Upgrade to rustls-0.22 and ring 0.7

Cargo.toml

@@ -1,4 +1,5 @@
 [workspace]
+resolver = "2"
 members = [
     "edgedb-errors",
     "edgedb-derive",

edgedb-protocol/Cargo.toml

@@ -12,7 +12,7 @@ readme = "README.md"
 rust-version = "1.65"
 
 [dependencies]
-bytes = "1.0.1"
+bytes = "1.5.0"
 snafu = {version="0.7.0"}
 uuid = "1.1.2"
 num-bigint = {version="0.4.3", optional=true}

edgedb-tokio/Cargo.toml

@@ -14,32 +14,30 @@ edgedb-protocol = {path = "../edgedb-protocol", version = "0.6.0" }
 edgedb-errors = {path = "../edgedb-errors", version = "0.4.1" }
 edgedb-derive = {path = "../edgedb-derive", version = "0.5.1", optional=true}
 tokio = { version="1.15", features=["net", "time", "sync", "macros"] }
-bytes = "1.0.1"
-scram = "0.6.0"
+bytes = "1.5.0"
+scram = { git="https://github.com/elprans/scram" }
 serde = { version="1.0", features=["derive"] }
 serde_json = { version="1.0", optional=true }
 sha1 = {version="0.10.1", features=["std"]}
 base16ct = {version="0.2.0", features=["alloc"]}
 log = "0.4.8"
 rand = "0.8"
 url = "2.1.1"
-tls-api = {version="0.9.0", default-features=false, features=["runtime-tokio"]}
-tls-api-not-tls = {version="0.9.0", default-features=false, features=["runtime-tokio"]}
-tls-api-rustls = {version="0.9.0", default-features=false, features=["runtime-tokio"]}
-rustls = {version="0.20.2", features=[
-    "dangerous_configuration",  # this allows insecure mode
-]}
-rustls-native-certs = "0.6.1"
-rustls-pemfile = "1.0.2"
-webpki = "0.22.0"
-webpki-roots = "0.22.2"
+tls-api = { git = "https://github.com/elprans/rust-tls-api.git", branch = "rustls-22", default-features=false, features=["runtime-tokio"]}
+tls-api-not-tls = { git = "https://github.com/elprans/rust-tls-api.git", branch = "rustls-22", default-features=false, features=["runtime-tokio"]}
+tls-api-rustls = { git = "https://github.com/elprans/rust-tls-api.git", branch = "rustls-22", default-features=false, features=["runtime-tokio"]}
+rustls = "0.22.2"
+rustls-native-certs = "0.7.0"
+rustls-pemfile = "2.0.0"
+webpki = { package = "rustls-webpki", version = "0.102.2", features = ["std"], default-features = false }
+webpki-roots = "0.26.1"
 async-trait = "0.1.52"
 anyhow = "1.0.53"  # needed for tls-api
 dirs = { version="5.0.0", optional=true }
 arc-swap = "1.5.1"
 once_cell = "1.9.0"
 tokio-stream = {version="0.1.11", optional=true}
-base64 = "0.21"
+base64 = "0.21.7"
 crc16 = "0.4.0"
 
 [target.'cfg(target_family="unix")'.dev-dependencies]

edgedb-tokio/src/builder.rs

@@ -10,7 +10,7 @@ use std::sync::Arc;
 use std::time::Duration;
 
 use base64::Engine;
-use rustls::client::ServerCertVerifier;
+use rustls::client::danger::ServerCertVerifier;
 use serde_json::from_slice;
 use sha1::Digest;
 use tokio::fs;
@@ -1539,9 +1539,9 @@ fn set_credentials(cfg: &mut ConfigInner, creds: &Credentials)
 }
 
 fn validate_certs(data: &str) -> Result<(), Error> {
-    let anchors = tls::OwnedTrustAnchor::read_all(data)
+    let root_store = tls::read_root_cert_pem(data)
         .map_err(|e| ClientError::with_source_ref(e))?;
-    if anchors.is_empty() {
+    if root_store.is_empty() {
         return Err(ClientError::with_message(
                 "PEM data contains no certificate"));
     }
@@ -1786,59 +1786,51 @@ impl ConfigInner {
             (_, ts) => Ok(ts),
         }
     }
-    fn trust_anchors(&self) -> Vec<tls::OwnedTrustAnchor> {
-        tls::OwnedTrustAnchor::read_all(
-            self.pem_certificates.as_deref().unwrap_or("")
-        ).expect("all certificates are verified before")
-    }
     fn root_cert_store(&self) -> rustls::RootCertStore {
-        use CloudCerts::*;
-
-        let mut roots = rustls::RootCertStore::empty();
         if self.pem_certificates.is_some() {
-            roots.add_server_trust_anchors(
-                self.trust_anchors().into_iter().map(Into::into)
-            );
+            tls::read_root_cert_pem(
+                self.pem_certificates.as_deref().unwrap_or("")
+            ).expect("all certificates have been verified previously")
         } else {
-            roots.add_server_trust_anchors(
-                webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
-                    rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
-                        ta.subject,
-                        ta.spki,
-                        ta.name_constraints,
-                    )
-                })
-            );
+            let mut root_store = rustls::RootCertStore {
+                roots: webpki_roots::TLS_SERVER_ROOTS.into()
+            };
             if let Some(certs) = self.cloud_certs {
                 let data = match certs {
                     // Staging certs retrieved from
                     // https://letsencrypt.org/docs/staging-environment/#root-certificates
-                    Staging => include_str!("letsencrypt_staging.pem"),
+                    CloudCerts::Staging => include_str!("letsencrypt_staging.pem"),
                     // Local nebula development root cert found in
                     // nebula/infra/terraform/local/ca/root.certificate.pem
-                    Local => include_str!("nebula_development.pem"),
+                    CloudCerts::Local => include_str!("nebula_development.pem"),
                 };
-                let pem = tls::OwnedTrustAnchor::read_all(data)
-                    .expect("embedded certs are correct");
-                roots.add_server_trust_anchors(
-                    pem.into_iter().map(Into::into)
+                root_store.extend(
+                    tls::read_root_cert_pem(data).expect("embedded certs are correct").roots
                 );
             }
+
+            root_store
         }
-        return roots;
     }
     fn make_verifier(&self, tls_security: TlsSecurity) -> Verifier {
         use TlsSecurity::*;
 
+        let root_store = Arc::new(self.root_cert_store());
+
         match tls_security {
-            Insecure => Arc::new(tls::NullVerifier) as Verifier,
-            NoHostVerification => Arc::new(tls::NoHostnameVerifier::new(
-                self.trust_anchors()
-            )) as Verifier,
-            Strict => Arc::new(rustls::client::WebPkiVerifier::new(
-                self.root_cert_store(),
-                None,
-            )) as Verifier,
+            Insecure => {
+                Arc::new(tls::NullVerifier) as Verifier
+            },
+            NoHostVerification => {
+                Arc::new(tls::NoHostnameVerifier::new(root_store)) as Verifier
+            },
+            Strict => {
+                rustls::client::WebPkiServerVerifier
+                    ::builder(root_store)
+                    .build()
+                    .expect("WebPkiServerVerifier to build correctly")
+                    as Verifier
+            },
             Default => unreachable!(),
         }
     }

edgedb-tokio/src/raw/connection.rs

@@ -18,7 +18,7 @@ use tokio::io::{AsyncWrite, AsyncWriteExt};
 use tokio::io::ReadBuf;
 use tokio::net::TcpStream;
 use tokio::time::{Instant, sleep, timeout_at};
-use webpki::DnsNameRef;
+use rustls::pki_types::DnsName;
 
 use edgedb_protocol::client_message::{ClientMessage, ClientHandshake};
 use edgedb_protocol::encoding::{Input, Output};
@@ -335,7 +335,7 @@ async fn connect3(cfg: &Config, tls: &TlsConnectorBox)
         Address::Tcp(addr@(host,_)) => {
             let conn = TcpStream::connect(addr).await
                 .map_err(ClientConnectionError::with_source)?;
-            let is_valid_dns = DnsNameRef::try_from_ascii_str(host).is_ok();
+            let is_valid_dns = DnsName::try_from(host.clone()).is_ok();
             let host = if !is_valid_dns {
                 // FIXME: https://github.com/rustls/rustls/issues/184
                 // If self.host is neither an IP address nor a valid DNS
@@ -778,7 +778,7 @@ fn is_temporary(e: &Error) -> bool {
 
 fn tls_fail(e: anyhow::Error) -> Error {
     if let Some(e) = e.downcast_ref::<rustls::Error>() {
-        if matches!(e, rustls::Error::CorruptMessage) {
+        if matches!(e, rustls::Error::InvalidMessage(_)) {
             return ProtocolTlsError::with_message(
                 "corrupt message, possibly server \
                  does not support TLS connection."