Skip to content

Commit

Permalink
upgrade rustls to 0.23
Browse files Browse the repository at this point in the history
* With rustls 0.23 there is no longer a dependency on ring, allowing for
  easier compilation for various targets.
  • Loading branch information
nickfarrow committed Apr 17, 2024
1 parent 898f230 commit 1eea0aa
Show file tree
Hide file tree
Showing 2 changed files with 46 additions and 23 deletions.
2 changes: 1 addition & 1 deletion Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ serde_json = { version = "^1.0" }

# Optional dependencies
openssl = { version = "0.10", optional = true }
rustls = { version = "0.21", optional = true, features = ["dangerous_configuration"] }
rustls = { version = "0.23", optional = true }
webpki-roots = { version = "0.25", optional = true }

byteorder = { version = "1.0", optional = true }
Expand Down
67 changes: 45 additions & 22 deletions src/raw_client.rs
Original file line number Diff line number Diff line change
Expand Up @@ -21,13 +21,12 @@ use bitcoin::{Script, Txid};

#[cfg(feature = "use-openssl")]
use openssl::ssl::{SslConnector, SslMethod, SslStream, SslVerifyMode};
use rustls::pki_types::{Der, TrustAnchor};
#[cfg(all(
any(feature = "default", feature = "use-rustls"),
not(feature = "use-openssl")
))]
use rustls::{
ClientConfig, ClientConnection, OwnedTrustAnchor, RootCertStore, ServerName, StreamOwned,
};
use rustls::{pki_types::ServerName, ClientConfig, ClientConnection, RootCertStore, StreamOwned};

#[cfg(any(feature = "default", feature = "proxy"))]
use crate::socks::{Socks5Stream, TargetAddr, ToTargetAddr};
Expand Down Expand Up @@ -287,25 +286,48 @@ impl RawClient<ElectrumSslStream> {
not(feature = "use-openssl")
))]
mod danger {
use rustls;
use rustls::client::ServerCertVerified;
use rustls::{Certificate, Error, ServerName};
use std::time::SystemTime;
use raw_client::ServerName;
use rustls::client::danger::ServerCertVerified;
use rustls::pki_types::CertificateDer;
use rustls::pki_types::UnixTime;
use rustls::Error;

#[derive(Debug)]
pub struct NoCertificateVerification {}

impl rustls::client::ServerCertVerifier for NoCertificateVerification {
impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
fn verify_server_cert(
&self,
_end_entity: &Certificate,
_intermediates: &[Certificate],
_end_entity: &CertificateDer,
_intermediates: &[CertificateDer],
_server_name: &ServerName,
_scts: &mut dyn Iterator<Item = &[u8]>,
_ocsp_response: &[u8],
_now: SystemTime,
_now: UnixTime,
) -> Result<ServerCertVerified, Error> {
Ok(ServerCertVerified::assertion())
}

fn verify_tls12_signature(
&self,
_message: &[u8],
_cert: &CertificateDer<'_>,
_dss: &rustls::DigitallySignedStruct,
) -> Result<rustls::client::danger::HandshakeSignatureValid, Error> {
Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
}

fn verify_tls13_signature(
&self,
_message: &[u8],
_cert: &CertificateDer<'_>,
_dss: &rustls::DigitallySignedStruct,
) -> Result<rustls::client::danger::HandshakeSignatureValid, Error> {
Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
}

fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
vec![]
}
}
}

Expand Down Expand Up @@ -358,24 +380,25 @@ impl RawClient<ElectrumSslStream> {
) -> Result<Self, Error> {
use std::convert::TryFrom;

let builder = ClientConfig::builder().with_safe_defaults();
let builder = ClientConfig::builder();

let config = if validate_domain {
socket_addr.domain().ok_or(Error::MissingDomain)?;

let mut store = RootCertStore::empty();
store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.into_iter().map(|t| {
OwnedTrustAnchor::from_subject_spki_name_constraints(
t.subject,
t.spki,
t.name_constraints,
)
}));
let store = webpki_roots::TLS_SERVER_ROOTS
.into_iter()
.map(|t| TrustAnchor {
subject: Der::from_slice(t.subject),
subject_public_key_info: Der::from_slice(t.spki),
name_constraints: t.name_constraints.map(|nc| Der::from_slice(nc)),
})
.collect::<RootCertStore>();

// TODO: cert pinning
builder.with_root_certificates(store).with_no_client_auth()
} else {
builder
.dangerous()
.with_custom_certificate_verifier(std::sync::Arc::new(
danger::NoCertificateVerification {},
))
Expand All @@ -385,7 +408,7 @@ impl RawClient<ElectrumSslStream> {
let domain = socket_addr.domain().unwrap_or("NONE").to_string();
let session = ClientConnection::new(
std::sync::Arc::new(config),
ServerName::try_from(domain.as_str())
ServerName::try_from(domain.clone())
.map_err(|_| Error::InvalidDNSNameError(domain.clone()))?,
)
.map_err(Error::CouldNotCreateConnection)?;
Expand Down

0 comments on commit 1eea0aa

Please sign in to comment.