Merge branch 'connection-overhaul' into develop

Cargo.toml

@@ -38,28 +38,34 @@ anyhow = "1.0.86"
 assert_matches = "1.5"
 async-trait = "0.1.73"
 btdht = { git = "https://github.com/equalitie/btdht.git", rev = "e7ddf5607b20f0b82cbc3ea6259425c00bd8d16b" }
-bytes = "1.5.0"
+bytes = "1.7.1"
 camino = "1.1.6"
 chrono = { version = "0.4.31", default-features = false, features = ["clock"] }
 clap = { version = "4.4.6", features = ["derive"] }
 futures-util = { version = "0.3.30", default-features = false }
+hex_fmt = "0.3.0"
 metrics = "0.22.0"
 metrics-exporter-prometheus = { version = "0.13.0", default-features = false }
 metrics-util = { version = "0.16.0", default-features = false }
 num_enum = { version = "0.7.0", default-features = false }
 once_cell = "1.18.0"
+pin-project-lite = "0.2.13"
+proptest = "1.5"
 rand = { package = "ouisync-rand", path = "rand" }
-rcgen = { version = "0.11.3", default-features = false }
+rcgen = "0.13"
 rmp-serde = "1.1.0"
-rustls = { version = "0.21.0", default-features = false }
+rustls = { version = "0.23.5", default-features = false }
 serde = { version = "1.0", features = ["derive", "rc"] }
 serde_bytes = "0.11.8"
 serde_json = "1.0.94"
+similar-asserts = "1.5.0"
+slab = "0.4.9"
 sqlx = { version = "0.7.4", default-features = false, features = ["runtime-tokio", "sqlite"] }
 tempfile = "3.2"
+test-strategy = "0.4.0"
 thiserror = "1.0.49"
 tokio = { version = "1.38.0", default-features = false }
-tokio-rustls = "0.24.1"
+tokio-rustls = { version = "0.26", default-features = false }
 tokio-stream = { version = "0.1.15", default-features = false }
 tokio-util = "0.7.11"
 tracing = { version = "0.1.38" }

bridge/Cargo.toml

@@ -29,11 +29,11 @@ serde_json = { workspace = true }
 state_monitor = { path = "../state_monitor" }
 thiserror = { workspace = true }
 tokio = { workspace = true }
-tokio-tungstenite = { version = "0.20.0", features = ["rustls-tls-webpki-roots"] }
+tokio-tungstenite = { version = "0.23.1", features = ["rustls-tls-webpki-roots"] }
 tokio-rustls = { workspace = true }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true, features = ["env-filter", "json"] }
-webpki-roots = "0.22.6"
+webpki-roots = "0.26.5"
 
 [target.'cfg(target_os = "android")'.dependencies]
 libc = "0.2.147"

bridge/src/transport/remote.rs

@@ -21,7 +21,11 @@ use tokio::{
     task::JoinSet,
 };
 use tokio_rustls::{
-    rustls::{self, ConnectionCommon},
+    rustls::{
+        self,
+        pki_types::{CertificateDer, PrivateKeyDer},
+        ConnectionCommon,
+    },
     TlsAcceptor,
 };
 use tokio_tungstenite::{
@@ -32,11 +36,10 @@ use tracing::Instrument;
 
 /// Shared config for `RemoteServer`
 pub fn make_server_config(
-    cert_chain: Vec<rustls::Certificate>,
-    key: rustls::PrivateKey,
+    cert_chain: Vec<CertificateDer<'static>>,
+    key: PrivateKeyDer<'static>,
 ) -> io::Result<Arc<rustls::ServerConfig>> {
     let config = rustls::ServerConfig::builder()
-        .with_safe_defaults()
         .with_no_client_auth()
         .with_single_cert(cert_chain, key)
         .map_err(|error| io::Error::new(io::ErrorKind::InvalidInput, error))?;
@@ -46,28 +49,25 @@ pub fn make_server_config(
 
 /// Shared config for `RemoteClient`
 pub fn make_client_config(
-    additional_root_certs: &[rustls::Certificate],
+    additional_root_certs: &[CertificateDer<'_>],
 ) -> io::Result<Arc<rustls::ClientConfig>> {
     let mut root_cert_store = rustls::RootCertStore::empty();
 
     // Add default root certificates
-    root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
-        rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
-            ta.subject,
-            ta.spki,
-            ta.name_constraints,
-        )
-    }));
+    root_cert_store.extend(
+        webpki_roots::TLS_SERVER_ROOTS
+            .iter()
+            .map(|ta| ta.to_owned()),
+    );
 
     // Add custom root certificates (if any)
     for cert in additional_root_certs {
         root_cert_store
-            .add(cert)
+            .add(cert.clone())
             .map_err(|error| io::Error::new(io::ErrorKind::InvalidData, error))?;
     }
 
     let config = rustls::ClientConfig::builder()
-        .with_safe_defaults()
         .with_root_certificates(root_cert_store)
         .with_no_client_auth();
 
@@ -289,6 +289,7 @@ mod tests {
         sync::atomic::{AtomicUsize, Ordering},
     };
     use tokio::task;
+    use tokio_rustls::rustls::pki_types::PrivatePkcs8KeyDer;
 
     #[tokio::test]
     async fn basic() {
@@ -350,10 +351,10 @@ mod tests {
 
     fn make_configs() -> (Arc<rustls::ServerConfig>, Arc<rustls::ClientConfig>) {
         let gen = rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
-        let cert = rustls::Certificate(gen.serialize_der().unwrap());
-        let key = rustls::PrivateKey(gen.serialize_private_key_der());
+        let cert = CertificateDer::from(gen.cert);
+        let key = PrivatePkcs8KeyDer::from(gen.key_pair.serialize_der());
 
-        let server_config = make_server_config(vec![cert.clone()], key).unwrap();
+        let server_config = make_server_config(vec![cert.clone()], key.into()).unwrap();
         let client_config = make_client_config(&[cert]).unwrap();
 
         (server_config, client_config)

bridge/src/transport/tls.rs

@@ -2,10 +2,10 @@
 
 use std::{io, path::Path};
 use tokio::fs;
-use tokio_rustls::rustls::{Certificate, PrivateKey};
+use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
 
 /// Loads all certificates in the given directory (non-recursively).
-pub async fn load_certificates_from_dir(dir: &Path) -> io::Result<Vec<Certificate>> {
+pub async fn load_certificates_from_dir(dir: &Path) -> io::Result<Vec<CertificateDer<'static>>> {
     let mut read_dir = match fs::read_dir(dir).await {
         Ok(read_dir) => read_dir,
         Err(error) if error.kind() == io::ErrorKind::NotFound => return Ok(Vec::new()),
@@ -33,17 +33,22 @@ pub async fn load_certificates_from_dir(dir: &Path) -> io::Result<Vec<Certificat
 }
 
 /// Loads certificates from the given file.
-pub async fn load_certificates_from_file(path: impl AsRef<Path>) -> io::Result<Vec<Certificate>> {
+pub async fn load_certificates_from_file(
+    path: impl AsRef<Path>,
+) -> io::Result<Vec<CertificateDer<'static>>> {
     load_pems(path.as_ref(), "CERTIFICATE")
         .await
-        .map(|pems| pems.map(Certificate).collect())
+        .map(|pems| pems.map(|content| content.into()).collect())
 }
 
 /// Loads private keys from the given file.
-pub async fn load_keys_from_file(path: impl AsRef<Path>) -> io::Result<Vec<PrivateKey>> {
-    load_pems(path.as_ref(), "PRIVATE KEY")
-        .await
-        .map(|pems| pems.map(PrivateKey).collect())
+pub async fn load_keys_from_file(
+    path: impl AsRef<Path>,
+) -> io::Result<Vec<PrivateKeyDer<'static>>> {
+    load_pems(path.as_ref(), "PRIVATE KEY").await.map(|pems| {
+        pems.map(|content| PrivatePkcs8KeyDer::from(content).into())
+            .collect()
+    })
 }
 
 async fn load_pems<'a>(

cli/Cargo.toml

@@ -22,8 +22,7 @@ chrono = { workspace = true }
 clap = { workspace = true }
 dirs = "4.0.0"
 futures-util = { workspace = true }
-hyper = { version = "0.14.27", features = ["server", "http1", "http2"] }
-hyper-rustls = { version = "0.24.1", default-features = false, features = ["acceptor"] }
+hyper = { version = "1.4.1", features = ["server", "http1"] }
 interprocess = { version = "1.2.1", features = ["tokio_support"] }
 maxminddb = "0.23.0"
 metrics = { workspace = true }
@@ -32,12 +31,12 @@ ouisync-bridge = { path = "../bridge" }
 ouisync-lib = { package = "ouisync", path = "../lib" }
 ouisync-vfs = { path = "../vfs" }
 rand = { workspace = true }
-rustls = { workspace = true }
 scoped_task = { path = "../scoped_task" }
 serde = { workspace = true }
 state_monitor = { path = "../state_monitor" }
 thiserror = { workspace = true }
 tokio = { workspace = true, features = ["signal", "io-std"] }
+tokio-rustls = { workspace = true }
 tokio-stream = { workspace = true }
 tokio-util = { workspace = true, features = ["codec", "compat"] }
 tracing = { workspace = true }

cli/src/handler/remote.rs

@@ -205,11 +205,14 @@ mod tests {
         make_client_config, make_server_config, RemoteClient, RemoteServer,
     };
     use ouisync_lib::{crypto::sign::Keypair, AccessMode, WriteSecrets};
-    use rustls::{Certificate, ClientConfig, PrivateKey};
     use state_monitor::StateMonitor;
     use std::net::Ipv4Addr;
     use tempfile::TempDir;
     use tokio::task;
+    use tokio_rustls::rustls::{
+        pki_types::{CertificateDer, PrivatePkcs8KeyDer},
+        ClientConfig,
+    };
 
     #[test]
     fn insert_separators_test() {
@@ -467,11 +470,11 @@ mod tests {
             mount_dir: temp_dir.path().join("mount"),
         };
 
-        let certs = rcgen::generate_simple_self_signed(vec!["localhost".to_owned()]).unwrap();
-        let cert = Certificate(certs.serialize_der().unwrap());
-        let private_key = PrivateKey(certs.serialize_private_key_der());
+        let gen = rcgen::generate_simple_self_signed(vec!["localhost".to_owned()]).unwrap();
+        let cert = CertificateDer::from(gen.cert);
+        let private_key = PrivatePkcs8KeyDer::from(gen.key_pair.serialize_der());
 
-        let server_config = make_server_config(vec![cert.clone()], private_key).unwrap();
+        let server_config = make_server_config(vec![cert.clone()], private_key.into()).unwrap();
         let client_config = make_client_config(&[cert]).unwrap();
 
         let state = State::init(&dirs, StateMonitor::make_root()).await.unwrap();