

chore: upgrade rustls to 0.23 (#29)
Co-authored-by: snek <the@snek.dev>
bartlomieju and devsnek authored Jul 10, 2024
1 parent 3814237 commit 8237025
Showing 4 changed files with 86 additions and 53 deletions.
42 changes: 27 additions & 15 deletions Cargo.lock


4 changes: 2 additions & 2 deletions Cargo.toml
Expand Up @@ -13,11 +13,11 @@ trace = []

[dependencies]
tokio = { version = "1", features = [ "io-util", "net", "rt", "sync" ] }
rustls = "0.21"
rustls = { version = "0.23", default-features = false, features = ["logging", "std", "tls12", "ring"] }
futures = "0.3"
socket2 = "0.5"

[dev_dependencies]
[dev-dependencies]
tokio = { version = "1", features = [ "full" ] }
rustls-pemfile = "2.0.0"
ntest = "0.9"
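Review bot: With `default-features = false` the manifest now selects a single crypto backend through the `ring` feature, and rustls 0.23 only auto-selects the process default `CryptoProvider` from crate features when exactly one provider feature is enabled; if a consumer also turns on another provider feature such as `aws_lc_rs` (Cargo unifies features across the graph), `ServerConfig::builder()` panics unless a default provider was installed first. Since this crate receives its `ServerConfig` from users through `ServerConfigProvider`, that failure would show up in consumers rather than here, so it deserves a sentence in the crate docs. The feature list should also say why TLS 1.2 stays on, e.g. `# tls12: keep TLS 1.2 clients working; remove to accept TLS 1.3 only`, so the next bump does not drop it by accident.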
9 changes: 9 additions & 0 deletions src/adapter.rs
@@ -1,5 +1,6 @@
// Copyright 2018-2023 the Deno authors. All rights reserved. MIT license.
use crate::trace;
use rustls::server::AcceptedAlert;
use rustls::server::Acceptor;
use rustls::Connection;
use std::io;
Expand Down Expand Up @@ -107,3 +108,11 @@ pub fn read_acceptor(
let mut read = ImplementReadTrait(tcp);
acceptor.read_tls(&mut read)
}

pub fn write_acceptor_alert(
tcp: &TcpStream,
mut alert: AcceptedAlert,
) -> io::Result<()> {
let mut write = ImplementWriteTrait(tcp);
alert.write_all(&mut write)
}
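Review bot: `write_acceptor_alert` takes the alert by value and calls `write_all` on `ImplementWriteTrait`, which presumably forwards to `TcpStream::try_write` (the callers drive `read_acceptor` with `readable().await`, so the write side is likely non-blocking as well); a `WouldBlock` partway through the record then comes back as an error, the remaining alert bytes are dropped, and the moved `alert` cannot be retried. `AcceptedAlert::write` exists for exactly this: it returns the bytes written and is called repeatedly until it yields `Ok(0)`, so `pub fn write_acceptor_alert(tcp: &TcpStream, alert: &mut AcceptedAlert) -> io::Result<usize>` with body `alert.write(&mut write)` lets the async callers in src/stream.rs loop with `tcp_handshake.writable().await?` between calls, the same way `read_acceptor` is driven. The function is public and undocumented; a `///` stating that it sends the alert rustls generated for a rejected ClientHello, and that a short write leaves the alert incomplete on the wire, would help the next reader. `ImplementWriteTrait` is defined outside the hunk, so the non-blocking assumption should be confirmed there.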
84 changes: 48 additions & 36 deletions src/stream.rs
Expand Up @@ -4,6 +4,7 @@ use crate::adapter::clone_error;
use crate::adapter::clone_result;
use crate::adapter::read_acceptor;
use crate::adapter::rustls_to_io_error;
use crate::adapter::write_acceptor_alert;
use crate::connection_stream::ConnectionStream;
use crate::handshake::handshake_task;
use crate::handshake::HandshakeResult;
Expand Down Expand Up @@ -178,42 +179,55 @@ impl TlsStream {
server_config_provider: ServerConfigProvider,
) -> Result<ServerConnection, io::Error> {
let mut acceptor = Acceptor::default();
let tls = loop {
loop {
tcp_handshake.readable().await?;
read_acceptor(&tcp_handshake, &mut acceptor)?;
if let Some(accepted) = acceptor.accept().map_err(rustls_to_io_error)? {
let config = match server_config_provider(accepted.client_hello()).await
{
Ok(config) => config,
Err(err) => {
// This is a bad case. The provider was supposed to give us a config, but instead it failed.
//
// There's no easy way to reject an acceptor, and we only have an Arc for the stream so we can't close
// it. Instead we send a fatal alert manually which is effectively going to close the stream.
//
// Wireshark packet decode:
// TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Close Notify)
// Content Type: Alert (21)
// Version: TLS 1.2 (0x0303)
// Length: 2
// Alert Message
// Level: Fatal (2)
// Description: Close Notify (0)
const FATAL_ALERT: &[u8] = b"\x15\x03\x03\x00\x02\x02\x00";
for c in FATAL_ALERT {
tcp_handshake.writable().await?;
tcp_handshake.try_write(&[*c])?;
}
return Err(err);
read_acceptor(tcp_handshake, &mut acceptor)?;

let accepted = match acceptor.accept() {
Ok(Some(accepted)) => accepted,
Ok(None) => continue,
Err((e, alert)) => {
tcp_handshake.writable().await?;
write_acceptor_alert(tcp_handshake, alert)?;
return Err(rustls_to_io_error(e));
}
};

let config = match server_config_provider(accepted.client_hello()).await {
Ok(config) => config,
Err(err) => {
// This is a bad case. The provider was supposed to give us a config, but instead it failed.
//
// There's no easy way to reject an acceptor, and we only have an Arc for the stream so we can't close
// it. Instead we send a fatal alert manually which is effectively going to close the stream.
//
// Wireshark packet decode:
// TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Close Notify)
// Content Type: Alert (21)
// Version: TLS 1.2 (0x0303)
// Length: 2
// Alert Message
// Level: Fatal (2)
// Description: Close Notify (0)
const FATAL_ALERT: &[u8] = b"\x15\x03\x03\x00\x02\x02\x00";
for c in FATAL_ALERT {
tcp_handshake.writable().await?;
tcp_handshake.try_write(&[*c])?;
}
};
let tls = accepted
.into_connection(config)
.map_err(rustls_to_io_error)?;
break tls;
return Err(err);
}
};
match accepted.into_connection(config) {
Ok(tls) => {
return Ok(tls);
}
Err((e, alert)) => {
tcp_handshake.writable().await?;
write_acceptor_alert(tcp_handshake, alert)?;
return Err(rustls_to_io_error(e));
}
}
};
Ok(tls)
}
}

fn new_server_acceptor(
Expand Down Expand Up @@ -2092,9 +2106,7 @@ pub(super) mod tests {
#[rstest]
#[case(true, 1024, 1024, 1024)]
#[case(false, 1024, 1024, 1024)]
// Note that because we did the handshake first here, we lose a bit of buffer space due to
// TLS overhead on the first small write.
#[case(true, 1002, 16, 1024)]
#[case(true, 1024, 16, 1024)]
#[case(false, 1024, 16, 1024)]
#[case(true, 1024, 10000, 1)]
#[case(false, 1024, 10000, 1)]
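Review bot: In the `Err((e, alert))` arm of `acceptor.accept()`, `write_acceptor_alert(tcp_handshake, alert)?` returns the socket error whenever the alert cannot be written (peer already gone, or `WouldBlock` on the non-blocking stream), so the rustls handshake error `e` — the one diagnostic that says why a ClientHello was rejected — never reaches the caller; the `into_connection` arm a few lines further down has the same shape. The connection is being torn down either way and the alert is a courtesy to the peer, so keep it best-effort and surface the rustls error: `// best-effort: the peer gets the alert if the socket still accepts writes` / `let _ = write_acceptor_alert(tcp_handshake, alert);` / `return Err(rustls_to_io_error(e));`. The hand-built `FATAL_ALERT` loop for the provider-failure path is now the only place that writes raw record bytes; a one-line comment saying rustls gives no `AcceptedAlert` for that case would stop someone from "simplifying" it with the new helper. The enclosing method starts before the hunk.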

