bumped rustls & related pkgs

warp-tech · Sep 18, 2024 · 55e2594 · 55e2594
1 parent 9ca95b7
commit 55e2594
Show file tree

Hide file tree

Showing 23 changed files with 334 additions and 221 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/warpgate-admin/Cargo.toml b/warpgate-admin/Cargo.toml
@@ -7,12 +7,12 @@ version = "0.10.2"
 [dependencies]
 anyhow = { version = "1.0", features = ["std"] }
 async-trait = "0.1"
-bytes = "1.3"
+bytes = "1.4"
 chrono = { version = "0.4", default-features = false }
 futures = "0.3"
 hex = "0.4"
 mime_guess = { version = "2.0", default-features = false }
-poem = { version = "1.3.50", features = [
+poem = { version = "1.3", features = [
     "cookie",
     "session",
     "anyhow",
@@ -26,7 +26,7 @@ poem-openapi = { version = "2.0", features = [
 ] }
 russh = { version = "0.44.1", features = ["legacy-ed25519-pkcs8-parser"] }
 rust-embed = "8.3"
-sea-orm = { version = "0.12.2", features = [
+sea-orm = { version = "0.12", features = [
     "runtime-tokio-rustls",
     "macros",
 ], default-features = false }
@@ -35,7 +35,7 @@ serde_json = "1.0"
 thiserror = "1.0"
 tokio = { version = "1.20", features = ["tracing"] }
 tracing = "0.1"
-uuid = { version = "1.2", features = ["v4", "serde"] }
+uuid = { version = "1.3", features = ["v4", "serde"] }
 warpgate-common = { version = "*", path = "../warpgate-common" }
 warpgate-core = { version = "*", path = "../warpgate-core" }
 warpgate-db-entities = { version = "*", path = "../warpgate-db-entities" }

diff --git a/warpgate-common/Cargo.toml b/warpgate-common/Cargo.toml
@@ -8,7 +8,7 @@ version = "0.10.2"
 anyhow = "1.0"
 argon2 = "0.4"
 async-trait = "0.1"
-bytes = "1.3"
+bytes = "1.4"
 chrono = { version = "0.4", default-features = false, features = ["serde"] }
 data-encoding = "2.3"
 delegate = "0.6"
@@ -38,8 +38,8 @@ totp-rs = { version = "5.0", features = ["otpauth"] }
 tracing = "0.1"
 tracing-core = "0.1"
 url = "2.2"
-uuid = { version = "1.2", features = ["v4", "serde"] }
+uuid = { version = "1.3", features = ["v4", "serde"] }
 warpgate-sso = { version = "*", path = "../warpgate-sso" }
-rustls = { version = "0.20", features = ["dangerous_configuration"] }
+rustls = { version = "0.23", features = ["ring"] }
 rustls-pemfile = "1.0"
 webpki = "0.22"
diff --git a/warpgate-common/src/tls/cert.rs b/warpgate-common/src/tls/cert.rs
@@ -2,16 +2,16 @@ use std::path::Path;
 use std::sync::Arc;
 
 use poem::listener::RustlsCertificate;
+use rustls::pki_types::{CertificateDer, PrivateKeyDer};
 use rustls::sign::{CertifiedKey, SigningKey};
-use rustls::{Certificate, PrivateKey};
 use tokio::fs::File;
 use tokio::io::AsyncReadExt;
 
 use crate::RustlsSetupError;
 
 pub struct TlsCertificateBundle {
     bytes: Vec<u8>,
-    certificates: Vec<Certificate>,
+    certificates: Vec<CertificateDer<'static>>,
 }
 
 pub struct TlsPrivateKey {
@@ -36,8 +36,8 @@ impl TlsCertificateBundle {
         let certificates = rustls_pemfile::certs(&mut &bytes[..]).map(|mut certs| {
             certs
                 .drain(..)
-                .map(Certificate)
-                .collect::<Vec<Certificate>>()
+                .map(CertificateDer::from)
+                .collect::<Vec<CertificateDer>>()
         })?;
         if certificates.is_empty() {
             return Err(RustlsSetupError::NoCertificates);
@@ -61,17 +61,17 @@ impl TlsPrivateKey {
         let mut key = rustls_pemfile::pkcs8_private_keys(&mut bytes.as_slice())?
             .drain(..)
             .next()
-            .map(PrivateKey);
+            .and_then(|x| PrivateKeyDer::try_from(x).ok());
 
         if key.is_none() {
             key = rustls_pemfile::rsa_private_keys(&mut bytes.as_slice())?
                 .drain(..)
                 .next()
-                .map(PrivateKey);
+                .and_then(|x| PrivateKeyDer::try_from(x).ok());
         }
 
         let key = key.ok_or(RustlsSetupError::NoKeys)?;
-        let key = rustls::sign::any_supported_type(&key)?;
+        let key = rustls::crypto::ring::sign::any_supported_type(&key)?;
 
         Ok(Self { bytes, key })
     }
@@ -105,7 +105,6 @@ impl From<TlsCertificateAndPrivateKey> for CertifiedKey {
             cert: cert.certificates,
             key: key.key,
             ocsp: None,
-            sct_list: None,
         }
     }
 }
diff --git a/warpgate-common/src/tls/error.rs b/warpgate-common/src/tls/error.rs
@@ -1,9 +1,11 @@
+use rustls::server::VerifierBuilderError;
+
 #[derive(thiserror::Error, Debug)]
 pub enum RustlsSetupError {
     #[error("rustls: {0}")]
     Rustls(#[from] rustls::Error),
-    #[error("sign: {0}")]
-    Sign(#[from] rustls::sign::SignError),
+    #[error("verifier setup: {0}")]
+    VerifierBuilder(#[from] VerifierBuilderError),
     #[error("no certificates found in certificate file")]
     NoCertificates,
     #[error("no private keys found in key file")]

diff --git a/warpgate-core/Cargo.toml b/warpgate-core/Cargo.toml
@@ -20,7 +20,7 @@ futures = "0.3"
 once_cell = "1.17"
 packet = "0.1"
 password-hash = "0.4"
-poem = { version = "1.3.50", features = ["rustls"] }
+poem = { version = "1.3", features = ["rustls"] }
 poem-openapi = { version = "2.0", features = [
     "swagger-ui",
     "chrono",
@@ -30,7 +30,7 @@ poem-openapi = { version = "2.0", features = [
 rand = "0.8"
 rand_chacha = "0.3"
 rand_core = { version = "0.6", features = ["std"] }
-sea-orm = { version = "0.12.2", features = [
+sea-orm = { version = "0.12", features = [
     "runtime-tokio-rustls",
     "macros",
 ], default-features = false }
@@ -43,9 +43,9 @@ tracing = "0.1"
 tracing-core = "0.1"
 tracing-subscriber = "0.3"
 url = "2.2"
-uuid = { version = "1.2", features = ["v4", "serde"] }
+uuid = { version = "1.3", features = ["v4", "serde"] }
 warpgate-sso = { version = "*", path = "../warpgate-sso" }
-rustls = { version = "0.20", features = ["dangerous_configuration"] }
+rustls = "0.23"
 rustls-pemfile = "1.0"
 webpki = "0.22"
 

diff --git a/warpgate-database-protocols/Cargo.toml b/warpgate-database-protocols/Cargo.toml
@@ -14,11 +14,11 @@ authors = [
 [dependencies]
 tokio = { version = "1.20", features = ["io-util"] }
 bitflags = { version = "1.3", default-features = false }
-bytes = "1.3"
+bytes = "1.4"
 futures-core = { version = "0.3", default-features = false }
 futures-util = { version = "0.3", default-features = false, features = [
     "alloc",
     "sink",
 ] }
-memchr = { version = "2.5.0", default-features = false }
+memchr = { version = "2.5", default-features = false }
 thiserror = "1.0"
diff --git a/warpgate-db-entities/Cargo.toml b/warpgate-db-entities/Cargo.toml
@@ -7,13 +7,13 @@ version = "0.10.2"
 [dependencies]
 chrono = { version = "0.4", default-features = false, features = ["serde"] }
 poem-openapi = { version = "2.0", features = ["chrono", "uuid"] }
-sea-orm = { version = "0.12.2", features = [
+sea-orm = { version = "0.12", features = [
     "macros",
     "with-chrono",
     "with-uuid",
     "with-json",
 ], default-features = false }
 serde = "1.0"
 serde_json = "1.0"
-uuid = { version = "1.2", features = ["v4", "serde"] }
+uuid = { version = "1.3", features = ["v4", "serde"] }
 warpgate-common = { version = "*", path = "../warpgate-common" }
diff --git a/warpgate-db-migrations/Cargo.toml b/warpgate-db-migrations/Cargo.toml
@@ -10,15 +10,15 @@ version = "0.10.2"
 [dependencies]
 async-std = { version = "^1.11", features = ["attributes"] }
 chrono = { version = "0.4", default-features = false, features = ["serde"] }
-sea-orm = { version = "0.12.2", features = [
+sea-orm = { version = "0.12", features = [
     "runtime-tokio-rustls",
     "macros",
     "with-chrono",
     "with-uuid",
     "with-json",
 ], default-features = false }
-sea-orm-migration = { version = "0.12.2", default-features = false, features = [
+sea-orm-migration = { version = "0.12", default-features = false, features = [
     "cli",
 ] }
-uuid = { version = "1.2", features = ["v4", "serde"] }
+uuid = { version = "1.3", features = ["v4", "serde"] }
 serde_json = "1.0"
diff --git a/warpgate-protocol-http/Cargo.toml b/warpgate-protocol-http/Cargo.toml
@@ -8,13 +8,13 @@ version = "0.10.2"
 anyhow = "1.0"
 async-trait = "0.1"
 chrono = { version = "0.4", default-features = false, features = ["serde"] }
-cookie = "0.16"
+cookie = "0.17"
 data-encoding = "2.3"
 delegate = "0.6"
 futures = "0.3"
 http = "0.2"
 once_cell = "1.17"
-poem = { version = "^1.3.50", features = [
+poem = { version = "^1.3", features = [
     "cookie",
     "session",
     "anyhow",
@@ -31,7 +31,7 @@ reqwest = { version = "0.11", features = [
 serde = "1.0"
 serde_json = "1.0"
 tokio = { version = "1.20", features = ["tracing", "signal"] }
-tokio-tungstenite = { version = "0.17", features = ["rustls-tls-native-roots"] }
+tokio-tungstenite = { version = "0.18", features = ["rustls-tls-native-roots"] }
 tracing = "0.1"
 warpgate-admin = { version = "*", path = "../warpgate-admin" }
 warpgate-common = { version = "*", path = "../warpgate-common" }
@@ -40,6 +40,6 @@ warpgate-db-entities = { version = "*", path = "../warpgate-db-entities" }
 warpgate-web = { version = "*", path = "../warpgate-web" }
 warpgate-sso = { version = "*", path = "../warpgate-sso" }
 percent-encoding = "2.1"
-uuid = { version = "1.2", features = ["v4"] }
+uuid = { version = "1.3", features = ["v4"] }
 regex = "1.6"
-url = "2.4.1"
+url = "2.4"
diff --git a/warpgate-protocol-http/src/lib.rs b/warpgate-protocol-http/src/lib.rs
@@ -17,7 +17,7 @@ use std::time::Duration;
 use anyhow::{Context, Result};
 use async_trait::async_trait;
 use common::page_admin_auth;
-pub use common::{PROTOCOL_NAME, SsoLoginState};
+pub use common::{SsoLoginState, PROTOCOL_NAME};
 use http::HeaderValue;
 use logging::{get_client_ip, log_request_result, span_for_request};
 use poem::endpoint::{EmbeddedFileEndpoint, EmbeddedFilesEndpoint};

diff --git a/warpgate-protocol-mysql/Cargo.toml b/warpgate-protocol-mysql/Cargo.toml
@@ -13,15 +13,15 @@ anyhow = { version = "1.0", features = ["std"] }
 async-trait = "0.1"
 tokio = { version = "1.20", features = ["tracing", "signal"] }
 tracing = "0.1"
-uuid = { version = "1.2", features = ["v4"] }
-bytes = "1.3"
+uuid = { version = "1.3", features = ["v4"] }
+bytes = "1.4"
 mysql_common = "0.29"
 rand = "0.8"
-sha1 = "0.10.5"
+sha1 = "0.10"
 password-hash = { version = "0.2", features = ["std"] }
-rustls = { version = "0.20", features = ["dangerous_configuration"] }
+rustls = "0.23"
 rustls-pemfile = "1.0"
-tokio-rustls = "0.23"
+tokio-rustls = "0.26"
 thiserror = "1.0"
 webpki = "0.22"
 once_cell = "1.17"

diff --git a/warpgate-protocol-mysql/src/client.rs b/warpgate-protocol-mysql/src/client.rs
@@ -97,7 +97,7 @@ impl MySqlClient {
                 .upgrade((
                     target
                         .host
-                        .as_str()
+                        .clone()
                         .try_into()
                         .map_err(|_| MySqlError::InvalidDomainName)?,
                     client_config,

diff --git a/warpgate-protocol-mysql/src/lib.rs b/warpgate-protocol-mysql/src/lib.rs
@@ -64,8 +64,7 @@ impl ProtocolServer for MySQLProtocolServer {
         };
 
         let tls_config = ServerConfig::builder()
-            .with_safe_defaults()
-            .with_client_cert_verifier(NoClientAuth::new())
+            .with_client_cert_verifier(Arc::new(NoClientAuth))
             .with_cert_resolver(Arc::new(ResolveServerCert(Arc::new(
                 certificate_and_key.into(),
             ))));

diff --git a/warpgate-protocol-mysql/src/tls/maybe_tls_stream.rs b/warpgate-protocol-mysql/src/tls/maybe_tls_stream.rs
@@ -3,7 +3,8 @@ use std::sync::Arc;
 use std::task::Poll;
 
 use async_trait::async_trait;
-use rustls::{ClientConfig, ServerConfig, ServerName};
+use rustls::pki_types::ServerName;
+use rustls::{ClientConfig, ServerConfig};
 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
 use tracing::*;
 
@@ -126,7 +127,7 @@ impl<S> UpgradableStream<tokio_rustls::client::TlsStream<S>> for S
 where
     S: AsyncRead + AsyncWrite + Unpin + Send,
 {
-    type UpgradeConfig = (ServerName, Arc<ClientConfig>);
+    type UpgradeConfig = (ServerName<'static>, Arc<ClientConfig>);
 
     async fn upgrade(
         mut self,