diff --git a/Cargo.lock b/Cargo.lock
index 7e6477dc99b..a054df9fb35 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1739,6 +1739,17 @@ dependencies = [
 "rustls 0.21.11",
 ]
+[[package]]
+name = "futures-rustls"
+version = "0.26.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8f2f12607f92c69b12ed746fabf9ca4f5c482cba46679c1a75b874ed7c26adb"
+dependencies = [
+ "futures-io",
+ "rustls 0.23.5",
+ "rustls-pki-types",
+]
+
 [[package]]
 name = "futures-sink"
 version = "0.3.30"
@@ -3387,7 +3398,7 @@ name = "libp2p-tls"
 version = "0.3.0"
 dependencies = [
 "futures",
- "futures-rustls",
+ "futures-rustls 0.24.0",
 "hex",
 "hex-literal",
 "libp2p-core",
@@ -3508,7 +3519,7 @@ dependencies = [
 "async-std",
 "either",
 "futures",
- "futures-rustls",
+ "futures-rustls 0.26.0",
 "libp2p-core",
 "libp2p-dns",
 "libp2p-identity",
@@ -5169,6 +5180,20 @@ dependencies = [
 "zeroize",
 ]
+[[package]]
+name = "rustls"
+version = "0.23.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "afabcee0551bd1aa3e18e5adbf2c0544722014b899adb31bd186ec638d3da97e"
+dependencies = [
+ "once_cell",
+ "ring 0.17.8",
+ "rustls-pki-types",
+ "rustls-webpki 0.102.2",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "rustls-pemfile"
 version = "2.1.2"
diff --git a/transports/websocket/Cargo.toml b/transports/websocket/Cargo.toml
index cc10a0ab727..9156da7c83b 100644
--- a/transports/websocket/Cargo.toml
+++ b/transports/websocket/Cargo.toml
@@ -11,7 +11,7 @@ keywords = ["peer-to-peer", "libp2p", "networking"]
 categories = ["network-programming", "asynchronous"]
 [dependencies]
-futures-rustls = "0.24.0"
+futures-rustls = { version = "0.26.0", default-features = false, features = ["ring"] }
 either = "1.11.0"
 futures = { workspace = true }
 libp2p-core = { workspace = true }
diff --git a/transports/websocket/src/framed.rs b/transports/websocket/src/framed.rs
index ab7bfda43db..26634df9830 100644
--- a/transports/websocket/src/framed.rs
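Review bot: `default-features = false` on the new `futures-rustls` line drops that crate's default feature set, which for futures-/tokio-rustls normally includes `tls12` and `logging`; the new `rustls 0.23.5` lockfile entry above lists no `log` dependency, consistent with those defaults being off. Unless some other crate in the graph enables `rustls/tls12`, `with_safe_default_protocol_versions()` in tls.rs then produces a TLS 1.3-only WebSocket client and server, a behaviour change from the rustls 0.21 build, which also accepted TLS 1.2 peers. Opting out of the defaults is the right way to avoid pulling in `aws-lc-rs`, but the protocol-version consequence should be a deliberate choice: either state it in the commit message or keep parity with `futures-rustls = { version = "0.26.0", default-features = false, features = ["ring", "tls12"] }`.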
+++ b/transports/websocket/src/framed.rs
@@ -461,7 +461,7 @@ where
 struct WsAddress {
 host_port: String,
 path: String,
- dns_name: Option,
+ dns_name: Option>,
 use_tls: bool,
 tcp_addr: Multiaddr,
 }
diff --git a/transports/websocket/src/tls.rs b/transports/websocket/src/tls.rs
index 24b0df97db3..77090e21675 100644
--- a/transports/websocket/src/tls.rs
+++ b/transports/websocket/src/tls.rs
@@ -35,24 +35,32 @@ impl fmt::Debug for Config {
 }
 /// Private key, DER-encoded ASN.1 in either PKCS#8 or PKCS#1 format.
-#[derive(Clone)]
-pub struct PrivateKey(rustls::PrivateKey);
+pub struct PrivateKey(rustls::pki_types::PrivateKeyDer<'static>);
 impl PrivateKey {
 /// Assert the given bytes are DER-encoded ASN.1 in either PKCS#8 or PKCS#1 format.
 pub fn new(bytes: Vec) -> Self {
- PrivateKey(rustls::PrivateKey(bytes))
+ PrivateKey(
+ rustls::pki_types::PrivateKeyDer::try_from(bytes)
+ .expect("unknown or invalid key format"),
+ )
+ }
+ }
+
+ impl Clone for PrivateKey {
+ fn clone(&self) -> Self {
+ Self(self.0.clone_key())
 }
 }
 /// Certificate, DER-encoded X.509 format.
 #[derive(Debug, Clone)]
-pub struct Certificate(rustls::Certificate);
+pub struct Certificate(rustls::pki_types::CertificateDer<'static>);
 impl Certificate {
 /// Assert the given bytes are in DER-encoded X.509 format.
 pub fn new(bytes: Vec) -> Self {
- Certificate(rustls::Certificate(bytes))
+ Certificate(rustls::pki_types::CertificateDer::from(bytes))
 }
 }
@@ -69,8 +77,10 @@ impl Config {
 /// Create a client-only configuration.
 pub fn client() -> Self {
- let client = rustls::ClientConfig::builder()
- .with_safe_defaults()
+ let provider = rustls::crypto::ring::default_provider();
+ let client = rustls::ClientConfig::builder_with_provider(provider.into())
+ .with_safe_default_protocol_versions()
+ .unwrap()
 .with_root_certificates(client_root_store())
 .with_no_client_auth();
 Config {
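Review bot: `PrivateKey::new` now aborts on bad input via `.expect("unknown or invalid key format")`, where the rustls 0.21 version stored any bytes and a bad key surfaced later as `Error::Tls` from `with_single_cert`; a public constructor that panics on operator-supplied key material is a behaviour change that the doc comment does not mention. At minimum add a `# Panics` section: `/// # Panics` / `/// Panics if `bytes` is not recognised as a DER-encoded private key.` Better, add `pub fn try_new(bytes: Vec<u8>) -> Result<Self, Error>` that maps the `try_from` error onto this crate's `Error` (its variants are outside the hunk) and let `new` delegate to it with the same `expect`. The existing "PKCS#8 or PKCS#1" wording is probably also incomplete now, since `PrivateKeyDer::try_from` presumably recognises SEC1 EC keys as well — worth confirming against rustls-pki-types before touching the doc.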
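Review bot: the bare `.unwrap()` after `with_safe_default_protocol_versions()` in `Config::client` gives a reader no way to tell whether this is a real failure path or a known-infallible call; with rustls's default version list and the `ring` provider it should not fail, so record that invariant instead: `.expect("ring provider supports rustls's default TLS protocol versions")`. If the tls12 feature ends up disabled by the Cargo.toml change, this is also the line that silently turns the client into TLS 1.3-only, which is worth a one-line comment at the call. `Config::client` continues past the end of the hunk.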
@@ -91,12 +101,12 @@ impl Config {
 /// Setup the rustls client configuration.
 fn client_root_store() -> rustls::RootCertStore {
 let mut client_root_store = rustls::RootCertStore::empty();
- client_root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
- rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
- ta.subject,
- ta.spki,
- ta.name_constraints,
- )
+ client_root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
+ rustls::pki_types::TrustAnchor {
+ subject: ta.subject.into(),
+ subject_public_key_info: ta.spki.into(),
+ name_constraints: ta.name_constraints.map(|v| v.into()),
+ }
 }));
 client_root_store
 }
@@ -114,8 +124,10 @@ impl Builder {
 I: IntoIterator,
 {
 let certs = certs.into_iter().map(|c| c.0).collect();
- let server = rustls::ServerConfig::builder()
- .with_safe_defaults()
+ let provider = rustls::crypto::ring::default_provider();
+ let server = rustls::ServerConfig::builder_with_provider(provider.into())
+ .with_safe_default_protocol_versions()
+ .unwrap()
 .with_no_client_auth()
 .with_single_cert(certs, key.0)
 .map_err(|e| Error::Tls(Box::new(e)))?;
@@ -126,15 +138,17 @@ impl Builder {
 /// Add an additional trust anchor.
 pub fn add_trust(&mut self, cert: &Certificate) -> Result<&mut Self, Error> {
 self.client_root_store
- .add(&cert.0)
+ .add(cert.0.to_owned())
 .map_err(|e| Error::Tls(Box::new(e)))?;
 Ok(self)
 }
 /// Finish configuration.
 pub fn finish(self) -> Config {
- let client = rustls::ClientConfig::builder()
- .with_safe_defaults()
+ let provider = rustls::crypto::ring::default_provider();
+ let client = rustls::ClientConfig::builder_with_provider(provider.into())
+ .with_safe_default_protocol_versions()
+ .unwrap()
 .with_root_certificates(self.client_root_store)
 .with_no_client_auth();
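Review bot: the hand-built `rustls::pki_types::TrustAnchor { subject: ta.subject.into(), … }` in `client_root_store` is only needed while webpki-roots still exports its pre-pki-types `TrustAnchor` (0.25 and older); from webpki-roots 0.26 on, `TLS_SERVER_ROOTS` already is `&[TrustAnchor<'static>]` and the closure collapses to `client_root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());`. The webpki-roots version is not visible in this diff, so treat this as a check rather than a defect. If the crate is still on 0.25, bumping it alongside rustls also refreshes the pinned root set that every WebSocket client built from `Config::client` trusts, which is the security-relevant part of this function.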
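Review bot: `Builder::finish` is the third place in this file that spells out `default_provider()` + `with_safe_default_protocol_versions().unwrap()` (after `Config::client` and the server builder at line 114), so the provider and version policy for client and server configs can now drift apart on a later edit; one helper that every builder calls keeps them in lock-step and gives the `unwrap` a stated reason. Separately, `cert.0.to_owned()` in `add_trust` on a `CertificateDer<'static>` resolves to `Clone::clone`; `cert.0.clone()` says what it actually does. `finish` continues past the end of the hunk.
```rust
/// The crypto provider every client and server config in this module is built on.
///
/// One constructor for all builders (`Config::client`, the server builder, `Builder::finish`)
/// so they cannot end up on different providers or version sets.
fn crypto_provider() -> std::sync::Arc<rustls::crypto::CryptoProvider> {
    std::sync::Arc::new(rustls::crypto::ring::default_provider())
}

// … unchanged: add_trust …

    pub fn finish(self) -> Config {
        let client = rustls::ClientConfig::builder_with_provider(crypto_provider())
            .with_safe_default_protocol_versions()
            .expect("ring provider supports rustls's default TLS protocol versions")
            .with_root_certificates(self.client_root_store)
            .with_no_client_auth();
```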
@@ -145,8 +159,9 @@ impl Builder {
 }
 }
-pub(crate) fn dns_name_ref(name: &str) -> Result {
- rustls::ServerName::try_from(name).map_err(|_| Error::InvalidDnsName(name.into()))
+pub(crate) fn dns_name_ref(name: &str) -> Result, Error> {
+ rustls::pki_types::ServerName::try_from(String::from(name))
+ .map_err(|_| Error::InvalidDnsName(name.into()))
 }
 // Error ////////////////////////////////////////////////////////////////////////////////////////
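Review bot: `dns_name_ref` now returns an owned `ServerName<'static>` built from a fresh `String`, so the `_ref` suffix describes the rustls 0.21 signature rather than this one, and the function carries no doc comment telling the caller in framed.rs what it gets back. Add `/// Parse `name` into an owned [`rustls::pki_types::ServerName`]; fails with `Error::InvalidDnsName` when rustls cannot parse it as a server name.` and consider renaming to `server_name` in a follow-up, since the call site in framed.rs is outside this hunk. `map_err(|_| …)` also discards the parse error; if `InvalidDnsName` can carry a reason, keeping it would make a misconfigured multiaddr easier to diagnose.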