
v0.12.0: update to rustls 0.22, address breaking changes #371

Merged
merged 4 commits into from
Dec 3, 2023
29 changes: 9 additions & 20 deletions Cargo.lock


11 changes: 5 additions & 6 deletions Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "rustls-ffi"
version = "0.11.1"
version = "0.12.0"
authors = ["Jacob Hoffman-Andrews <[email protected]>"]
license = "Apache-2.0/ISC/MIT"
readme = "README-crates.io.md"
Expand All @@ -23,12 +23,11 @@ read_buf = ["rustls/read_buf"]

[dependencies]
# Keep in sync with RUSTLS_CRATE_VERSION in build.rs
rustls = { version = "=0.22.0-alpha.6", features = [ "ring" ]}
pki-types = { package = "rustls-pki-types", version = "0.2.3", features = ["std"] }
webpki = { package = "rustls-webpki", version = "=0.102.0-alpha.8", features = ["std"] }
rustls = { version = "0.22", features = [ "ring" ]}
pki-types = { package = "rustls-pki-types", version = "1", features = ["std"] }
webpki = { package = "rustls-webpki", version = "0.102.0", features = ["std"] }
libc = "0.2"
sct = "0.7"
rustls-pemfile = "=2.0.0-alpha.2"
rustls-pemfile = "2"
log = "0.4.17"

[lib]
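--- a/build.rs
+++ b/build.rs
@@ -3,7 +3,7 @@ use std::io::Write;
 use std::{env, fs, path::PathBuf};
 
 // Keep in sync with Cargo.toml.
-const RUSTLS_CRATE_VERSION: &str = "0.22.0-alpha.6";
+const RUSTLS_CRATE_VERSION: &str = "0.22";
 
 fn main() {
 let out_dir = PathBuf::from(env::var_os("OUT_DIR").unwrap());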
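Review bot: `RUSTLS_CRATE_VERSION` now holds a version requirement (`"0.22"`) rather than the exact release that gets built, so anything derived from it can no longer tell 0.22.0 apart from a later 0.22.x patch release. The constant's use is outside this hunk; if it ends up in a version string reported to consumers, that string loses the detail needed to check a deployed build against a rustls advisory. I would at least say so next to the constant, e.g. `// Version requirement, not the resolved version; Cargo.lock has the exact rustls release.`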
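--- a/src/cipher.rs
+++ b/src/cipher.rs
@@ -675,7 +675,9 @@ impl rustls_client_cert_verifier {
 /// done configuring settings, call `rustls_web_pki_client_cert_verifier_builder_build`
 /// to turn it into a `rustls_client_cert_verifier`. This object is not safe
 /// for concurrent mutation.
-// TODO(@cpu): Add rustdoc link once available.
+///
+/// See <https://docs.rs/rustls/latest/rustls/server/struct.ClientCertVerifierBuilder.html>
+/// for more information.
 pub struct rustls_web_pki_client_cert_verifier_builder {
 // We use the opaque struct pattern to tell C about our types without
 // telling them what's inside.
@@ -943,7 +945,9 @@ impl rustls_web_pki_client_cert_verifier_builder {
 /// done configuring settings, call `rustls_web_pki_server_cert_verifier_builder_build`
 /// to turn it into a `rustls_server_cert_verifier`. This object is not safe
 /// for concurrent mutation.
-// TODO(@cpu): Add rustdoc link once available.
+///
+/// See <https://docs.rs/rustls/latest/rustls/client/struct.ServerCertVerifierBuilder.html>
+/// for more information.
 pub struct rustls_web_pki_server_cert_verifier_builder {
 // We use the opaque struct pattern to tell C about our types without
 // telling them what's inside.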
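Review bot: The new doc links on `rustls_web_pki_client_cert_verifier_builder` and `rustls_web_pki_server_cert_verifier_builder` point at `docs.rs/rustls/latest/`, while Cargo.toml in this PR requires rustls `0.22`. Once a newer rustls is published, these links will describe a verifier builder API that may differ from the one this crate wraps, which is unhelpful for settings as sensitive as certificate verification. A versioned URL would avoid that, e.g. `https://docs.rs/rustls/0.22/rustls/server/struct.ClientCertVerifierBuilder.html`; the same two links are mirrored in src/rustls.h.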
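--- a/src/client.rs
+++ b/src/client.rs
@@ -7,7 +7,7 @@ use std::sync::Arc;
 use libc::{c_char, size_t};
 use pki_types::{CertificateDer, UnixTime};
 use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
-use rustls::client::{ResolvesClientCert, WebPkiServerVerifier};
+use rustls::client::ResolvesClientCert;
 use rustls::crypto::ring::ALL_CIPHER_SUITES;
 use rustls::{
 sign::CertifiedKey, CertificateError, ClientConfig, ClientConnection, DigitallySignedStruct,
@@ -106,7 +106,9 @@ impl ServerCertVerifier for NoneVerifier {
 }
 
 fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
-WebPkiServerVerifier::default_supported_verify_schemes()
+rustls::crypto::ring::default_provider()
+.signature_verification_algorithms
+.supported_schemes()
 }
 }
 
@@ -123,7 +125,7 @@ impl rustls_client_config_builder {
 pub extern "C" fn rustls_client_config_builder_new() -> *mut rustls_client_config_builder {
 ffi_panic_boundary! {
 let builder = ClientConfigBuilder {
-base: rustls::ClientConfig::builder().with_safe_defaults(),
+base: rustls::ClientConfig::builder(),
 verifier: Arc::new(NoneVerifier),
 cert_resolver: None,
 alpn_protocols: vec![],
@@ -179,7 +181,12 @@ impl rustls_client_config_builder {
 }
 }
 
-let result = rustls::ClientConfig::builder().with_cipher_suites(&cs_vec).with_safe_default_kx_groups().with_protocol_versions(&versions);
+let provider = rustls::crypto::CryptoProvider{
+cipher_suites: cs_vec,
+..rustls::crypto::ring::default_provider()
+};
+let result = rustls::ClientConfig::builder_with_provider(provider.into())
+.with_protocol_versions(&versions);
 let base = match result {
 Ok(new) => new,
 Err(_) => return rustls_result::InvalidParameter,
@@ -293,7 +300,12 @@ impl ServerCertVerifier for Verifier {
 cert: &CertificateDer,
 dss: &DigitallySignedStruct,
 ) -> Result<HandshakeSignatureValid, Error> {
-WebPkiServerVerifier::default_verify_tls12_signature(message, cert, dss)
+rustls::crypto::verify_tls12_signature(
+message,
+cert,
+dss,
+&rustls::crypto::ring::default_provider().signature_verification_algorithms,
+)
 }
 
 fn verify_tls13_signature(
@@ -302,11 +314,18 @@ impl ServerCertVerifier for Verifier {
 cert: &CertificateDer,
 dss: &DigitallySignedStruct,
 ) -> Result<HandshakeSignatureValid, Error> {
-WebPkiServerVerifier::default_verify_tls13_signature(message, cert, dss)
+rustls::crypto::verify_tls13_signature(
+message,
+cert,
+dss,
+&rustls::crypto::ring::default_provider().signature_verification_algorithms,
+)
 }
 
 fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
-WebPkiServerVerifier::default_supported_verify_schemes()
+rustls::crypto::ring::default_provider()
+.signature_verification_algorithms
+.supported_schemes()
 }
 }
 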
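Review bot: `verify_tls12_signature` and `verify_tls13_signature` on `Verifier`, plus both `supported_verify_schemes` impls, each call `rustls::crypto::ring::default_provider()` only to read `signature_verification_algorithms`. That hard-codes the ring provider in four places and builds a whole provider value on every handshake signature check. Today this agrees with the config, since the cipher-suite hunk also derives its provider from the ring default, but if the provider ever becomes configurable the verifier would keep advertising and accepting ring's algorithm set with nothing to flag the mismatch. I would route all four through one helper, e.g. `fn sig_algs() -> rustls::crypto::WebPkiSupportedAlgorithms { rustls::crypto::ring::default_provider().signature_verification_algorithms }`, or hold the value in the verifier itself. The enclosing impl blocks start outside these hunks.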
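--- a/src/error.rs
+++ b/src/error.rs
@@ -241,6 +241,7 @@ impl rustls_result {
 /// inputs, including Ok, return rustls::Error::General.
 pub(crate) fn cert_result_to_error(result: rustls_result) -> rustls::Error {
 use rustls::Error::*;
+use rustls::OtherError;
 use rustls_result::*;
 match result {
 CertEncodingBad => InvalidCertificate(CertificateError::BadEncoding),
@@ -257,7 +258,9 @@ pub(crate) fn cert_result_to_error(result: rustls_result) -> rustls::Error {
 CertApplicationVerificationFailure => {
 InvalidCertificate(CertificateError::ApplicationVerificationFailure)
 }
-CertOtherError => InvalidCertificate(CertificateError::Other(Arc::from(Box::from("")))),
+CertOtherError => InvalidCertificate(CertificateError::Other(OtherError(Arc::from(
+Box::from(""),
+)))),
 _ => rustls::Error::General("".into()),
 }
 }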
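Review bot: The `CertOtherError` arm still wraps an empty string in the new `OtherError`, so a certificate rejection that takes this path produces an error with no text, which makes a failed handshake hard to triage from logs. If the empty payload is deliberate, a comment on the arm would help, e.g. `// No detail available: the C caller only passes a result code.`; otherwise a short fixed message in place of `""` would do. The match arms between the two hunks are not shown, so this applies only to the arm visible here.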
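--- a/src/rustls.h
+++ b/src/rustls.h
@@ -301,6 +301,9 @@ typedef struct rustls_supported_ciphersuite rustls_supported_ciphersuite;
 * done configuring settings, call `rustls_web_pki_client_cert_verifier_builder_build`
 * to turn it into a `rustls_client_cert_verifier`. This object is not safe
 * for concurrent mutation.
+*
+* See <https://docs.rs/rustls/latest/rustls/server/struct.ClientCertVerifierBuilder.html>
+* for more information.
 */
 typedef struct rustls_web_pki_client_cert_verifier_builder rustls_web_pki_client_cert_verifier_builder;
 
@@ -310,6 +313,9 @@ typedef struct rustls_web_pki_client_cert_verifier_builder rustls_web_pki_client
 * done configuring settings, call `rustls_web_pki_server_cert_verifier_builder_build`
 * to turn it into a `rustls_server_cert_verifier`. This object is not safe
 * for concurrent mutation.
+*
+* See <https://docs.rs/rustls/latest/rustls/client/struct.ServerCertVerifierBuilder.html>
+* for more information.
 */
 typedef struct rustls_web_pki_server_cert_verifier_builder rustls_web_pki_server_cert_verifier_builder;
 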
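--- a/src/server.rs
+++ b/src/server.rs
@@ -83,7 +83,7 @@ impl rustls_server_config_builder {
 pub extern "C" fn rustls_server_config_builder_new() -> *mut rustls_server_config_builder {
 ffi_panic_boundary! {
 let builder = ServerConfigBuilder {
-base: rustls::ServerConfig::builder().with_safe_defaults(),
+base: rustls::ServerConfig::builder(),
 verifier: WebPkiClientVerifier::no_client_auth(),
 cert_resolver: None,
 session_storage: None,
@@ -138,7 +138,12 @@ impl rustls_server_config_builder {
 }
 }
 
-let result = rustls::ServerConfig::builder().with_cipher_suites(&cs_vec).with_safe_default_kx_groups().with_protocol_versions(&versions);
+let provider = rustls::crypto::CryptoProvider{
+cipher_suites: cs_vec,
+..rustls::crypto::ring::default_provider()
+};
+let result = rustls::ServerConfig::builder_with_provider(provider.into())
+.with_protocol_versions(&versions);
 let base = match result {
 Ok(new) => new,
 Err(_) => return rustls_result::InvalidParameter,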
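Review bot: The `CryptoProvider{ cipher_suites: cs_vec, ..default_provider() }` construction replaces the explicit `with_safe_default_kx_groups()` call with a struct update, so the key-exchange groups and every other provider field are now inherited implicitly from ring's defaults. That deserves a comment above `let provider`, e.g. `// Only the cipher suites are caller-chosen; kx groups and signature algorithms come from the ring default provider.` The same construction appears in src/client.rs, so a shared helper taking `cs_vec` would keep the client and server builders from drifting apart. The enclosing function starts and ends outside the hunk.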