From 1bfb16386cdf659db8ab2b0cdf27ce71c7e5612b Mon Sep 17 00:00:00 2001 From: Tamo Date: Wed, 17 Jul 2024 14:27:29 +0200 Subject: [PATCH] Update rustls as much as possible --- Cargo.lock | 92 ++++++++------------------------------- meilisearch/Cargo.toml | 9 ++-- meilisearch/src/main.rs | 2 +- meilisearch/src/option.rs | 53 +++++++++++----------- 4 files changed, 52 insertions(+), 104 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 7cdf80b8d..208943723 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -149,11 +149,11 @@ dependencies = [ "futures-core", "impl-more", "pin-project-lite", + "rustls-pki-types", "tokio", - "tokio-rustls 0.24.1", + "tokio-rustls", "tokio-util", "tracing", - "webpki-roots 0.25.3", ] [[package]] @@ -2461,12 +2461,12 @@ dependencies = [ "http 1.1.0", "hyper", "hyper-util", - "rustls 0.23.11", + "rustls", "rustls-pki-types", "tokio", - "tokio-rustls 0.26.0", + "tokio-rustls", "tower-service", - "webpki-roots 0.26.1", + "webpki-roots", ] [[package]] @@ -3395,8 +3395,9 @@ dependencies = [ "regex", "reqwest", "roaring", - "rustls 0.21.12", - "rustls-pemfile 1.0.4", + "rustls", + "rustls-pemfile", + "rustls-pki-types", "segment", "serde", "serde_json", @@ -4272,7 +4273,7 @@ dependencies = [ "quinn-proto", "quinn-udp", "rustc-hash", - "rustls 0.23.11", + "rustls", "thiserror", "tokio", "tracing", @@ -4288,7 +4289,7 @@ dependencies = [ "rand", "ring", "rustc-hash", - "rustls 0.23.11", + "rustls", "slab", "thiserror", "tinyvec", @@ -4516,15 +4517,15 @@ dependencies = [ "percent-encoding", "pin-project-lite", "quinn", - "rustls 0.23.11", - "rustls-pemfile 2.1.2", + "rustls", + "rustls-pemfile", "rustls-pki-types", "serde", "serde_json", "serde_urlencoded", "sync_wrapper", "tokio", - "tokio-rustls 0.26.0", + "tokio-rustls", "tokio-util", "tower-service", "url", @@ -4532,7 +4533,7 @@ dependencies = [ "wasm-bindgen-futures", "wasm-streams", "web-sys", - "webpki-roots 0.26.1", + "webpki-roots", "winreg", ] 
@@ -4682,18 +4683,6 @@ dependencies = [ "windows-sys 0.52.0", ] -[[package]] -name = "rustls" -version = "0.21.12" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e" -dependencies = [ - "log", - "ring", - "rustls-webpki 0.101.7", - "sct", -] - [[package]] name = "rustls" version = "0.23.11" @@ -4704,20 +4693,11 @@ dependencies = [ "once_cell", "ring", "rustls-pki-types", - "rustls-webpki 0.102.5", + "rustls-webpki", "subtle", "zeroize", ] -[[package]] -name = "rustls-pemfile" -version = "1.0.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c" -dependencies = [ - "base64 0.21.7", -] - [[package]] name = "rustls-pemfile" version = "2.1.2" @@ -4734,16 +4714,6 @@ version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d" -[[package]] -name = "rustls-webpki" -version = "0.101.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "rustls-webpki" version = "0.102.5" @@ -4792,16 +4762,6 @@ version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" -[[package]] -name = "sct" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "seahash" version = "4.1.0" 
@@ -5482,23 +5442,13 @@ dependencies = [ "syn 2.0.60", ] -[[package]] -name = "tokio-rustls" -version = "0.24.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" -dependencies = [ - "rustls 0.21.12", - "tokio", -] - [[package]] name = "tokio-rustls" version = "0.26.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4" dependencies = [ - "rustls 0.23.11", + "rustls", "rustls-pki-types", "tokio", ] @@ -5804,13 +5754,13 @@ dependencies = [ "flate2", "log", "once_cell", - "rustls 0.23.11", + "rustls", "rustls-pki-types", "serde", "serde_json", "socks", "url", - "webpki-roots 0.26.1", + "webpki-roots", ] [[package]] @@ -6035,12 +5985,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "webpki-roots" -version = "0.25.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10" - [[package]] name = "webpki-roots" version = "0.26.1" diff --git a/meilisearch/Cargo.toml b/meilisearch/Cargo.toml index 97a10d3d9..7db47f7ad 100644 --- a/meilisearch/Cargo.toml +++ b/meilisearch/Cargo.toml @@ -17,7 +17,7 @@ actix-cors = "0.7.0" actix-http = { version = "3.8.0", default-features = false, features = [ "compress-brotli", "compress-gzip", - "rustls-0_21", + "rustls-0_23", ] } actix-utils = "3.0.1" actix-web = { version = "4.8.0", default-features = false, features = [ @@ -25,7 +25,7 @@ actix-web = { version = "4.8.0", default-features = false, features = [ "compress-brotli", "compress-gzip", "cookies", - "rustls-0_21", + "rustls-0_23", ] } anyhow = { version = "1.0.86", features = ["backtrace"] } async-trait = "0.1.81" 
@@ -72,8 +72,9 @@ reqwest = { version = "0.12.5", features = [
 "rustls-tls",
 "json",
 ], default-features = false }
-rustls = "0.21.12"
-rustls-pemfile = "1.0.4"
+rustls = { version = "0.23.11", features = ["ring"], default-features = false }
+rustls-pki-types = { version = "1.7.0", features = ["alloc"] }
+rustls-pemfile = "2.1.2"
 segment = { version = "0.2.4", optional = true }
 serde = { version = "1.0.204", features = ["derive"] }
 serde_json = { version = "1.0.120", features = ["preserve_order"] }
diff --git a/meilisearch/src/main.rs b/meilisearch/src/main.rs
index af02f58e1..e881734fb 100644
--- a/meilisearch/src/main.rs
+++ b/meilisearch/src/main.rs
@@ -151,7 +151,7 @@ async fn run_http(
 .keep_alive(KeepAlive::Os);
 if let Some(config) = opt_clone.get_ssl_config()? {
- http_server.bind_rustls_021(opt_clone.http_addr, config)?.run().await?;
+ http_server.bind_rustls_0_23(opt_clone.http_addr, config)?.run().await?;
 } else {
 http_server.bind(&opt_clone.http_addr)?.run().await?;
 }
diff --git a/meilisearch/src/option.rs b/meilisearch/src/option.rs
index af4da1113..d1cd69c58 100644
--- a/meilisearch/src/option.rs
+++ b/meilisearch/src/option.rs
@@ -14,11 +14,9 @@ use clap::Parser;
 use meilisearch_types::features::InstanceTogglableFeatures;
 use meilisearch_types::milli::update::IndexerConfig;
 use meilisearch_types::milli::ThreadPoolNoAbortBuilder;
-use rustls::server::{
- AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, ServerSessionMemoryCache,
-};
+use rustls::server::{ServerSessionMemoryCache, WebPkiClientVerifier};
 use rustls::RootCertStore;
-use rustls_pemfile::{certs, pkcs8_private_keys, rsa_private_keys};
+use rustls_pemfile::{certs, rsa_private_keys};
 use serde::{Deserialize, Serialize};
 use sysinfo::{MemoryRefreshKind, RefreshKind, System};
 use url::Url;
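Review bot: `rustls = { version = "0.23.11", features = ["ring"], default-features = false }` turns off every rustls default feature, not only the `aws_lc_rs` provider it is meant to avoid; as far as I recall `std`, `tls12` and `logging` are also defaults in 0.23, and this manifest no longer requests any of them. The build presumably compiles only because other crates in the lockfile (tokio-rustls, reqwest, ureq) unify those features back in, so TLS 1.2 support and rustls logging for this server now depend on other crates' feature choices rather than on this line. Naming them here, `rustls = { version = "0.23.11", features = ["ring", "std", "tls12", "logging"], default-features = false }`, keeps the behaviour the previous `rustls = "0.21.12"` default feature set provided.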
@@ -569,23 +567,21 @@ impl Opt {
 pub fn get_ssl_config(&self) -> anyhow::Result> {
 if let (Some(cert_path), Some(key_path)) = (&self.ssl_cert_path, &self.ssl_key_path) {
- let config = rustls::ServerConfig::builder().with_safe_defaults();
+ let config = rustls::ServerConfig::builder();
 let config = match &self.ssl_auth_path {
 Some(auth_path) => {
 let roots = load_certs(auth_path.to_path_buf())?;
 let mut client_auth_roots = RootCertStore::empty();
 for root in roots {
- client_auth_roots.add(&root).unwrap();
+ client_auth_roots.add(root).unwrap();
 }
- if self.ssl_require_auth {
- let verifier = AllowAnyAuthenticatedClient::new(client_auth_roots);
- config.with_client_cert_verifier(Arc::from(verifier))
- } else {
- let verifier =
- AllowAnyAnonymousOrAuthenticatedClient::new(client_auth_roots);
- config.with_client_cert_verifier(Arc::from(verifier))
+ let mut client_verifier =
+ WebPkiClientVerifier::builder(client_auth_roots.into());
+ if !self.ssl_require_auth {
+ client_verifier = client_verifier.allow_unauthenticated();
 }
+ config.with_client_cert_verifier(client_verifier.build()?)
 }
 None => config.with_no_client_auth(),
 };
@@ -594,7 +590,7 @@ impl Opt {
 let privkey = load_private_key(key_path.to_path_buf())?;
 let ocsp = load_ocsp(&self.ssl_ocsp_path)?;
 let mut config = config
- .with_single_cert_with_ocsp_and_sct(certs, privkey, ocsp, vec![])
+ .with_single_cert_with_ocsp(certs, privkey, ocsp)
 .map_err(|_| anyhow::anyhow!("bad certificates/private key"))?;
 config.key_log = Arc::new(rustls::KeyLogFile::new());
@@ -604,7 +600,7 @@ impl Opt {
 }
 if self.ssl_tickets {
- config.ticketer = rustls::Ticketer::new().unwrap();
+ config.ticketer = rustls::crypto::ring::Ticketer::new().unwrap();
 }
 Ok(Some(config))
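Review bot: `let config = rustls::ServerConfig::builder();` on the new side resolves the crypto provider from crate features, and rustls 0.23 panics at this call when more than one provider feature ends up enabled (the manifest requests `ring` only, but `aws_lc_rs` is rustls's default and can be pulled in by feature unification from another dependency), so a dependency bump elsewhere would turn into a startup abort rather than an error from `get_ssl_config`. Choosing the provider explicitly, `rustls::ServerConfig::builder_with_provider(Arc::new(rustls::crypto::ring::default_provider())).with_safe_default_protocol_versions()?`, removes that ambiguity and is consistent with the explicit `rustls::crypto::ring::Ticketer` in the ticketer hunk below; `WebPkiClientVerifier::builder_with_provider` does the same for the client verifier. The changed `client_auth_roots.add(root).unwrap();` still aborts the process on a malformed certificate in the operator-supplied client-auth file; `client_auth_roots.add(root).map_err(|_| anyhow::anyhow!("bad client authentication certificate"))?;` would report it like the other load errors in this function. `get_ssl_config` continues past the end of this hunk.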
@@ -769,21 +765,26 @@ impl Deref for MaxThreads {
 }
 }
-fn load_certs(filename: PathBuf) -> anyhow::Result> {
+fn load_certs(
+ filename: PathBuf,
+) -> anyhow::Result>> {
 let certfile = fs::File::open(filename).map_err(|_| anyhow::anyhow!("cannot open certificate file"))?;
 let mut reader = BufReader::new(certfile);
 certs(&mut reader)
- .map(|certs| certs.into_iter().map(rustls::Certificate).collect())
+ .collect::, _>>()
 .map_err(|_| anyhow::anyhow!("cannot read certificate file"))
 }
-fn load_private_key(filename: PathBuf) -> anyhow::Result {
+fn load_private_key(
+ filename: PathBuf,
+) -> anyhow::Result> {
 let rsa_keys = {
 let keyfile = fs::File::open(filename.clone())
 .map_err(|_| anyhow::anyhow!("cannot open private key file"))?;
 let mut reader = BufReader::new(keyfile);
 rsa_private_keys(&mut reader)
+ .collect::, _>>()
 .map_err(|_| anyhow::anyhow!("file contains invalid rsa private key"))?
 };
@@ -791,19 +792,21 @@ fn load_private_key(filename: PathBuf) -> anyhow::Result {
 let keyfile = fs::File::open(filename)
 .map_err(|_| anyhow::anyhow!("cannot open private key file"))?;
 let mut reader = BufReader::new(keyfile);
- pkcs8_private_keys(&mut reader).map_err(|_| {
- anyhow::anyhow!(
- "file contains invalid pkcs8 private key (encrypted keys not supported)"
- )
- })?
+ rustls_pemfile::pkcs8_private_keys(&mut reader).collect::, _>>().map_err(
+ |_| {
+ anyhow::anyhow!(
+ "file contains invalid pkcs8 private key (encrypted keys not supported)"
+ )
+ },
+ )?
 };
 // prefer to load pkcs8 keys
 if !pkcs8_keys.is_empty() {
- Ok(rustls::PrivateKey(pkcs8_keys[0].clone()))
+ Ok(rustls::pki_types::PrivateKeyDer::Pkcs8(pkcs8_keys[0].clone_key()))
 } else {
 assert!(!rsa_keys.is_empty());
- Ok(rustls::PrivateKey(rsa_keys[0].clone()))
+ Ok(rustls::pki_types::PrivateKeyDer::Pkcs1(rsa_keys[0].clone_key()))
 }
 }
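Review bot: The `else` branch on the new side still reaches `assert!(!rsa_keys.is_empty());`, so a key file holding neither a PKCS#8 nor a PKCS#1 block (for example a SEC1 `EC PRIVATE KEY`, which `rustls_pemfile` 2 and `PrivateKeyDer::Sec1` both support) aborts the process instead of producing an error like the surrounding `map_err` calls do. Replacing the assert and the indexed clone with `let key = rsa_keys.into_iter().next().ok_or_else(|| anyhow::anyhow!("no pkcs8 or rsa private key found in key file"))?;` followed by `Ok(rustls::pki_types::PrivateKeyDer::Pkcs1(key))` selects the same first key for valid files and turns the panic into a startup error; the `pkcs8_keys[0].clone_key()` branch could likewise become `if let Some(key) = pkcs8_keys.into_iter().next()`. As a point of style, `rustls_pemfile::pkcs8_private_keys` is written fully qualified here while `rsa_private_keys` is imported in the `use` hunk at the top of the file; importing both or qualifying both would read consistently. `load_private_key` starts in the previous hunk.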