Merge #62: Upgrade rustls and webpki version

68d2f23 Upgrade rustls and webpki version (Thomas Eizinger)

Pull request description:

ACKs for top commit:
  afilini:
    ACK 68d2f23

Tree-SHA512: 3578954d6629470742fec326525fb34377380c429ff51d5f15e128045161fc6fba4852a22089c2fa9e6bfa7c35ffbaf06eadb0f457fbcb414d15962b9283cd64

Author: afilini

Cargo.toml

@@ -23,11 +23,11 @@ serde = { version = "^1.0", features = ["derive"] }
 serde_json = { version = "^1.0" }
 
 # Optional dependencies
-socks = { version = "^0.3", optional = true }
-openssl = { version = "^0.10", optional = true }
-rustls = { version = "0.16.0", optional = true, features = ["dangerous_configuration"] }
-webpki = { version = "0.21.0", optional = true }
-webpki-roots = { version = "^0.19", optional = true }
+socks = { version = "0.3", optional = true }
+openssl = { version = "0.10", optional = true }
+rustls = { version = "0.20", optional = true, features = ["dangerous_configuration"] }
+webpki = { version = "0.22", optional = true }
+webpki-roots = { version = "0.22", optional = true }
 
 [features]
 default = ["proxy", "use-rustls"]

src/raw_client.rs

@@ -3,6 +3,7 @@
 //! This module contains the definition of the raw client that wraps the transport method
 
 use std::collections::{BTreeMap, BTreeSet, HashMap, VecDeque};
+use std::convert::TryFrom;
 use std::io::{BufRead, BufReader, Read, Write};
 use std::mem::drop;
 use std::net::{TcpStream, ToSocketAddrs};
@@ -24,7 +25,9 @@ use openssl::ssl::{SslConnector, SslMethod, SslStream, SslVerifyMode};
     any(feature = "default", feature = "use-rustls"),
     not(feature = "use-openssl")
 ))]
-use rustls::{ClientConfig, ClientSession, StreamOwned};
+use rustls::{
+    ClientConfig, ClientConnection, OwnedTrustAnchor, RootCertStore, ServerName, StreamOwned,
+};
 
 #[cfg(any(feature = "default", feature = "proxy"))]
 use socks::{Socks5Stream, TargetAddr, ToTargetAddr};
@@ -277,19 +280,23 @@ impl RawClient<ElectrumSslStream> {
 ))]
 mod danger {
     use rustls;
-    use webpki;
+    use rustls::client::ServerCertVerified;
+    use rustls::{Certificate, Error, ServerName};
+    use std::time::SystemTime;
 
     pub struct NoCertificateVerification {}
 
-    impl rustls::ServerCertVerifier for NoCertificateVerification {
+    impl rustls::client::ServerCertVerifier for NoCertificateVerification {
         fn verify_server_cert(
             &self,
-            _roots: &rustls::RootCertStore,
-            _presented_certs: &[rustls::Certificate],
-            _dns_name: webpki::DNSNameRef<'_>,
-            _ocsp: &[u8],
-        ) -> Result<rustls::ServerCertVerified, rustls::TLSError> {
-            Ok(rustls::ServerCertVerified::assertion())
+            _end_entity: &Certificate,
+            _intermediates: &[Certificate],
+            _server_name: &ServerName,
+            _scts: &mut dyn Iterator<Item = &[u8]>,
+            _ocsp_response: &[u8],
+            _now: SystemTime,
+        ) -> Result<ServerCertVerified, Error> {
+            Ok(ServerCertVerified::assertion())
         }
     }
 }
@@ -299,7 +306,7 @@ mod danger {
     not(feature = "use-openssl")
 ))]
 /// Transport type used to establish a Rustls TLS encrypted/authenticated connection with the server
-pub type ElectrumSslStream = StreamOwned<ClientSession, TcpStream>;
+pub type ElectrumSslStream = StreamOwned<ClientConnection, TcpStream>;
 #[cfg(all(
     any(feature = "default", feature = "use-rustls"),
     not(feature = "use-openssl")
@@ -341,26 +348,37 @@ impl RawClient<ElectrumSslStream> {
         validate_domain: bool,
         tcp_stream: TcpStream,
     ) -> Result<Self, Error> {
-        let mut config = ClientConfig::new();
-        if validate_domain {
+        let builder = ClientConfig::builder().with_safe_defaults();
+
+        let config = if validate_domain {
             socket_addr.domain().ok_or(Error::MissingDomain)?;
 
+            let mut store = RootCertStore::empty();
+            store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.into_iter().map(|t| {
+                OwnedTrustAnchor::from_subject_spki_name_constraints(
+                    t.subject,
+                    t.spki,
+                    t.name_constraints,
+                )
+            }));
+
             // TODO: cert pinning
-            config
-                .root_store
-                .add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
+            builder.with_root_certificates(store).with_no_client_auth()
         } else {
-            config
-                .dangerous()
-                .set_certificate_verifier(std::sync::Arc::new(danger::NoCertificateVerification {}))
-        }
+            builder
+                .with_custom_certificate_verifier(std::sync::Arc::new(
+                    danger::NoCertificateVerification {},
+                ))
+                .with_no_client_auth()
+        };
 
         let domain = socket_addr.domain().unwrap_or("NONE").to_string();
-        let session = ClientSession::new(
-            &std::sync::Arc::new(config),
-            webpki::DNSNameRef::try_from_ascii_str(&domain)
+        let session = ClientConnection::new(
+            std::sync::Arc::new(config),
+            ServerName::try_from(domain.as_str())
                 .map_err(|_| Error::InvalidDNSNameError(domain.clone()))?,
-        );
+        )
+        .map_err(Error::CouldNotCreateConnection)?;
         let stream = StreamOwned::new(session, tcp_stream);
 
         Ok(stream.into())

src/types.rs

@@ -303,6 +303,10 @@ pub enum Error {
     /// Broken IPC communication channel: the other thread probably has exited
     Mpsc,
 
+    #[cfg(feature = "use-rustls")]
+    /// Could not create a rustls client connection
+    CouldNotCreateConnection(rustls::Error),
+
     #[cfg(feature = "use-openssl")]
     /// Invalid OpenSSL method used
     InvalidSslMethod(openssl::error::ErrorStack),
@@ -323,6 +327,8 @@ impl Display for Error {
             Error::SslHandshakeError(e) => Display::fmt(e, f),
             #[cfg(feature = "use-openssl")]
             Error::InvalidSslMethod(e) => Display::fmt(e, f),
+            #[cfg(feature = "use-rustls")]
+            Error::CouldNotCreateConnection(e) => Display::fmt(e, f),
 
             Error::Message(e) => f.write_str(e),
             Error::InvalidDNSNameError(domain) => write!(f, "Invalid domain name {} not matching SSL certificate", domain),