Bump dependencies, set rust-version

2023-04-12 16:18:34 +02:00 · 2023-04-12 16:18:34 +02:00 · 3e396f8577
commit 3e396f8577
parent d40e3ce844
6 changed files with 181 additions and 145 deletions
--- a/src/client/conn.rs
+++ b/src/client/conn.rs
@ -16,30 +16,32 @@ use tokio_socks::tcp::Socks5Stream;
 #[cfg(feature = "proxy")]
 use crate::client::data::ProxyType;

-#[cfg(feature = "tls-native")]
+#[cfg(all(feature = "tls-native", not(feature = "tls-rust")))]
 use std::{fs::File, io::Read};

-#[cfg(feature = "tls-native")]
+#[cfg(all(feature = "tls-native", not(feature = "tls-rust")))]
 use native_tls::{Certificate, Identity, TlsConnector};

-#[cfg(feature = "tls-native")]
+#[cfg(all(feature = "tls-native", not(feature = "tls-rust")))]
 use tokio_native_tls::{self, TlsStream};

+#[cfg(feature = "tls-rust")]
+use rustls_pemfile::certs;
 #[cfg(feature = "tls-rust")]
 use std::{
+    convert::TryFrom,
    fs::File,
    io::{BufReader, Error, ErrorKind},
    sync::Arc,
 };
-
 #[cfg(feature = "tls-rust")]
-use webpki_roots::TLS_SERVER_ROOTS;
-
+use tokio_rustls::client::TlsStream;
 #[cfg(feature = "tls-rust")]
 use tokio_rustls::{
-    client::TlsStream,
-    rustls::{self, internal::pemfile::certs, ClientConfig, PrivateKey},
-    webpki::DNSNameRef,
+    rustls::client::{ServerCertVerified, ServerCertVerifier},
+    rustls::{
+        self, Certificate, ClientConfig, OwnedTrustAnchor, PrivateKey, RootCertStore, ServerName,
+    },
    TlsConnector,
 };

@ -157,7 +159,7 @@ impl Connection {
        Ok(Transport::new(&config, framed, tx))
    }

-    #[cfg(feature = "tls-native")]
+    #[cfg(all(feature = "tls-native", not(feature = "tls-rust")))]
    async fn new_secured_transport(
        config: &Config,
        tx: UnboundedSender<Message>,
@ -221,44 +223,46 @@ impl Connection {
        config: &Config,
        tx: UnboundedSender<Message>,
    ) -> error::Result<Transport<TlsStream<TcpStream>>> {
-        let mut builder = ClientConfig::default();
-        builder
-            .root_store
-            .add_server_trust_anchors(&TLS_SERVER_ROOTS);
+        struct DangerousAcceptAllVerifier;

-        if let Some(cert_path) = config.cert_path() {
-            if let Ok(mut file) = File::open(cert_path) {
-                let mut cert_data = BufReader::new(file);
-                builder
-                    .root_store
-                    .add_pem_file(&mut cert_data)
-                    .map_err(|_| {
-                        error::Error::Io(Error::new(ErrorKind::InvalidInput, "invalid cert"))
-                    })?;
-                log::info!("Added {} to trusted certificates.", cert_path);
-            } else {
-                return Err(error::Error::InvalidConfig {
-                    path: config.path(),
-                    cause: error::ConfigError::FileMissing {
-                        file: cert_path.to_string(),
-                    },
-                });
+        impl ServerCertVerifier for DangerousAcceptAllVerifier {
+            fn verify_server_cert(
+                &self,
+                _: &Certificate,
+                _: &[Certificate],
+                _: &ServerName,
+                _: &mut dyn Iterator<Item = &[u8]>,
+                _: &[u8],
+                _: std::time::SystemTime,
+            ) -> Result<ServerCertVerified, rustls::Error> {
+                return Ok(ServerCertVerified::assertion());
            }
        }

-        if let Some(client_cert_path) = config.client_cert_path() {
-            if let Ok(mut file) = File::open(client_cert_path) {
+        enum ClientAuth {
+            SingleCert(Vec<Certificate>, PrivateKey),
+            NoClientAuth,
+        }
+
+        let client_auth = if let Some(client_cert_path) = config.client_cert_path() {
+            if let Ok(file) = File::open(client_cert_path) {
                let client_cert_data = certs(&mut BufReader::new(file)).map_err(|_| {
                    error::Error::Io(Error::new(ErrorKind::InvalidInput, "invalid cert"))
                })?;
+
+                let client_cert_data = client_cert_data
+                    .into_iter()
+                    .map(Certificate)
+                    .collect::<Vec<_>>();
+
                let client_cert_pass = PrivateKey(Vec::from(config.client_cert_pass()));
-                builder
-                    .set_single_client_cert(client_cert_data, client_cert_pass)
-                    .map_err(|err| error::Error::Io(Error::new(ErrorKind::InvalidInput, err)))?;
+
                log::info!(
                    "Using {} for client certificate authentication.",
                    client_cert_path
                );
+
+                ClientAuth::SingleCert(client_cert_data, client_cert_pass)
            } else {
                return Err(error::Error::InvalidConfig {
                    path: config.path(),
@ -267,15 +271,68 @@ impl Connection {
                    },
                });
            }
+        } else {
+            ClientAuth::NoClientAuth
+        };
+
+        macro_rules! make_client_auth {
+            ($builder:expr) => {
+                match client_auth {
+                    ClientAuth::SingleCert(data, pass) => {
+                        $builder.with_single_cert(data, pass).map_err(|err| {
+                            error::Error::Io(Error::new(ErrorKind::InvalidInput, err))
+                        })?
+                    }
+                    ClientAuth::NoClientAuth => $builder.with_no_client_auth(),
+                }
+            };
        }

-        if config.dangerously_accept_invalid_certs() {
-            builder.dangerous().set_certificate_verifier(Arc::new(DangerousAcceptAllVerifier));
-        }
+        let builder = ClientConfig::builder()
+            .with_safe_default_cipher_suites()
+            .with_safe_default_kx_groups()
+            .with_safe_default_protocol_versions()?;

-        let connector = TlsConnector::from(Arc::new(builder));
-        let domain = DNSNameRef::try_from_ascii_str(config.server()?)?;
+        let tls_config = if config.dangerously_accept_invalid_certs() {
+            let builder =
+                builder.with_custom_certificate_verifier(Arc::new(DangerousAcceptAllVerifier));
+            make_client_auth!(builder)
+        } else {
+            let mut root_store = RootCertStore::empty();

+            root_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(
+                |ta| {
+                    OwnedTrustAnchor::from_subject_spki_name_constraints(
+                        ta.subject,
+                        ta.spki,
+                        ta.name_constraints,
+                    )
+                },
+            ));
+
+            if let Some(cert_path) = config.cert_path() {
+                if let Ok(data) = std::fs::read(cert_path) {
+                    root_store.add(&Certificate(data)).map_err(|_| {
+                        error::Error::Io(Error::new(ErrorKind::InvalidInput, "invalid cert"))
+                    })?;
+
+                    log::info!("Added {} to trusted certificates.", cert_path);
+                } else {
+                    return Err(error::Error::InvalidConfig {
+                        path: config.path(),
+                        cause: error::ConfigError::FileMissing {
+                            file: cert_path.to_string(),
+                        },
+                    });
+                }
+            }
+
+            let builder = builder.with_root_certificates(root_store);
+            make_client_auth!(builder)
+        };
+
+        let connector = TlsConnector::from(Arc::new(tls_config));
+        let domain = ServerName::try_from(config.server()?)?;
        let stream = Self::new_stream(config).await?;
        let stream = connector.connect(domain, stream).await?;
        let framed = Framed::new(stream, IrcCodec::new(config.encoding())?);
@ -371,19 +428,3 @@ impl Sink<Message> for Connection {
        }
    }
 }
-
-#[cfg(feature = "tls-rust")]
-struct DangerousAcceptAllVerifier;
-
-#[cfg(feature = "tls-rust")]
-impl rustls::ServerCertVerifier for DangerousAcceptAllVerifier {
-    fn verify_server_cert(
-        &self,
-        _: &rustls::RootCertStore,
-        _: &[rustls::Certificate],
-        _: DNSNameRef,
-        _: &[u8]
-    ) -> Result<rustls::ServerCertVerified, rustls::TLSError> {
-        return Ok(rustls::ServerCertVerified::assertion());
-    }
-}
--- a/src/client/data/config.rs
+++ b/src/client/data/config.rs
@ -523,7 +523,10 @@ impl Config {
    /// Gets whether or not to dangerously accept invalid certificates.
    /// This defaults to `false` when not specified.
    pub fn dangerously_accept_invalid_certs(&self) -> bool {
-        self.dangerously_accept_invalid_certs.as_ref().cloned().unwrap_or(false)
+        self.dangerously_accept_invalid_certs
+            .as_ref()
+            .cloned()
+            .unwrap_or(false)
    }

    /// Gets the path to the client authentication certificate in DER format if specified.
--- a/src/error.rs
+++ b/src/error.rs
@ -5,9 +5,8 @@ use std::sync::mpsc::RecvError;

 use thiserror::Error;
 use tokio::sync::mpsc::error::{SendError, TrySendError};
-
 #[cfg(feature = "tls-rust")]
-use tokio_rustls::webpki::InvalidDNSNameError;
+use tokio_rustls::rustls::client::InvalidDnsNameError;

 use crate::proto::error::{MessageParseError, ProtocolError};

@ -19,26 +18,51 @@ pub type Result<T, E = Error> = std::result::Result<T, E>;
 pub enum Error {
    /// An internal I/O error.
    #[error("an io error occurred")]
-    Io(#[source] IoError),
+    Io(
+        #[source]
+        #[from]
+        IoError,
+    ),

    /// An internal proxy error.
    #[cfg(feature = "proxy")]
    #[error("a proxy error occurred")]
-    Proxy(tokio_socks::Error),
+    Proxy(#[from] tokio_socks::Error),

    /// An internal TLS error.
-    #[cfg(feature = "tls-native")]
+    #[cfg(all(feature = "tls-native", not(feature = "tls-rust")))]
    #[error("a TLS error occurred")]
-    Tls(#[source] native_tls::Error),
+    Tls(
+        #[source]
+        #[from]
+        native_tls::Error,
+    ),

-    /// An internal DNS error.
+    /// An internal TLS error.
    #[cfg(feature = "tls-rust")]
-    #[error("a DNS error occurred")]
-    Dns(#[source] InvalidDNSNameError),
+    #[error("a TLS error occurred")]
+    Tls(
+        #[source]
+        #[from]
+        tokio_rustls::rustls::Error,
+    ),
+
+    /// An invalid DNS name was specified.
+    #[cfg(feature = "tls-rust")]
+    #[error("invalid DNS name")]
+    InvalidDnsNameError(
+        #[source]
+        #[from]
+        InvalidDnsNameError,
+    ),

    /// An internal synchronous channel closed.
    #[error("a sync channel closed")]
-    SyncChannelClosed(#[source] RecvError),
+    SyncChannelClosed(
+        #[source]
+        #[from]
+        RecvError,
+    ),

    /// An internal asynchronous channel closed.
    #[error("an async channel closed")]
@ -176,39 +200,6 @@ impl From<ProtocolError> for Error {
    }
 }

-impl From<IoError> for Error {
-    fn from(e: IoError) -> Error {
-        Error::Io(e)
-    }
-}
-
-#[cfg(feature = "proxy")]
-impl From<tokio_socks::Error> for Error {
-    fn from(e: tokio_socks::Error) -> Error {
-        Error::Proxy(e)
-    }
-}
-
-#[cfg(feature = "tls-native")]
-impl From<native_tls::Error> for Error {
-    fn from(e: native_tls::Error) -> Error {
-        Error::Tls(e)
-    }
-}
-
-#[cfg(feature = "tls-rust")]
-impl From<InvalidDNSNameError> for Error {
-    fn from(e: InvalidDNSNameError) -> Error {
-        Error::Dns(e)
-    }
-}
-
-impl From<RecvError> for Error {
-    fn from(e: RecvError) -> Error {
-        Error::SyncChannelClosed(e)
-    }
-}
-
 impl<T> From<SendError<T>> for Error {
    fn from(_: SendError<T>) -> Error {
        Error::AsyncChannelClosed