From 58ad0a4649d7ad1cd1f102ed1e81c5fd2753d2f4 Mon Sep 17 00:00:00 2001 From: Andrew Walbran Date: Mon, 29 Jan 2024 11:48:03 +0000 Subject: [PATCH] chore(rumqttc): Update rustls and friends. --- Cargo.lock | 170 ++++++++++++++++++++++------------------ rumqttc/CHANGELOG.md | 4 + rumqttc/Cargo.toml | 16 ++-- rumqttc/examples/tls.rs | 7 +- rumqttc/src/lib.rs | 6 +- rumqttc/src/tls.rs | 47 +++++------ rumqttc/src/v5/mod.rs | 1 - 7 files changed, 129 insertions(+), 122 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 9522b1b68..bb1c9d545 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -177,15 +177,30 @@ name = "async-tungstenite" version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a1e9efbe14612da0a19fb983059a0b621e9cf6225d7018ecab4f9988215540dc" +dependencies = [ + "futures-io", + "futures-util", + "log", + "pin-project-lite", + "tokio", + "tungstenite 0.20.1", +] + +[[package]] +name = "async-tungstenite" +version = "0.24.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3609af4bbf701ddaf1f6bb4e6257dff4ff8932327d0e685d3f653724c258b1ac" dependencies = [ "futures-io", "futures-util", "log", "pin-project-lite", "rustls-native-certs", + "rustls-pki-types", "tokio", - "tokio-rustls 0.24.1", - "tungstenite", + "tokio-rustls", + "tungstenite 0.21.0", ] [[package]] @@ -217,7 +232,7 @@ dependencies = [ "bitflags 1.3.2", "bytes", "futures-util", - "http", + "http 0.2.11", "http-body", "hyper", "itoa", @@ -247,7 +262,7 @@ dependencies = [ "async-trait", "bytes", "futures-util", - "http", + "http 0.2.11", "http-body", "mime", "rustversion", @@ -861,6 +876,17 @@ dependencies = [ "itoa", ] +[[package]] +name = "http" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b32afd38673a8016f7c9ae69e5af41a58f81b1d31689040f2f1959594ce194ea" +dependencies = [ + "bytes", + "fnv", + "itoa", +] + [[package]] name = "http-body" version = "0.4.6" 
@@ -868,7 +894,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7ceab25649e9960c0311ea418d17bee82c0dcec1bd053b5f9a66e265a693bed2" dependencies = [ "bytes", - "http", + "http 0.2.11", "pin-project-lite", ] @@ -900,7 +926,7 @@ dependencies = [ "futures-channel", "futures-core", "futures-util", - "http", + "http 0.2.11", "http-body", "httparse", "httpdate", @@ -1822,35 +1848,35 @@ name = "rumqttc" version = "0.23.0" dependencies = [ "async-http-proxy", - "async-tungstenite", + "async-tungstenite 0.24.0", "bincode", "bytes", "color-backtrace", "flume", "futures-util", - "http", + "http 1.0.0", "log", "matches", "native-tls", "pretty_assertions", "pretty_env_logger", "rustls-native-certs", - "rustls-pemfile 1.0.4", - "rustls-webpki 0.101.7", + "rustls-pemfile", + "rustls-webpki", "serde", "thiserror", "tokio", "tokio-native-tls", - "tokio-rustls 0.24.1", + "tokio-rustls", "url", - "ws_stream_tungstenite", + "ws_stream_tungstenite 0.12.0", ] [[package]] name = "rumqttd" version = "0.19.0" dependencies = [ - "async-tungstenite", + "async-tungstenite 0.23.0", "axum", "bytes", "clap", @@ -1863,19 +1889,19 @@ dependencies = [ "pretty_assertions", "pretty_env_logger", "rand", - "rustls-pemfile 2.0.0", - "rustls-webpki 0.102.2", + "rustls-pemfile", + "rustls-webpki", "serde", "serde_json", "slab", "thiserror", "tokio", "tokio-native-tls", - "tokio-rustls 0.25.0", + "tokio-rustls", "tokio-util", "tracing", "tracing-subscriber", - "ws_stream_tungstenite", + "ws_stream_tungstenite 0.11.0", "x509-parser", ] @@ -1926,18 +1952,6 @@ dependencies = [ "windows-sys 0.52.0", ] -[[package]] -name = "rustls" -version = "0.21.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba" -dependencies = [ - "log", - "ring", - "rustls-webpki 0.101.7", - "sct", -] - [[package]] name = "rustls" version = "0.22.2" 
@@ -1947,32 +1961,24 @@ dependencies = [ "log", "ring", "rustls-pki-types", - "rustls-webpki 0.102.2", + "rustls-webpki", "subtle", "zeroize", ] [[package]] name = "rustls-native-certs" -version = "0.6.3" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" +checksum = "8f1fb85efa936c42c6d5fc28d2629bb51e4b2f4b8a5211e297d599cc5a093792" dependencies = [ "openssl-probe", - "rustls-pemfile 1.0.4", + "rustls-pemfile", + "rustls-pki-types", "schannel", "security-framework", ] -[[package]] -name = "rustls-pemfile" -version = "1.0.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c" -dependencies = [ - "base64 0.21.5", -] - [[package]] name = "rustls-pemfile" version = "2.0.0" @@ -1989,16 +1995,6 @@ version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0a716eb65e3158e90e17cd93d855216e27bde02745ab842f2cab4a39dba1bacf" -[[package]] -name = "rustls-webpki" -version = "0.101.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "rustls-webpki" version = "0.102.2" @@ -2037,16 +2033,6 @@ version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" -[[package]] -name = "sct" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "security-framework" version = "2.9.2" 
@@ -2453,23 +2439,13 @@ dependencies = [ "tokio", ] -[[package]] -name = "tokio-rustls" -version = "0.24.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" -dependencies = [ - "rustls 0.21.10", - "tokio", -] - [[package]] name = "tokio-rustls" version = "0.25.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f" dependencies = [ - "rustls 0.22.2", + "rustls", "rustls-pki-types", "tokio", ] @@ -2602,11 +2578,31 @@ dependencies = [ "byteorder", "bytes", "data-encoding", - "http", + "http 0.2.11", + "httparse", + "log", + "rand", + "sha1", + "thiserror", + "url", + "utf-8", +] + +[[package]] +name = "tungstenite" +version = "0.21.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9ef1a641ea34f399a848dea702823bbecfb4c486f911735368f1f137cb8257e1" +dependencies = [ + "byteorder", + "bytes", + "data-encoding", + "http 1.0.0", "httparse", "log", "rand", - "rustls 0.21.10", + "rustls", + "rustls-pki-types", "sha1", "thiserror", "url", @@ -2965,7 +2961,27 @@ version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e283cc794a890f5bdc01e358ad7c34535025f79ba83c1b5c7e01e5d6c60b336d" dependencies = [ - "async-tungstenite", + "async-tungstenite 0.23.0", + "async_io_stream", + "bitflags 2.4.1", + "futures-core", + "futures-io", + "futures-sink", + "futures-util", + "pharos", + "rustc_version", + "tokio", + "tracing", + "tungstenite 0.20.1", +] + +[[package]] +name = "ws_stream_tungstenite" +version = "0.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2792b148f4aabd04af007bf0fc6f89a8d69980d083c296dfbd7b0d99bbdcfeb8" +dependencies = [ + "async-tungstenite 0.24.0", "async_io_stream", "bitflags 2.4.1", "futures-core", 
@@ -2976,7 +2992,7 @@ dependencies = [ "rustc_version", "tokio", "tracing", - "tungstenite", + "tungstenite 0.21.0", ] [[package]] diff --git a/rumqttc/CHANGELOG.md b/rumqttc/CHANGELOG.md index b9c6f73b8..c6fd3a88f 100644 --- a/rumqttc/CHANGELOG.md +++ b/rumqttc/CHANGELOG.md @@ -25,6 +25,10 @@ To update your code simply remove `Key::ECC()` or `Key::RSA()` from the initiali - Make v5 `RetainForwardRule` public, in order to allow setting it when constructing `Filter` values. - Use `VecDeque` instead of `IntoIter` to fix unintentional drop of pending requests on `EventLoop::clean` (#780) - `StateError::IncommingPacketTooLarge` is now `StateError::IncomingPacketTooLarge`. +- Update `tokio-rustls` to `0.25.0`, `rustls-native-certs` to `0.7.0`, `rustls-webpki` to `0.102.1`, + `rusttls-pemfile` to `2.0.0`, `async-tungstenite` to `0.24.0`, `ws_stream_tungstenite` to `0.12.0` + and `http` to `1.0.0`. This is a breaking change as types from some of these crates are part of + the public API. ### Deprecated diff --git a/rumqttc/Cargo.toml b/rumqttc/Cargo.toml index 483f9de7b..834b1984c 100644 --- a/rumqttc/Cargo.toml +++ b/rumqttc/Cargo.toml 
@@ -27,19 +27,19 @@ futures-util = { version = "0.3", default_features = false, features = ["std"] } tokio = { version = "1.33", features = ["rt", "macros", "io-util", "net", "time"] } bytes = "1.5" log = "0.4" -flume = { version = "0.11", default-features = false, features = ["async"]} +flume = { version = "0.11", default-features = false, features = ["async"] } thiserror = "1" # Optional # rustls -tokio-rustls = { version = "0.24", optional = true } -rustls-webpki = { version = "0.101.6", optional = true } -rustls-pemfile = { version = "1", optional = true } -rustls-native-certs = { version = "0.6", optional = true } +tokio-rustls = { version = "0.25.0", optional = true } +rustls-webpki = { version = "0.102.1", optional = true } +rustls-pemfile = { version = "2.0.0", optional = true } +rustls-native-certs = { version = "0.7.0", optional = true } # websockets -async-tungstenite = { version = "0.23", default-features = false, features = ["tokio-rustls-native-certs"], optional = true } -ws_stream_tungstenite = { version= "0.11", default-features = false, features = ["tokio_io"], optional = true } -http = { version = "0.2", optional = true } +async-tungstenite = { version = "0.24.0", default-features = false, features = ["tokio-rustls-native-certs"], optional = true } +ws_stream_tungstenite = { version= "0.12.0", default-features = false, features = ["tokio_io"], optional = true } +http = { version = "1.0.0", optional = true } # native-tls tokio-native-tls = { version = "0.3.1", optional = true } native-tls = { version = "0.2.11", optional = true } diff --git a/rumqttc/examples/tls.rs b/rumqttc/examples/tls.rs index 1f57b829e..dc08636f1 100644 --- a/rumqttc/examples/tls.rs +++ b/rumqttc/examples/tls.rs 
@@ -15,12 +15,11 @@ async fn main() -> Result<(), Box> { // Use rustls-native-certs to load root certificates from the operating system. let mut root_cert_store = tokio_rustls::rustls::RootCertStore::empty(); - for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") { - root_cert_store.add(&tokio_rustls::rustls::Certificate(cert.0))?; - } + root_cert_store.add_parsable_certificates( + rustls_native_certs::load_native_certs().expect("could not load platform certs"), + ); let client_config = ClientConfig::builder() - .with_safe_defaults() .with_root_certificates(root_cert_store) .with_no_client_auth(); diff --git a/rumqttc/src/lib.rs b/rumqttc/src/lib.rs index ce52b452a..43dbb3bed 100644 --- a/rumqttc/src/lib.rs +++ b/rumqttc/src/lib.rs @@ -148,7 +148,7 @@ pub use tls::Error as TlsError; #[cfg(feature = "use-rustls")] pub use tokio_rustls; #[cfg(feature = "use-rustls")] -use tokio_rustls::rustls::{Certificate, ClientConfig, RootCertStore}; +use tokio_rustls::rustls::{ClientConfig, RootCertStore}; #[cfg(feature = "proxy")] pub use proxy::{Proxy, ProxyAuth, ProxyType}; @@ -366,10 +366,9 @@ impl Default for TlsConfiguration { fn default() -> Self { let mut root_cert_store = RootCertStore::empty(); for cert in load_native_certs().expect("could not load platform certs") { - root_cert_store.add(&Certificate(cert.0)).unwrap(); + root_cert_store.add(cert).unwrap(); } let tls_config = ClientConfig::builder() - .with_safe_defaults() .with_root_certificates(root_cert_store) .with_no_client_auth(); @@ -536,7 +535,6 @@ impl MqttOptions { /// # use tokio_rustls::rustls::ClientConfig; /// # let root_cert_store = rustls::RootCertStore::empty(); /// # let client_config = ClientConfig::builder() - /// # .with_safe_defaults() /// # .with_root_certificates(root_cert_store) /// # .with_no_client_auth(); /// let mut options = MqttOptions::parse_url("mqtts://example.com?client_id=123").unwrap(); 
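Review bot: In `impl Default for TlsConfiguration` (the `@@ -366,10 +366,9 @@` hunk of rumqttc/src/lib.rs), `root_cert_store.add(cert).unwrap();` still panics if any single certificate from the platform store is rejected. One malformed system certificate would therefore abort every client that relies on the default TLS configuration. The example updated in this same commit (rumqttc/examples/tls.rs) switches to `add_parsable_certificates`, which skips entries it cannot parse, and the library default should match: `root_cert_store.add_parsable_certificates(load_native_certs().expect("could not load platform certs"));`. That call returns the added and ignored counts, so an added count of zero can be reported up front instead of surfacing later as a verification failure against every broker. The body of `default()` continues past the end of the hunk.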
diff --git a/rumqttc/src/tls.rs b/rumqttc/src/tls.rs
index 88fd103f9..c8e775712 100644
--- a/rumqttc/src/tls.rs
+++ b/rumqttc/src/tls.rs
@@ -1,12 +1,10 @@
 #[cfg(feature = "use-rustls")]
 use rustls_pemfile::Item;
 #[cfg(feature = "use-rustls")]
-use tokio_rustls::rustls;
-#[cfg(feature = "use-rustls")]
-use tokio_rustls::rustls::client::InvalidDnsNameError;
-#[cfg(feature = "use-rustls")]
 use tokio_rustls::rustls::{
- Certificate, ClientConfig, OwnedTrustAnchor, PrivateKey, RootCertStore, ServerName,
+ self,
+ pki_types::{InvalidDnsNameError, ServerName},
+ ClientConfig, RootCertStore,
 };
 #[cfg(feature = "use-rustls")]
 use tokio_rustls::TlsConnector as RustlsConnector;
@@ -77,34 +75,22 @@ pub async fn rustls_connector(tls_config: &TlsConfiguration) -> Result { // Add ca to root store if the connection is TLS let mut root_cert_store = RootCertStore::empty(); - let certs = rustls_pemfile::certs(&mut BufReader::new(Cursor::new(ca)))?; - - let trust_anchors = certs.iter().map_while(|cert| { - if let Ok(ta) = webpki::TrustAnchor::try_from_cert_der(&cert[..]) { - Some(OwnedTrustAnchor::from_subject_spki_name_constraints( - ta.subject, - ta.spki, - ta.name_constraints, - )) - } else { - None - } - }); + let certs = rustls_pemfile::certs(&mut BufReader::new(Cursor::new(ca))) + .collect::, _>>()?; - root_cert_store.add_trust_anchors(trust_anchors); + root_cert_store.add_parsable_certificates(certs); if root_cert_store.is_empty() { return Err(Error::NoValidCertInChain); } - let config = ClientConfig::builder() - .with_safe_defaults() - .with_root_certificates(root_cert_store); + let config = ClientConfig::builder().with_root_certificates(root_cert_store); // Add der encoded client cert and key let mut config = if let Some(client) = client_auth.as_ref() { let certs = - rustls_pemfile::certs(&mut BufReader::new(Cursor::new(client.0.clone())))?; + rustls_pemfile::certs(&mut BufReader::new(Cursor::new(client.0.clone()))) + .collect::, _>>()?; if certs.is_empty() { return Err(Error::NoValidClientCertInChain); } @@ -116,16 +102,21 @@ pub async fn rustls_connector(tls_config: &TlsConfiguration) -> Result { - break key; + Some(Item::Sec1Key(key)) => { + break key.into(); + } + Some(Item::Pkcs1Key(key)) => { + break key.into(); + } + Some(Item::Pkcs8Key(key)) => { + break key.into(); } None => return Err(Error::NoValidKeyInChain), _ => {} } }; - let certs = certs.into_iter().map(Certificate).collect(); - config.with_client_auth_cert(certs, PrivateKey(key))? + config.with_client_auth_cert(certs, key)? } else { config.with_no_client_auth() }; 
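Review bot: The added and ignored counts returned by `root_cert_store.add_parsable_certificates(certs);` in `rustls_connector` are discarded, so a user-supplied CA bundle in which some entries fail to parse is accepted silently as long as one entry loads. The removed `map_while` stopped at the first certificate it could not convert, whereas the new call skips bad entries and keeps adding later ones, which changes the resulting trust set without any signal to the caller. Consider binding the result, `let (_added, ignored) = root_cert_store.add_parsable_certificates(certs);`, and logging or rejecting when `ignored > 0`. The existing `is_empty()` check only covers the case where nothing loaded at all. The function starts before and continues after this hunk.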
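Review bot: In the `@@ -116,16 +102,21 @@` hunk, the three new arms for `Item::Sec1Key`, `Item::Pkcs1Key` and `Item::Pkcs8Key` all do `break key.into();`, and the `_ => {}` arm skips every other PEM section in the client key input with no comment saying so. rustls-pemfile 2 provides `rustls_pemfile::private_key`, which returns the first key in any of these three encodings. The loop can likely collapse to `let key = rustls_pemfile::private_key(&mut reader)?.ok_or(Error::NoValidKeyInChain)?;`, where `reader` stands for the buffered reader created outside the hunk. If the loop is kept, a short comment on the catch-all arm such as `// skip certificates and other non-key PEM sections` would make the intent explicit. The loop header lies outside the visible lines.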
@@ -181,7 +172,7 @@ pub async fn tls_connect(
 #[cfg(feature = "use-rustls")]
 TlsConfiguration::Simple { .. } | TlsConfiguration::Rustls(_) => {
 let connector = rustls_connector(tls_config).await?;
- let domain = ServerName::try_from(addr)?;
+ let domain = ServerName::try_from(addr)?.to_owned();
 Box::new(connector.connect(domain, tcp).await?)
 }
 #[cfg(feature = "use-native-tls")]
diff --git a/rumqttc/src/v5/mod.rs b/rumqttc/src/v5/mod.rs
index 04a50a4c2..663cfd278 100644
--- a/rumqttc/src/v5/mod.rs
+++ b/rumqttc/src/v5/mod.rs
@@ -163,7 +163,6 @@ impl MqttOptions {
 /// # use tokio_rustls::rustls::ClientConfig;
 /// # let root_cert_store = rustls::RootCertStore::empty();
 /// # let client_config = ClientConfig::builder()
- /// # .with_safe_defaults()
 /// # .with_root_certificates(root_cert_store)
 /// # .with_no_client_auth();
 /// let mut options = MqttOptions::parse_url("mqtts://example.com?client_id=123").unwrap();