chore: update rustls & tungstenite crates

omjadas · Sep 15, 2024 · 834c824 · 834c824
1 parent 43e9924
commit 834c824
Show file tree

Hide file tree

Showing 16 changed files with 233 additions and 101 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -24,28 +24,29 @@ futures = "0.3.11"
 http = "1.1.0"
 http-body-util = "0.1.0"
 hyper = "1.1.0"
-hyper-rustls = { version = "0.26.0", default-features = false, features = ["http1", "logging", "ring", "tls12", "webpki-tokio"], optional = true }
+hyper-rustls = { version = "0.27.0", default-features = false, features = ["http1", "logging", "tls12", "webpki-tokio"], optional = true }
 hyper-tls = { version = "0.6.0", optional = true }
-hyper-tungstenite = "0.13.0"
+hyper-tungstenite = "0.15.0"
 hyper-util = { version="0.1.3", features = ["client-legacy", "server", "http1"] }
 moka = { version = "0.12.0", features = ["future"], optional = true }
 openssl = { version = "0.10.46", optional = true }
 rand = { version = "0.8.0", optional = true }
 rcgen = { version = "0.13.0", features = ["x509-parser"], optional = true }
 thiserror = "1.0.30"
-time = { version = "0.3.20", optional = true }
+time = { version = "0.3.35", optional = true }
 tokio = { version = "1.24.2", features = ["macros", "rt"] }
 tokio-graceful = "0.1.6"
-tokio-rustls = "0.25.0"
-tokio-tungstenite = "0.21.0"
+tokio-native-tls = { version = "0.3.1", optional = true }
+tokio-rustls = { version = "0.26.0", features = ["logging", "tls12"] }
+tokio-tungstenite = "0.24.0"
 tokio-util = { version = "0.7.1", features = ["io"], optional = true }
 tracing = { version = "0.1.35", features = ["log"] }
 
 [dev-dependencies]
 async-http-proxy = { version = "1.2.5", features = ["runtime-tokio"] }
 criterion = { version = "0.5.0", features = ["async_tokio"] }
 reqwest = "0.12.0"
-rustls-native-certs = "0.7.0"
+rustls-native-certs = "0.8.0"
 rustls-pemfile = "2.0.0"
 tokio = { version = "1.24.2", features = ["full"] }
 tokio-native-tls = "0.3.1"
@@ -57,7 +58,7 @@ decoder = ["dep:async-compression", "dep:tokio-util", "tokio/io-util"]
 default = ["decoder", "rcgen-ca", "rustls-client"]
 full = ["decoder", "http2", "native-tls-client", "openssl-ca", "rcgen-ca", "rustls-client"]
 http2 = ["hyper-util/http2", "hyper-rustls?/http2"]
-native-tls-client = ["dep:hyper-tls", "tokio-tungstenite/native-tls"]
+native-tls-client = ["dep:hyper-tls", "dep:tokio-native-tls", "tokio-tungstenite/native-tls"]
 openssl-ca = ["dep:openssl", "dep:moka"]
 rcgen-ca = ["dep:rcgen", "dep:moka", "dep:time", "dep:rand"]
 rustls-client = ["dep:hyper-rustls", "tokio-tungstenite/rustls-tls-webpki-roots"]

diff --git a/benches/certificate_authorities.rs b/benches/certificate_authorities.rs
@@ -4,6 +4,7 @@ use hudsucker::{
     certificate_authority::{CertificateAuthority, OpensslAuthority, RcgenAuthority},
     openssl::{hash::MessageDigest, pkey::PKey, x509::X509},
     rcgen::{CertificateParams, KeyPair},
+    rustls::crypto::aws_lc_rs,
 };
 
 fn runtime() -> tokio::runtime::Runtime {
@@ -21,7 +22,7 @@ fn build_rcgen_ca(cache_size: u64) -> RcgenAuthority {
         .self_signed(&key_pair)
         .expect("Failed to sign CA certificate");
 
-    RcgenAuthority::new(key_pair, ca_cert, cache_size)
+    RcgenAuthority::new(key_pair, ca_cert, cache_size, aws_lc_rs::default_provider())
 }
 
 fn build_openssl_ca(cache_size: u64) -> OpensslAuthority {
@@ -30,7 +31,13 @@ fn build_openssl_ca(cache_size: u64) -> OpensslAuthority {
     let private_key = PKey::private_key_from_pem(private_key).expect("Failed to parse private key");
     let ca_cert = X509::from_pem(ca_cert).expect("Failed to parse CA certificate");
 
-    OpensslAuthority::new(private_key, ca_cert, MessageDigest::sha256(), cache_size)
+    OpensslAuthority::new(
+        private_key,
+        ca_cert,
+        MessageDigest::sha256(),
+        cache_size,
+        aws_lc_rs::default_provider(),
+    )
 }
 
 fn compare_cas(c: &mut Criterion) {

diff --git a/benches/proxy.rs b/benches/proxy.rs
@@ -8,6 +8,7 @@ use hudsucker::{
         server::conn::auto,
     },
     rcgen::{CertificateParams, KeyPair},
+    rustls::crypto::aws_lc_rs,
     Body, Proxy,
 };
 use reqwest::Certificate;
@@ -33,7 +34,7 @@ fn build_ca() -> RcgenAuthority {
         .self_signed(&key_pair)
         .expect("Failed to sign CA certificate");
 
-    RcgenAuthority::new(key_pair, ca_cert, 1000)
+    RcgenAuthority::new(key_pair, ca_cert, 1000, aws_lc_rs::default_provider())
 }
 
 async fn test_server(req: Request<Incoming>) -> Result<Response<Body>, Infallible> {
@@ -145,12 +146,13 @@ async fn start_proxy(
     let (tx, rx) = tokio::sync::oneshot::channel();
     let proxy = Proxy::builder()
         .with_listener(listener)
-        .with_client(native_tls_client())
         .with_ca(ca)
+        .with_client(native_tls_client())
         .with_graceful_shutdown(async {
             rx.await.unwrap_or_default();
         })
-        .build();
+        .build()
+        .expect("Failed to create proxy");
 
     tokio::spawn(proxy.start());
 

diff --git a/examples/log.rs b/examples/log.rs
@@ -2,6 +2,7 @@ use hudsucker::{
     certificate_authority::RcgenAuthority,
     hyper::{Request, Response},
     rcgen::{CertificateParams, KeyPair},
+    rustls::crypto::aws_lc_rs,
     tokio_tungstenite::tungstenite::Message,
     *,
 };
@@ -52,16 +53,17 @@ async fn main() {
         .self_signed(&key_pair)
         .expect("Failed to sign CA certificate");
 
-    let ca = RcgenAuthority::new(key_pair, ca_cert, 1_000);
+    let ca = RcgenAuthority::new(key_pair, ca_cert, 1_000, aws_lc_rs::default_provider());
 
     let proxy = Proxy::builder()
         .with_addr(SocketAddr::from(([127, 0, 0, 1], 3000)))
-        .with_rustls_client()
         .with_ca(ca)
+        .with_rustls_client(aws_lc_rs::default_provider())
         .with_http_handler(LogHandler)
         .with_websocket_handler(LogHandler)
         .with_graceful_shutdown(shutdown_signal())
-        .build();
+        .build()
+        .expect("Failed to create proxy");
 
     if let Err(e) = proxy.start().await {
         error!("{}", e);

diff --git a/examples/noop.rs b/examples/noop.rs
@@ -1,6 +1,7 @@
 use hudsucker::{
     certificate_authority::RcgenAuthority,
     rcgen::{CertificateParams, KeyPair},
+    rustls::crypto::aws_lc_rs,
     *,
 };
 use std::net::SocketAddr;
@@ -24,14 +25,15 @@ async fn main() {
         .self_signed(&key_pair)
         .expect("Failed to sign CA certificate");
 
-    let ca = RcgenAuthority::new(key_pair, ca_cert, 1_000);
+    let ca = RcgenAuthority::new(key_pair, ca_cert, 1_000, aws_lc_rs::default_provider());
 
     let proxy = Proxy::builder()
         .with_addr(SocketAddr::from(([127, 0, 0, 1], 3000)))
-        .with_rustls_client()
         .with_ca(ca)
+        .with_rustls_client(aws_lc_rs::default_provider())
         .with_graceful_shutdown(shutdown_signal())
-        .build();
+        .build()
+        .expect("Failed to create proxy");
 
     if let Err(e) = proxy.start().await {
         error!("{}", e);

diff --git a/examples/openssl.rs b/examples/openssl.rs
@@ -2,6 +2,7 @@ use hudsucker::{
     certificate_authority::OpensslAuthority,
     hyper::{Request, Response},
     openssl::{hash::MessageDigest, pkey::PKey, x509::X509},
+    rustls::crypto::aws_lc_rs,
     tokio_tungstenite::tungstenite::Message,
     *,
 };
@@ -50,15 +51,22 @@ async fn main() {
         PKey::private_key_from_pem(private_key_bytes).expect("Failed to parse private key");
     let ca_cert = X509::from_pem(ca_cert_bytes).expect("Failed to parse CA certificate");
 
-    let ca = OpensslAuthority::new(private_key, ca_cert, MessageDigest::sha256(), 1_000);
+    let ca = OpensslAuthority::new(
+        private_key,
+        ca_cert,
+        MessageDigest::sha256(),
+        1_000,
+        aws_lc_rs::default_provider(),
+    );
 
     let proxy = Proxy::builder()
         .with_addr(SocketAddr::from(([127, 0, 0, 1], 3000)))
-        .with_rustls_client()
         .with_ca(ca)
+        .with_rustls_client(aws_lc_rs::default_provider())
         .with_http_handler(LogHandler)
         .with_graceful_shutdown(shutdown_signal())
-        .build();
+        .build()
+        .expect("Failed to create proxy");
 
     if let Err(e) = proxy.start().await {
         error!("{}", e);

diff --git a/rustfmt.toml b/rustfmt.toml
@@ -1,2 +1,3 @@
+format_code_in_doc_comments = true
 imports_granularity = "Crate"
 newline_style = "Unix"
diff --git a/src/certificate_authority/openssl_authority.rs b/src/certificate_authority/openssl_authority.rs
@@ -15,6 +15,7 @@ use std::{
     time::{Duration, SystemTime},
 };
 use tokio_rustls::rustls::{
+    crypto::CryptoProvider,
     pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer},
     ServerConfig,
 };
@@ -32,14 +33,21 @@ use tracing::debug;
 /// use hudsucker::{
 ///     certificate_authority::OpensslAuthority,
 ///     openssl::{hash::MessageDigest, pkey::PKey, x509::X509},
+///     rustls::crypto::aws_lc_rs,
 /// };
 ///
 /// let private_key_bytes: &[u8] = include_bytes!("../../examples/ca/hudsucker.key");
 /// let ca_cert_bytes: &[u8] = include_bytes!("../../examples/ca/hudsucker.cer");
 /// let private_key = PKey::private_key_from_pem(private_key_bytes).unwrap();
 /// let ca_cert = X509::from_pem(ca_cert_bytes).unwrap();
 ///
-/// let ca = OpensslAuthority::new(private_key, ca_cert, MessageDigest::sha256(), 1_000);
+/// let ca = OpensslAuthority::new(
+///     private_key,
+///     ca_cert,
+///     MessageDigest::sha256(),
+///     1_000,
+///     aws_lc_rs::default_provider(),
+/// );
 /// ```
 #[cfg_attr(docsrs, doc(cfg(feature = "openssl-ca")))]
 pub struct OpensslAuthority {
@@ -48,11 +56,18 @@ pub struct OpensslAuthority {
     ca_cert: X509,
     hash: MessageDigest,
     cache: Cache<Authority, Arc<ServerConfig>>,
+    provider: Arc<CryptoProvider>,
 }
 
 impl OpensslAuthority {
     /// Creates a new openssl authority.
-    pub fn new(pkey: PKey<Private>, ca_cert: X509, hash: MessageDigest, cache_size: u64) -> Self {
+    pub fn new(
+        pkey: PKey<Private>,
+        ca_cert: X509,
+        hash: MessageDigest,
+        cache_size: u64,
+        provider: CryptoProvider,
+    ) -> Self {
         let private_key = PrivateKeyDer::from(PrivatePkcs8KeyDer::from(
             pkey.private_key_to_pkcs8()
                 .expect("Failed to encode private key"),
@@ -67,6 +82,7 @@ impl OpensslAuthority {
                 .max_capacity(cache_size)
                 .time_to_live(Duration::from_secs(CACHE_TTL))
                 .build(),
+            provider: Arc::new(provider),
         }
     }
 
@@ -120,7 +136,9 @@ impl CertificateAuthority for OpensslAuthority {
             .gen_cert(authority)
             .unwrap_or_else(|_| panic!("Failed to generate certificate for {}", authority))];
 
-        let mut server_cfg = ServerConfig::builder()
+        let mut server_cfg = ServerConfig::builder_with_provider(Arc::clone(&self.provider))
+            .with_safe_default_protocol_versions()
+            .expect("Failed to specify protocol versions")
             .with_no_client_auth()
             .with_single_cert(certs, self.private_key.clone_key())
             .expect("Failed to build ServerConfig");
@@ -144,6 +162,7 @@ impl CertificateAuthority for OpensslAuthority {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use tokio_rustls::rustls::crypto::aws_lc_rs;
 
     fn build_ca(cache_size: u64) -> OpensslAuthority {
         let private_key_bytes: &[u8] = include_bytes!("../../examples/ca/hudsucker.key");
@@ -152,7 +171,13 @@ mod tests {
             PKey::private_key_from_pem(private_key_bytes).expect("Failed to parse private key");
         let ca_cert = X509::from_pem(ca_cert_bytes).expect("Failed to parse CA certificate");
 
-        OpensslAuthority::new(private_key, ca_cert, MessageDigest::sha256(), cache_size)
+        OpensslAuthority::new(
+            private_key,
+            ca_cert,
+            MessageDigest::sha256(),
+            cache_size,
+            aws_lc_rs::default_provider(),
+        )
     }
 
     #[test]

diff --git a/src/certificate_authority/rcgen_authority.rs b/src/certificate_authority/rcgen_authority.rs
@@ -8,6 +8,7 @@ use rcgen::{
 use std::sync::Arc;
 use time::{Duration, OffsetDateTime};
 use tokio_rustls::rustls::{
+    crypto::CryptoProvider,
     pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer},
     ServerConfig,
 };
@@ -22,7 +23,7 @@ use tracing::debug;
 /// # Examples
 ///
 /// ```rust
-/// use hudsucker::{certificate_authority::RcgenAuthority, rustls};
+/// use hudsucker::{certificate_authority::RcgenAuthority, rustls::crypto::aws_lc_rs};
 /// use rcgen::{CertificateParams, KeyPair};
 ///
 /// let key_pair = include_str!("../../examples/ca/hudsucker.key");
@@ -33,19 +34,25 @@ use tracing::debug;
 ///     .self_signed(&key_pair)
 ///     .expect("Failed to sign CA certificate");
 ///
-/// let ca = RcgenAuthority::new(key_pair, ca_cert, 1_000);
+/// let ca = RcgenAuthority::new(key_pair, ca_cert, 1_000, aws_lc_rs::default_provider());
 /// ```
 #[cfg_attr(docsrs, doc(cfg(feature = "rcgen-ca")))]
 pub struct RcgenAuthority {
     key_pair: KeyPair,
     ca_cert: Certificate,
     private_key: PrivateKeyDer<'static>,
     cache: Cache<Authority, Arc<ServerConfig>>,
+    provider: Arc<CryptoProvider>,
 }
 
 impl RcgenAuthority {
     /// Creates a new rcgen authority.
-    pub fn new(key_pair: KeyPair, ca_cert: Certificate, cache_size: u64) -> Self {
+    pub fn new(
+        key_pair: KeyPair,
+        ca_cert: Certificate,
+        cache_size: u64,
+        provider: CryptoProvider,
+    ) -> Self {
         let private_key = PrivateKeyDer::from(PrivatePkcs8KeyDer::from(key_pair.serialize_der()));
 
         Self {
@@ -56,6 +63,7 @@ impl RcgenAuthority {
                 .max_capacity(cache_size)
                 .time_to_live(std::time::Duration::from_secs(CACHE_TTL))
                 .build(),
+            provider: Arc::new(provider),
         }
     }
 
@@ -92,7 +100,9 @@ impl CertificateAuthority for RcgenAuthority {
 
         let certs = vec![self.gen_cert(authority)];
 
-        let mut server_cfg = ServerConfig::builder()
+        let mut server_cfg = ServerConfig::builder_with_provider(Arc::clone(&self.provider))
+            .with_safe_default_protocol_versions()
+            .expect("Failed to specify protocol versions")
             .with_no_client_auth()
             .with_single_cert(certs, self.private_key.clone_key())
             .expect("Failed to build ServerConfig");
@@ -116,6 +126,7 @@ impl CertificateAuthority for RcgenAuthority {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use tokio_rustls::rustls::crypto::aws_lc_rs;
 
     fn build_ca(cache_size: u64) -> RcgenAuthority {
         let key_pair = include_str!("../../examples/ca/hudsucker.key");
@@ -126,7 +137,7 @@ mod tests {
             .self_signed(&key_pair)
             .expect("Failed to sign CA certificate");
 
-        RcgenAuthority::new(key_pair, ca_cert, cache_size)
+        RcgenAuthority::new(key_pair, ca_cert, cache_size, aws_lc_rs::default_provider())
     }
 
     #[test]