Update to rustls 0.22 alpha

Cargo.toml

@@ -14,7 +14,7 @@ exclude = ["/.github", "/examples", "/scripts"]
 
 [dependencies]
 tokio = "1.0"
-rustls = { version = "0.21.6", default-features = false }
+rustls = { version = "=0.22.0-alpha.2", default-features = false }
 
 [features]
 default = ["logging", "tls12"]
@@ -29,6 +29,6 @@ argh = "0.1"
 tokio = { version = "1.0", features = ["full"] }
 futures-util = "0.3.1"
 lazy_static = "1"
-webpki-roots = "0.25"
-rustls-pemfile = "1"
-webpki = { package = "rustls-webpki", version = "0.101.2", features = ["alloc", "std"] }
+webpki-roots = "=0.26.0-alpha.1"
+rustls-pemfile = "=2.0.0-alpha.1"
+webpki = { package = "rustls-webpki", version = "=0.102.0-alpha.2", features = ["alloc", "std"] }

examples/client.rs

@@ -8,7 +8,6 @@ use std::sync::Arc;
 use argh::FromArgs;
 use tokio::io::{copy, split, stdin as tokio_stdin, stdout as tokio_stdout, AsyncWriteExt};
 use tokio::net::TcpStream;
-use tokio_rustls::rustls::{self, OwnedTrustAnchor};
 use tokio_rustls::TlsConnector;
 
 /// Tokio Rustls client example
@@ -45,24 +44,11 @@ async fn main() -> io::Result<()> {
     let mut root_cert_store = rustls::RootCertStore::empty();
     if let Some(cafile) = &options.cafile {
         let mut pem = BufReader::new(File::open(cafile)?);
-        let certs = rustls_pemfile::certs(&mut pem)?;
-        let trust_anchors = certs.iter().map(|cert| {
-            let ta = webpki::TrustAnchor::try_from_cert_der(&cert[..]).unwrap();
-            OwnedTrustAnchor::from_subject_spki_name_constraints(
-                ta.subject,
-                ta.spki,
-                ta.name_constraints,
-            )
-        });
-        root_cert_store.add_trust_anchors(trust_anchors);
+        for cert in rustls_pemfile::certs(&mut pem) {
+            root_cert_store.add(cert?).unwrap();
+        }
     } else {
-        root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
-            OwnedTrustAnchor::from_subject_spki_name_constraints(
-                ta.subject,
-                ta.spki,
-                ta.name_constraints,
-            )
-        }));
+        root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
     }
 
     let config = rustls::ClientConfig::builder()

examples/server.rs

@@ -8,8 +8,8 @@ use argh::FromArgs;
 use rustls_pemfile::{certs, rsa_private_keys};
 use tokio::io::{copy, sink, split, AsyncWriteExt};
 use tokio::net::TcpListener;
-use tokio_rustls::rustls::{self, Certificate, PrivateKey};
 use tokio_rustls::TlsAcceptor;
+use webpki::types::{CertificateDer, PrivateKeyDer};
 
 /// Tokio Rustls server example
 #[derive(FromArgs)]
@@ -31,16 +31,15 @@ struct Options {
     echo_mode: bool,
 }
 
-fn load_certs(path: &Path) -> io::Result<Vec<Certificate>> {
-    certs(&mut BufReader::new(File::open(path)?))
-        .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "invalid cert"))
-        .map(|mut certs| certs.drain(..).map(Certificate).collect())
+fn load_certs(path: &Path) -> io::Result<Vec<CertificateDer<'static>>> {
+    certs(&mut BufReader::new(File::open(path)?)).collect()
 }
 
-fn load_keys(path: &Path) -> io::Result<Vec<PrivateKey>> {
+fn load_keys(path: &Path) -> io::Result<PrivateKeyDer<'static>> {
     rsa_private_keys(&mut BufReader::new(File::open(path)?))
-        .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "invalid key"))
-        .map(|mut keys| keys.drain(..).map(PrivateKey).collect())
+        .next()
+        .unwrap()
+        .map(Into::into)
 }
 
 #[tokio::main]
@@ -53,13 +52,13 @@ async fn main() -> io::Result<()> {
         .next()
         .ok_or_else(|| io::Error::from(io::ErrorKind::AddrNotAvailable))?;
     let certs = load_certs(&options.cert)?;
-    let mut keys = load_keys(&options.key)?;
+    let key = load_keys(&options.key)?;
     let flag_echo = options.echo_mode;
 
     let config = rustls::ServerConfig::builder()
         .with_safe_defaults()
         .with_no_client_auth()
-        .with_single_cert(certs, keys.remove(0))
+        .with_single_cert(certs, key)
         .map_err(|err| io::Error::new(io::ErrorKind::InvalidInput, err))?;
     let acceptor = TlsAcceptor::from(Arc::new(config));
 

src/client.rs

@@ -1,9 +1,15 @@
-use super::*;
-use crate::common::IoSession;
+use std::io;
 #[cfg(unix)]
 use std::os::unix::io::{AsRawFd, RawFd};
 #[cfg(windows)]
 use std::os::windows::io::{AsRawSocket, RawSocket};
+use std::pin::Pin;
+use std::task::{Context, Poll};
+
+use rustls::ClientConnection;
+use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
+
+use crate::common::{IoSession, Stream, TlsState};
 
 /// A wrapper around an underlying raw stream which implements the TLS or SSL
 /// protocol.

src/common/handshake.rs

@@ -1,12 +1,14 @@
-use crate::common::{Stream, TlsState};
-use rustls::{ConnectionCommon, SideData};
 use std::future::Future;
 use std::ops::{Deref, DerefMut};
 use std::pin::Pin;
 use std::task::{Context, Poll};
 use std::{io, mem};
+
+use rustls::{ConnectionCommon, SideData};
 use tokio::io::{AsyncRead, AsyncWrite};
 
+use crate::common::{Stream, TlsState};
+
 pub(crate) trait IoSession {
     type Io;
     type Session;

src/common/mod.rs

@@ -1,13 +1,14 @@
-mod handshake;
-
-pub(crate) use handshake::{IoSession, MidHandshake};
-use rustls::{ConnectionCommon, SideData};
 use std::io::{self, IoSlice, Read, Write};
 use std::ops::{Deref, DerefMut};
 use std::pin::Pin;
 use std::task::{Context, Poll};
+
+use rustls::{ConnectionCommon, SideData};
 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
 
+mod handshake;
+pub(crate) use handshake::{IoSession, MidHandshake};
+
 #[derive(Debug)]
 pub enum TlsState {
     #[cfg(feature = "early-data")]

src/common/test_stream.rs

@@ -1,12 +1,14 @@
-use super::Stream;
-use futures_util::future::poll_fn;
-use futures_util::task::noop_waker_ref;
-use rustls::{ClientConnection, Connection, ServerConnection};
 use std::io::{self, Cursor, Read, Write};
 use std::pin::Pin;
 use std::task::{Context, Poll};
+
+use futures_util::future::poll_fn;
+use futures_util::task::noop_waker_ref;
+use rustls::{ClientConnection, Connection, ServerConnection};
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt, ReadBuf};
 
+use super::Stream;
+
 struct Good<'a>(&'a mut Connection);
 
 impl<'a> AsyncRead for Good<'a> {

src/lib.rs

@@ -36,6 +36,21 @@
 //!
 //! see <https://github.com/tokio-rs/tls/issues/41>
 
+use std::future::Future;
+use std::io;
+#[cfg(unix)]
+use std::os::unix::io::{AsRawFd, RawFd};
+#[cfg(windows)]
+use std::os::windows::io::{AsRawSocket, RawSocket};
+use std::pin::Pin;
+use std::sync::Arc;
+use std::task::{Context, Poll};
+
+pub use rustls;
+use rustls::crypto::ring::Ring;
+use rustls::{ClientConfig, ClientConnection, CommonState, ServerConfig, ServerConnection};
+use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
+
 macro_rules! ready {
     ( $e:expr ) => {
         match $e {
@@ -47,39 +62,25 @@ macro_rules! ready {
 
 pub mod client;
 mod common;
+use common::{MidHandshake, TlsState};
 pub mod server;
 
-use common::{MidHandshake, Stream, TlsState};
-use rustls::{ClientConfig, ClientConnection, CommonState, ServerConfig, ServerConnection};
-use std::future::Future;
-use std::io;
-#[cfg(unix)]
-use std::os::unix::io::{AsRawFd, RawFd};
-#[cfg(windows)]
-use std::os::windows::io::{AsRawSocket, RawSocket};
-use std::pin::Pin;
-use std::sync::Arc;
-use std::task::{Context, Poll};
-use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
-
-pub use rustls;
-
 /// A wrapper around a `rustls::ClientConfig`, providing an async `connect` method.
 #[derive(Clone)]
 pub struct TlsConnector {
-    inner: Arc<ClientConfig>,
+    inner: Arc<ClientConfig<Ring>>,
     #[cfg(feature = "early-data")]
     early_data: bool,
 }
 
 /// A wrapper around a `rustls::ServerConfig`, providing an async `accept` method.
 #[derive(Clone)]
 pub struct TlsAcceptor {
-    inner: Arc<ServerConfig>,
+    inner: Arc<ServerConfig<Ring>>,
 }
 
-impl From<Arc<ClientConfig>> for TlsConnector {
-    fn from(inner: Arc<ClientConfig>) -> TlsConnector {
+impl From<Arc<ClientConfig<Ring>>> for TlsConnector {
+    fn from(inner: Arc<ClientConfig<Ring>>) -> TlsConnector {
         TlsConnector {
             inner,
             #[cfg(feature = "early-data")]
@@ -88,8 +89,8 @@ impl From<Arc<ClientConfig>> for TlsConnector {
     }
 }
 
-impl From<Arc<ServerConfig>> for TlsAcceptor {
-    fn from(inner: Arc<ServerConfig>) -> TlsAcceptor {
+impl From<Arc<ServerConfig<Ring>>> for TlsAcceptor {
+    fn from(inner: Arc<ServerConfig<Ring>>) -> TlsAcceptor {
         TlsAcceptor { inner }
     }
 }
@@ -210,9 +211,10 @@ where
     /// # Example
     ///
     /// ```no_run
+    /// # use rustls::crypto::ring::Ring;
     /// # fn choose_server_config(
     /// #     _: rustls::server::ClientHello,
-    /// # ) -> std::sync::Arc<rustls::ServerConfig> {
+    /// # ) -> std::sync::Arc<rustls::ServerConfig<Ring>> {
     /// #     unimplemented!();
     /// # }
     /// # #[allow(unused_variables)]
@@ -304,11 +306,11 @@ where
         self.accepted.client_hello()
     }
 
-    pub fn into_stream(self, config: Arc<ServerConfig>) -> Accept<IO> {
+    pub fn into_stream(self, config: Arc<ServerConfig<Ring>>) -> Accept<IO> {
         self.into_stream_with(config, |_| ())
     }
 
-    pub fn into_stream_with<F>(self, config: Arc<ServerConfig>, f: F) -> Accept<IO>
+    pub fn into_stream_with<F>(self, config: Arc<ServerConfig<Ring>>, f: F) -> Accept<IO>
     where
         F: FnOnce(&mut ServerConnection),
     {

src/server.rs

@@ -1,10 +1,15 @@
+use std::io;
 #[cfg(unix)]
 use std::os::unix::io::{AsRawFd, RawFd};
 #[cfg(windows)]
 use std::os::windows::io::{AsRawSocket, RawSocket};
+use std::pin::Pin;
+use std::task::{Context, Poll};
 
-use super::*;
-use crate::common::IoSession;
+use rustls::ServerConnection;
+use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
+
+use crate::common::{IoSession, Stream, TlsState};
 
 /// A wrapper around an underlying raw stream which implements the TLS or SSL
 /// protocol.

tests/badssl.rs

@@ -2,16 +2,17 @@ use std::io;
 use std::net::ToSocketAddrs;
 use std::sync::Arc;
 
+use rustls::crypto::ring::Ring;
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::TcpStream;
 use tokio_rustls::{
     client::TlsStream,
-    rustls::{self, ClientConfig, OwnedTrustAnchor},
+    rustls::{self, ClientConfig},
     TlsConnector,
 };
 
 async fn get(
-    config: Arc<ClientConfig>,
+    config: Arc<ClientConfig<Ring>>,
     domain: &str,
     port: u16,
 ) -> io::Result<(TlsStream<TcpStream>, String)> {
@@ -34,13 +35,7 @@ async fn get(
 #[tokio::test]
 async fn test_tls12() -> io::Result<()> {
     let mut root_store = rustls::RootCertStore::empty();
-    root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
-        OwnedTrustAnchor::from_subject_spki_name_constraints(
-            ta.subject,
-            ta.spki,
-            ta.name_constraints,
-        )
-    }));
+    root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
     let config = rustls::ClientConfig::builder()
         .with_safe_default_cipher_suites()
         .with_safe_default_kx_groups()
@@ -72,13 +67,7 @@ fn test_tls13() {
 #[tokio::test]
 async fn test_modern() -> io::Result<()> {
     let mut root_store = rustls::RootCertStore::empty();
-    root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
-        OwnedTrustAnchor::from_subject_spki_name_constraints(
-            ta.subject,
-            ta.spki,
-            ta.name_constraints,
-        )
-    }));
+    root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
     let config = rustls::ClientConfig::builder()
         .with_safe_defaults()
         .with_root_certificates(root_store)