
Update dependencies for RUSTSEC-2023-0052 #487


2 changes: 2 additions & 0 deletions actix-tls/CHANGES.md
Expand Up @@ -3,6 +3,8 @@
## Unreleased - 2023-xx-xx

- Minimum supported Rust version (MSRV) is now 1.65.
- Update tokio-rustls to 0.24
- Update webpki-roots to 0.25

## 3.0.4 - 2022-03-15

6 changes: 3 additions & 3 deletions actix-tls/Cargo.toml
Expand Up @@ -58,8 +58,8 @@ tls-openssl = { package = "openssl", version = "0.10.48", optional = true }
tokio-openssl = { version = "0.6", optional = true }

# rustls
tokio-rustls = { version = "0.23", optional = true }
webpki-roots = { version = "0.22", optional = true }
tokio-rustls = { version = "0.24", optional = true }
webpki-roots = { version = "0.25", optional = true }

# native-tls
tokio-native-tls = { version = "0.3", optional = true }
Expand All @@ -74,7 +74,7 @@ futures-util = { version = "0.3.17", default-features = false, features = ["sink
log = "0.4"
rcgen = "0.10"
rustls-pemfile = "1"
tokio-rustls = { version = "0.23", features = ["dangerous_configuration"] }
tokio-rustls = { version = "0.24", features = ["dangerous_configuration"] }
trust-dns-resolver = "0.22"

[[example]]
49 changes: 25 additions & 24 deletions actix-tls/src/connect/rustls.rs
Expand Up @@ -35,14 +35,14 @@ pub mod reexports {
/// Returns standard root certificates from `webpki-roots` crate as a rustls certificate store.
pub fn webpki_roots_cert_store() -> RootCertStore {
let mut root_certs = RootCertStore::empty();
for cert in TLS_SERVER_ROOTS.0 {
for cert in TLS_SERVER_ROOTS {
let cert = OwnedTrustAnchor::from_subject_spki_name_constraints(
cert.subject,
cert.spki,
cert.name_constraints,
);
let certs = vec![cert].into_iter();
root_certs.add_server_trust_anchors(certs);
root_certs.add_trust_anchors(certs);
}
root_certs
}
Expand Down Expand Up @@ -106,44 +106,45 @@ where
let (stream, connection) = connection.replace_io(());

match ServerName::try_from(connection.hostname()) {
Ok(host) => ConnectFut::Future {
connect: RustlsTlsConnector::from(self.connector.clone()).connect(host, stream),
Ok(host) => ConnectFut {
connect: Some(
RustlsTlsConnector::from(self.connector.clone()).connect(host, stream),
),
connection: Some(connection),
},
Err(_) => ConnectFut::InvalidDns,
Err(_) => ConnectFut {
connect: None,
connection: None,
},
}
}
}

/// Connect future for Rustls service.
#[doc(hidden)]
pub enum ConnectFut<R, IO> {
/// See issue <https://github.com/briansmith/webpki/issues/54>
InvalidDns,
Future {
connect: RustlsConnect<IO>,
connection: Option<Connection<R, ()>>,
},
pub struct ConnectFut<R, IO> {
connect: Option<RustlsConnect<IO>>,
connection: Option<Connection<R, ()>>,
}

impl<R, IO> Future for ConnectFut<R, IO>
where
R: Host,
IO: ActixStream,
{
type Output = Result<Connection<R, AsyncTlsStream<IO>>, io::Error>;
type Output = io::Result<Connection<R, AsyncTlsStream<IO>>>;

fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
match self.get_mut() {
Self::InvalidDns => Poll::Ready(Err(
io::Error::new(io::ErrorKind::Other, "rustls currently only handles hostname-based connections. See https://github.com/briansmith/webpki/issues/54")
)),
Self::Future { connect, connection } => {
let stream = ready!(Pin::new(connect).poll(cx))?;
let connection = connection.take().unwrap();
trace!("TLS handshake success: {:?}", connection.hostname());
Poll::Ready(Ok(connection.replace_io(stream).1))
}
}
let Self {
connect,
connection,
} = self.get_mut();
let Some(connect) = connect else {
return Poll::Ready(Err(io::Error::new(io::ErrorKind::InvalidInput, "actix-tls currently only handles hostname-based connections")));
};
let stream = ready!(Pin::new(connect).poll(cx))?;
let connection = connection.take().unwrap();
trace!("TLS handshake success: {:?}", connection.hostname());
Poll::Ready(Ok(connection.replace_io(stream).1))
}
}
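Review bot: The new `ConnectFut` struct keeps `connect` and `connection` as two independent `Option` fields, so the state the old enum ruled out (`connect: Some(..)` with `connection: None`) is now representable and is only caught at runtime by the `connection.take().unwrap()` after the handshake completes. Folding the pair into one `inner: Option<(RustlsConnect<IO>, Connection<R, ()>)>` keeps that invariant in the type and leaves only the unavoidable "polled after completion" case to an `expect` with a stated reason; the two construction sites in `connect()`, whose body starts above this hunk, would then set `inner: Some((connector.connect(host, stream), connection))` and `inner: None`. Separately, the error for non-hostname connections changes from `ErrorKind::Other` to `ErrorKind::InvalidInput` and the message drops the webpki issue link; callers that match on the kind would observe that, so it seems worth a line in the CHANGES.md entry for this release.

```rust
pub struct ConnectFut<R, IO> {
    // `None` when `ServerName::try_from` rejected the hostname in `connect()`.
    inner: Option<(RustlsConnect<IO>, Connection<R, ()>)>,
}

// … unchanged: `impl<R, IO> Future for ConnectFut<R, IO>` header and `type Output` …
    fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
        let this = self.get_mut();
        let Some((connect, _)) = this.inner.as_mut() else {
            return Poll::Ready(Err(io::Error::new(io::ErrorKind::InvalidInput, "actix-tls currently only handles hostname-based connections")));
        };
        let stream = ready!(Pin::new(connect).poll(cx))?;
        // Reached once per future; polling again after `Ready` violates the Future contract.
        let (_, connection) = this.inner.take().expect("ConnectFut polled after completion");
        trace!("TLS handshake success: {:?}", connection.hostname());
        Poll::Ready(Ok(connection.replace_io(stream).1))
    }
```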