meshtls-rustls: update to rustls 0.20 and tokio-rustls 0.23 (#1362)

This branch updates linkerd-meshtls-rustls to use rustls version
0.20, tokio-rustls 0.23, and webpki 0.22.

Co-authored-by: Oliver Gould <[email protected]>

Author: hawkw

Cargo.lock

@@ -945,6 +945,7 @@ dependencies = [
  "linkerd-tracing",
  "linkerd2-proxy-api",
  "regex",
+ "rustls-pemfile",
  "socket2 0.4.2",
  "tokio",
  "tokio-rustls",
@@ -953,7 +954,6 @@ dependencies = [
  "tower",
  "tracing",
  "tracing-subscriber",
- "webpki",
 ]
 
 [[package]]
@@ -1235,6 +1235,7 @@ dependencies = [
  "linkerd-tls",
  "linkerd-tls-test-util",
  "ring",
+ "rustls-pemfile",
  "thiserror",
  "tokio",
  "tokio-rustls",
@@ -2171,17 +2172,25 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.19.1"
+version = "0.20.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "35edb675feee39aec9c99fa5ff985081995a06d594114ae14cbe797ad7b7a6d7"
+checksum = "9b5ac6078ca424dc1d3ae2328526a76787fecc7f8011f520e3276730e711fc95"
 dependencies = [
- "base64",
  "log",
  "ring",
  "sct",
  "webpki",
 ]
 
+[[package]]
+name = "rustls-pemfile"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9"
+dependencies = [
+ "base64",
+]
+
 [[package]]
 name = "ryu"
 version = "1.0.5"
@@ -2196,9 +2205,9 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
 
 [[package]]
 name = "sct"
-version = "0.6.1"
+version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b362b83898e0e69f38515b82ee15aa80636befe47c3b6d3d89a911e78fc228ce"
+checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4"
 dependencies = [
  "ring",
  "untrusted",
@@ -2446,9 +2455,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-rustls"
-version = "0.22.0"
+version = "0.23.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6"
+checksum = "4baa378e417d780beff82bf54ceb0d195193ea6a00c14e22359e7f39456b5689"
 dependencies = [
  "rustls",
  "tokio",
@@ -2866,8 +2875,8 @@ dependencies = [
 
 [[package]]
 name = "webpki"
-version = "0.21.4"
-source = "git+https://github.com/linkerd/webpki?branch=cert-dns-names-0.21#a4acca51d3dab4c99680e570dd4498b0c8b13b94"
+version = "0.22.0"
+source = "git+https://github.com/linkerd/webpki?branch=cert-dns-names-0.22#a26def03ec88d3b69542ccd2f0073369ecedc4f9"
 dependencies = [
  "ring",
  "untrusted",

Cargo.toml

@@ -76,4 +76,4 @@ debug = false
 lto = true
 
 [patch.crates-io]
-webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.21" }
+webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.22" }

linkerd/app/inbound/fuzz/Cargo.toml

@@ -35,4 +35,4 @@ test = true
 doc = false
 
 [patch.crates-io]
-webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.21"}
+webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.22"}

linkerd/app/integration/Cargo.toml

@@ -33,11 +33,11 @@ regex = "1"
 socket2 = "0.4"
 tokio = { version = "1", features = ["io-util", "net", "rt", "macros"] }
 tokio-stream = { version = "0.1.8", features = ["sync"] }
-tokio-rustls = "0.22"
+tokio-rustls = "0.23.1"
+rustls-pemfile = "0.2.1"
 tower = { version = "0.4.10", default-features = false }
 tonic = { version = "0.6", default-features = false }
 tracing = "0.1.29"
-webpki = "0.21"
 tracing-subscriber = { version = "0.3", default-features = false, features = ["fmt", "std"] }
 
 [dev-dependencies]

linkerd/app/integration/src/client.rs

@@ -1,14 +1,16 @@
 use super::*;
 use linkerd_app_core::proxy::http::trace;
 use std::io;
-use std::sync::{Arc, Mutex};
+use std::{
+    convert::TryFrom,
+    sync::{Arc, Mutex},
+};
 use tokio::net::TcpStream;
 use tokio::sync::{mpsc, oneshot};
 use tokio::task::JoinHandle;
-use tokio_rustls::rustls::ClientConfig;
+use tokio_rustls::rustls::{self, ClientConfig};
 use tracing::info_span;
 use tracing::instrument::Instrument;
-use webpki::{DNSName, DNSNameRef};
 
 type ClientError = hyper::Error;
 type Request = http::Request<hyper::Body>;
@@ -18,17 +20,15 @@ type Sender = mpsc::UnboundedSender<(Request, oneshot::Sender<Result<Response, C
 #[derive(Clone)]
 pub struct TlsConfig {
     client_config: Arc<ClientConfig>,
-    name: DNSName,
+    name: rustls::ServerName,
 }
 
 impl TlsConfig {
     pub fn new(client_config: Arc<ClientConfig>, name: &str) -> Self {
-        let dns_name = DNSNameRef::try_from_ascii_str(name)
-            .expect("no_fail")
-            .to_owned();
+        let name = rustls::ServerName::try_from(name).expect("name must be a valid DNS name");
         TlsConfig {
             client_config,
-            name: dns_name,
+            name,
         }
     }
 }
@@ -327,7 +327,7 @@ impl tower::Service<hyper::Uri> for Conn {
             }) = tls
             {
                 let io = tokio_rustls::TlsConnector::from(client_config.clone())
-                    .connect(DNSName::as_ref(&name), io)
+                    .connect(name, io)
                     .await?;
                 Box::pin(io) as Pin<Box<dyn Io + Send + 'static>>
             } else {

linkerd/app/integration/src/identity.rs

@@ -34,7 +34,9 @@ type Certify = Box<
         > + Send,
 >;
 
-const TLS_VERSIONS: &[rustls::ProtocolVersion] = &[rustls::ProtocolVersion::TLSv1_3];
+static TLS_VERSIONS: &[&rustls::SupportedProtocolVersion] = &[&rustls::version::TLS13];
+static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] =
+    &[rustls::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256];
 
 struct Certificates {
     pub leaf: Vec<u8>,
@@ -48,14 +50,11 @@ impl Certificates {
     {
         let f = fs::File::open(p)?;
         let mut r = io::BufReader::new(f);
-        let certs = rustls::internal::pemfile::certs(&mut r)
+        let mut certs = rustls_pemfile::certs(&mut r)
             .map_err(|_| io::Error::new(io::ErrorKind::Other, "rustls error reading certs"))?;
-        let leaf = certs
-            .get(0)
-            .ok_or_else(|| io::Error::new(io::ErrorKind::Other, "no certs in pemfile"))?
-            .as_ref()
-            .into();
-        let intermediates = certs[1..].iter().map(|i| i.as_ref().into()).collect();
+        let mut certs = certs.drain(..);
+        let leaf = certs.next().expect("no leaf cert in pemfile");
+        let intermediates = certs.collect();
 
         Ok(Certificates {
             leaf,
@@ -95,21 +94,30 @@ impl Identity {
     ) -> (Arc<rustls::ClientConfig>, Arc<rustls::ServerConfig>) {
         use std::io::Cursor;
         let mut roots = rustls::RootCertStore::empty();
-        roots
-            .add_pem_file(&mut Cursor::new(trust_anchors))
-            .expect("add pem file");
-
-        let mut client_config = rustls::ClientConfig::new();
-        client_config.root_store = roots;
-
-        let mut server_config = rustls::ServerConfig::new(
-            rustls::AllowAnyAnonymousOrAuthenticatedClient::new(client_config.root_store.clone()),
-        );
-
-        server_config.versions = TLS_VERSIONS.to_vec();
-        server_config
-            .set_single_cert(certs.chain(), key)
-            .expect("set server resover");
+        let trust_anchors =
+            rustls_pemfile::certs(&mut Cursor::new(trust_anchors)).expect("error parsing pemfile");
+        let (added, skipped) = roots.add_parsable_certificates(&trust_anchors[..]);
+        assert_ne!(added, 0, "trust anchors must include at least one cert");
+        assert_eq!(skipped, 0, "no certs in pemfile should be invalid");
+
+        let client_config = rustls::ClientConfig::builder()
+            .with_cipher_suites(TLS_SUPPORTED_CIPHERSUITES)
+            .with_safe_default_kx_groups()
+            .with_protocol_versions(TLS_VERSIONS)
+            .expect("client config must be valid")
+            .with_root_certificates(roots.clone())
+            .with_no_client_auth();
+
+        let server_config = rustls::ServerConfig::builder()
+            .with_cipher_suites(TLS_SUPPORTED_CIPHERSUITES)
+            .with_safe_default_kx_groups()
+            .with_protocol_versions(TLS_VERSIONS)
+            .expect("server config must be valid")
+            .with_client_cert_verifier(rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new(
+                roots,
+            ))
+            .with_single_cert(certs.chain(), key)
+            .unwrap();
 
         (Arc::new(client_config), Arc::new(server_config))
     }

linkerd/dns/name/src/name.rs

@@ -165,7 +165,7 @@ fn is_valid_reference_dns_id(hostname: untrusted::Input<'_>) -> bool {
 // https://tools.ietf.org/html/rfc5280#section-4.2.1.6:
 //
 //   When the subjectAltName extension contains a domain name system
-//   label, the domain name MUST be stored in the dNSName (an IA5String).
+//   label, the domain name MUST be stored in the DNSName (an IA5String).
 //   The name MUST be in the "preferred name syntax", as specified by
 //   Section 3.5 of [RFC1034] and as modified by Section 2.1 of
 //   [RFC1123].

linkerd/dns/src/lib.rs

@@ -142,7 +142,7 @@ mod tests {
     #[test]
     fn test_dns_name_parsing() {
         // Make sure `dns::Name`'s validation isn't too strict. It is
-        // implemented in terms of `webpki::DNSName` which has many more tests
+        // implemented in terms of `webpki::DnsName` which has many more tests
         // at https://github.com/briansmith/webpki/blob/master/tests/dns_name_tests.rs.
 
         struct Case {

linkerd/meshtls/rustls/Cargo.toml

@@ -18,11 +18,12 @@ linkerd-stack = { path = "../../stack" }
 linkerd-tls = { path = "../../tls" }
 linkerd-tls-test-util = { path = "../../tls/test-util", optional = true }
 ring = { version = "0.16.19", features = ["std"] }
+rustls-pemfile = "0.2"
 thiserror = "1"
 tokio = { version = "1", features = ["macros", "rt", "sync"] }
-tokio-rustls = "0.22"
+tokio-rustls = { version = "0.23.1", features = ["dangerous_configuration"] }
 tracing = "0.1"
-webpki = "0.21"
+webpki = "0.22"
 
 [dev-dependencies]
 linkerd-tls-test-util = { path = "../../tls/test-util" }

linkerd/meshtls/rustls/src/client.rs

@@ -2,9 +2,9 @@ use futures::prelude::*;
 use linkerd_io as io;
 use linkerd_stack::{NewService, Service};
 use linkerd_tls::{client::AlpnProtocols, ClientTls, HasNegotiatedProtocol, NegotiatedProtocolRef};
-use std::{pin::Pin, sync::Arc, task::Context};
+use std::{convert::TryFrom, pin::Pin, sync::Arc, task::Context};
 use tokio::sync::watch;
-use tokio_rustls::rustls::{ClientConfig, Session};
+use tokio_rustls::rustls::{self, ClientConfig};
 
 /// A `NewService` that produces `Connect` services from a dynamic TLS configuration.
 #[derive(Clone)]
@@ -15,7 +15,7 @@ pub struct NewClient {
 /// A `Service` that initiates client-side TLS connections.
 #[derive(Clone)]
 pub struct Connect {
-    server_id: webpki::DNSName,
+    server_id: rustls::ServerName,
     config: Arc<ClientConfig>,
 }
 
@@ -68,9 +68,8 @@ impl Connect {
             }
         };
 
-        let server_id = webpki::DNSNameRef::try_from_ascii(client_tls.server_id.as_bytes())
-            .expect("identity must be a valid DNS name")
-            .to_owned();
+        let server_id = rustls::ServerName::try_from(client_tls.server_id.as_str())
+            .expect("identity must be a valid DNS name");
 
         Self { server_id, config }
     }
@@ -90,7 +89,8 @@ where
 
     fn call(&mut self, io: I) -> Self::Future {
         tokio_rustls::TlsConnector::from(self.config.clone())
-            .connect(self.server_id.as_ref(), io)
+            // XXX(eliza): it's a bummer that the server name has to be cloned here...
+            .connect(self.server_id.clone(), io)
             .map_ok(ClientIo)
     }
 }
@@ -145,7 +145,7 @@ impl<I> HasNegotiatedProtocol for ClientIo<I> {
         self.0
             .get_ref()
             .1
-            .get_alpn_protocol()
+            .alpn_protocol()
             .map(NegotiatedProtocolRef)
     }
 }