14 @@ use tls_rustls::ServerConfig;
#[cfg(feature = "rustls")]
fn tls_acceptor() -> Arc<ServerConfig> {
use rustls_pemfile::{certs, pkcs8_private_keys};
use std::fs::File;
use std::io::BufReader;
use tls_rustls::{Certificate, PrivateKey};
let cert_file = &mut BufReader::new(File::open("tests/cert.pem").unwrap());
let key_file = &mut BufReader::new(File::open("tests/key.pem").unwrap());
let cert_chain = certs(cert_file)
.unwrap()
.iter()
.map(|c| Certificate(c.to_vec()))
.collect();
let key = PrivateKey(pkcs8_private_keys(key_file).unwrap().remove(0));
let cert_chain = rustls_pemfile::certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
let key = rustls_pemfile::private_key(key_file).unwrap().unwrap();
let config = ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(cert_chain, key)
.unwrap();
@ -48,22 +41,43 @@ fn tls_acceptor() -> Arc<ServerConfig> {
}
mod danger {
use std::time::SystemTime;
use tls_rustls::{Certificate, ServerName};
use tls_rustls::pki_types::{CertificateDer, ServerName, UnixTime};
#[derive(Debug)]
pub struct NoCertificateVerification {}
impl tls_rustls::client::ServerCertVerifier for NoCertificateVerification {
impl tls_rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
fn verify_server_cert(
&self,
_end_entity: &Certificate,
_intermediates: &[Certificate],
_server_name: &ServerName,
_scts: &mut dyn Iterator<Item = &[u8]>,
_ocsp_response: &[u8],
_now: SystemTime,
) -> Result<tls_rustls::client::ServerCertVerified, tls_rustls::Error> {
Ok(tls_rustls::client::ServerCertVerified::assertion())
_end_entity: &CertificateDer<'_>,
_certs: &[CertificateDer<'_>],
_hostname: &ServerName<'_>,
_ocsp: &[u8],
_now: UnixTime,
) -> Result<tls_rustls::client::danger::ServerCertVerified, tls_rustls::Error> {
Ok(tls_rustls::client::danger::ServerCertVerified::assertion())
}
fn verify_tls12_signature(
&self,
_message: &[u8],
_cert: &CertificateDer<'_>,
_dss: &tls_rustls::DigitallySignedStruct,
) -> Result<tls_rustls::client::danger::HandshakeSignatureValid, tls_rustls::Error> {
Ok(tls_rustls::client::danger::HandshakeSignatureValid::assertion())
}
fn verify_tls13_signature(
&self,
_message: &[u8],
_cert: &CertificateDer<'_>,
_dss: &tls_rustls::DigitallySignedStruct,
) -> Result<tls_rustls::client::danger::HandshakeSignatureValid, tls_rustls::Error> {
Ok(tls_rustls::client::danger::HandshakeSignatureValid::assertion())
}
fn supported_verify_schemes(&self) -> Vec<tls_rustls::SignatureScheme> {
vec![]
}
}
}
@ -177,10 +191,9 @@ async fn test_openssl_read_before_error() {
async fn test_rustls_string() {
use ntex::{io::types::HttpProtocol, server::rustls};
use ntex_tls::{rustls::PeerCert, rustls::PeerCertChain};
use rustls_pemfile::certs;
use std::fs::File;
use std::io::BufReader;
use tls_rustls::{Certificate, ClientConfig};
use tls_rustls::ClientConfig;
let srv = test_server(|| {
chain_factory(
@ -207,7 +220,7 @@ async fn test_rustls_string() {
});
let config = ClientConfig::builder()
.with_safe_defaults()
.dangerous()
.with_custom_certificate_verifier(Arc::new(danger::NoCertificateVerification {}))
.with_no_client_auth();
@ -220,11 +233,7 @@ async fn test_rustls_string() {
HttpProtocol::Http1
);
let cert_file = &mut BufReader::new(File::open("tests/cert.pem").unwrap());
let cert_chain: Vec<Certificate> = certs(cert_file)
.unwrap()
.iter()
.map(|c| Certificate(c.to_vec()))
.collect();
let cert_chain = rustls_pemfile::certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
assert_eq!(
io.query::<PeerCert>().as_ref().unwrap().0,
*cert_chain.first().unwrap()
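Review bot: `supported_verify_schemes` at L345 returns `vec![]`, and the rustls client advertises that list verbatim in the ClientHello `signature_algorithms` extension, so a strict peer may abort the handshake with a no-common-signature-scheme error before this verifier is consulted; the same stub is in the second `danger` module of this commit (the hunk starting at `@ -35,22 +35,43 @@`). The custom-verifier examples shipped with rustls return the configured provider's list instead, e.g. `tls_rustls::crypto::CryptoProvider::get_default().unwrap().signature_verification_algorithms.supported_schemes()`, which keeps the test-only verifier a no-op without changing what the client offers. If the tests are observed to pass as written, that dependence on how rustls treats an empty list deserves a comment on the impl, and `NoCertificateVerification` itself deserves a doc line such as `/// Test-only verifier that accepts any server certificate and signature; never use outside tests.` The `danger` module is the second hunk of this section and the section's first hunk (`tls_acceptor`) begins outside the shown lines.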


@ -35,22 +35,43 @@ fn ssl_acceptor() -> SslAcceptor {
}
mod danger {
use std::time::SystemTime;
use tls_rustls::{Certificate, ServerName};
use tls_rustls::pki_types::{CertificateDer, ServerName, UnixTime};
#[derive(Debug)]
pub struct NoCertificateVerification {}
impl tls_rustls::client::ServerCertVerifier for NoCertificateVerification {
impl tls_rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
fn verify_server_cert(
&self,
_end_entity: &Certificate,
_intermediates: &[Certificate],
_server_name: &ServerName,
_scts: &mut dyn Iterator<Item = &[u8]>,
_ocsp_response: &[u8],
_now: SystemTime,
) -> Result<tls_rustls::client::ServerCertVerified, tls_rustls::Error> {
Ok(tls_rustls::client::ServerCertVerified::assertion())
_end_entity: &CertificateDer<'_>,
_certs: &[CertificateDer<'_>],
_hostname: &ServerName<'_>,
_ocsp: &[u8],
_now: UnixTime,
) -> Result<tls_rustls::client::danger::ServerCertVerified, tls_rustls::Error> {
Ok(tls_rustls::client::danger::ServerCertVerified::assertion())
}
fn verify_tls12_signature(
&self,
_message: &[u8],
_cert: &CertificateDer<'_>,
_dss: &tls_rustls::DigitallySignedStruct,
) -> Result<tls_rustls::client::danger::HandshakeSignatureValid, tls_rustls::Error> {
Ok(tls_rustls::client::danger::HandshakeSignatureValid::assertion())
}
fn verify_tls13_signature(
&self,
_message: &[u8],
_cert: &CertificateDer<'_>,
_dss: &tls_rustls::DigitallySignedStruct,
) -> Result<tls_rustls::client::danger::HandshakeSignatureValid, tls_rustls::Error> {
Ok(tls_rustls::client::danger::HandshakeSignatureValid::assertion())
}
fn supported_verify_schemes(&self) -> Vec<tls_rustls::SignatureScheme> {
vec![]
}
}
}
@ -81,7 +102,7 @@ async fn test_connection_reuse_h2() {
// disable ssl verification
let mut config = ClientConfig::builder()
.with_safe_defaults()
.dangerous()
.with_custom_certificate_verifier(Arc::new(danger::NoCertificateVerification {}))
.with_no_client_auth();
let protos = vec![b"h2".to_vec(), b"http/1.1".to_vec()];


@ -147,8 +147,7 @@ async fn test_rustls() {
use std::{fs::File, io::BufReader};
use ntex::web::HttpRequest;
use rustls_pemfile::{certs, pkcs8_private_keys};
use tls_rustls::{Certificate, PrivateKey, ServerConfig as RustlsServerConfig};
use tls_rustls::ServerConfig as RustlsServerConfig;
let addr = TestServer::unused_addr();
let (tx, rx) = mpsc::channel();
@ -159,14 +158,9 @@ async fn test_rustls() {
// load ssl keys
let cert_file = &mut BufReader::new(File::open("./tests/cert.pem").unwrap());
let key_file = &mut BufReader::new(File::open("./tests/key.pem").unwrap());
let cert_chain = certs(cert_file)
.unwrap()
.iter()
.map(|c| Certificate(c.to_vec()))
.collect();
let keys = PrivateKey(pkcs8_private_keys(key_file).unwrap().remove(0));
let keys = rustls_pemfile::private_key(key_file).unwrap().unwrap();
let cert_chain = rustls_pemfile::certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
let config = RustlsServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(cert_chain, keys)
.unwrap();


@ -844,8 +844,7 @@ async fn test_brotli_encoding_large_openssl_h2() {
async fn test_reading_deflate_encoding_large_random_rustls() {
use std::{fs::File, io::BufReader};
use rustls_pemfile::{certs, pkcs8_private_keys};
use tls_rustls::{Certificate, PrivateKey, ServerConfig};
use tls_rustls::ServerConfig;
let data = rand::thread_rng()
.sample_iter(&Alphanumeric)
@ -856,14 +855,9 @@ async fn test_reading_deflate_encoding_large_random_rustls() {
// load ssl keys
let cert_file = &mut BufReader::new(File::open("tests/cert.pem").unwrap());
let key_file = &mut BufReader::new(File::open("tests/key.pem").unwrap());
let cert_chain = certs(cert_file)
.unwrap()
.iter()
.map(|c| Certificate(c.to_vec()))
.collect();
let keys = PrivateKey(pkcs8_private_keys(key_file).unwrap().remove(0));
let cert_chain = rustls_pemfile::certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
let keys = rustls_pemfile::private_key(key_file).unwrap().unwrap();
let config = ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(cert_chain, keys)
.unwrap();
@ -900,10 +894,9 @@ async fn test_reading_deflate_encoding_large_random_rustls() {
#[cfg(all(feature = "rustls", feature = "openssl"))]
#[ntex::test]
async fn test_reading_deflate_encoding_large_random_rustls_h1() {
use rustls_pemfile::{certs, pkcs8_private_keys};
use std::fs::File;
use std::io::BufReader;
use tls_rustls::{Certificate, PrivateKey, ServerConfig};
use tls_rustls::ServerConfig;
let data = rand::thread_rng()
.sample_iter(&Alphanumeric)
@ -914,14 +907,9 @@ async fn test_reading_deflate_encoding_large_random_rustls_h1() {
// load ssl keys
let cert_file = &mut BufReader::new(File::open("tests/cert.pem").unwrap());
let key_file = &mut BufReader::new(File::open("tests/key.pem").unwrap());
let cert_chain = certs(cert_file)
.unwrap()
.iter()
.map(|c| Certificate(c.to_vec()))
.collect();
let keys = PrivateKey(pkcs8_private_keys(key_file).unwrap().remove(0));
let cert_chain = rustls_pemfile::certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
let keys = rustls_pemfile::private_key(key_file).unwrap().unwrap();
let config = ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(cert_chain, keys)
.unwrap();
@ -960,8 +948,7 @@ async fn test_reading_deflate_encoding_large_random_rustls_h1() {
async fn test_reading_deflate_encoding_large_random_rustls_h2() {
use std::{fs::File, io::BufReader};
use rustls_pemfile::{certs, pkcs8_private_keys};
use tls_rustls::{Certificate, PrivateKey, ServerConfig};
use tls_rustls::ServerConfig;
let data = rand::thread_rng()
.sample_iter(&Alphanumeric)
@ -972,14 +959,9 @@ async fn test_reading_deflate_encoding_large_random_rustls_h2() {
// load ssl keys
let cert_file = &mut BufReader::new(File::open("tests/cert.pem").unwrap());
let key_file = &mut BufReader::new(File::open("tests/key.pem").unwrap());
let cert_chain = certs(cert_file)
.unwrap()
.iter()
.map(|c| Certificate(c.to_vec()))
.collect();
let keys = PrivateKey(pkcs8_private_keys(key_file).unwrap().remove(0));
let cert_chain = rustls_pemfile::certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
let keys = rustls_pemfile::private_key(key_file).unwrap().unwrap();
let config = ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(cert_chain, keys)
.unwrap();