Update rustls as much as possible

This commit is contained in:
Tamo 2024-07-17 14:27:29 +02:00
parent 7a292b572a
commit 1bfb16386c
4 changed files with 52 additions and 104 deletions

Cargo.lock generated

@ -149,11 +149,11 @@ dependencies = [
"futures-core", "futures-core",
"impl-more", "impl-more",
"pin-project-lite", "pin-project-lite",
"rustls-pki-types",
"tokio", "tokio",
"tokio-rustls 0.24.1", "tokio-rustls",
"tokio-util", "tokio-util",
"tracing", "tracing",
"webpki-roots 0.25.3",
] ]
[[package]] [[package]]
@ -2461,12 +2461,12 @@ dependencies = [
"http 1.1.0", "http 1.1.0",
"hyper", "hyper",
"hyper-util", "hyper-util",
"rustls 0.23.11", "rustls",
"rustls-pki-types", "rustls-pki-types",
"tokio", "tokio",
"tokio-rustls 0.26.0", "tokio-rustls",
"tower-service", "tower-service",
"webpki-roots 0.26.1", "webpki-roots",
] ]
[[package]] [[package]]
@ -3395,8 +3395,9 @@ dependencies = [
"regex", "regex",
"reqwest", "reqwest",
"roaring", "roaring",
"rustls 0.21.12", "rustls",
"rustls-pemfile 1.0.4", "rustls-pemfile",
"rustls-pki-types",
"segment", "segment",
"serde", "serde",
"serde_json", "serde_json",
@ -4272,7 +4273,7 @@ dependencies = [
"quinn-proto", "quinn-proto",
"quinn-udp", "quinn-udp",
"rustc-hash", "rustc-hash",
"rustls 0.23.11", "rustls",
"thiserror", "thiserror",
"tokio", "tokio",
"tracing", "tracing",
@ -4288,7 +4289,7 @@ dependencies = [
"rand", "rand",
"ring", "ring",
"rustc-hash", "rustc-hash",
"rustls 0.23.11", "rustls",
"slab", "slab",
"thiserror", "thiserror",
"tinyvec", "tinyvec",
@ -4516,15 +4517,15 @@ dependencies = [
"percent-encoding", "percent-encoding",
"pin-project-lite", "pin-project-lite",
"quinn", "quinn",
"rustls 0.23.11", "rustls",
"rustls-pemfile 2.1.2", "rustls-pemfile",
"rustls-pki-types", "rustls-pki-types",
"serde", "serde",
"serde_json", "serde_json",
"serde_urlencoded", "serde_urlencoded",
"sync_wrapper", "sync_wrapper",
"tokio", "tokio",
"tokio-rustls 0.26.0", "tokio-rustls",
"tokio-util", "tokio-util",
"tower-service", "tower-service",
"url", "url",
@ -4532,7 +4533,7 @@ dependencies = [
"wasm-bindgen-futures", "wasm-bindgen-futures",
"wasm-streams", "wasm-streams",
"web-sys", "web-sys",
"webpki-roots 0.26.1", "webpki-roots",
"winreg", "winreg",
] ]
@ -4682,18 +4683,6 @@ dependencies = [
"windows-sys 0.52.0", "windows-sys 0.52.0",
] ]
[[package]]
name = "rustls"
version = "0.21.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e"
dependencies = [
"log",
"ring",
"rustls-webpki 0.101.7",
"sct",
]
[[package]] [[package]]
name = "rustls" name = "rustls"
version = "0.23.11" version = "0.23.11"
@ -4704,20 +4693,11 @@ dependencies = [
"once_cell", "once_cell",
"ring", "ring",
"rustls-pki-types", "rustls-pki-types",
"rustls-webpki 0.102.5", "rustls-webpki",
"subtle", "subtle",
"zeroize", "zeroize",
] ]
[[package]]
name = "rustls-pemfile"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c"
dependencies = [
"base64 0.21.7",
]
[[package]] [[package]]
name = "rustls-pemfile" name = "rustls-pemfile"
version = "2.1.2" version = "2.1.2"
@ -4734,16 +4714,6 @@ version = "1.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d" checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d"
[[package]]
name = "rustls-webpki"
version = "0.101.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
dependencies = [
"ring",
"untrusted",
]
[[package]] [[package]]
name = "rustls-webpki" name = "rustls-webpki"
version = "0.102.5" version = "0.102.5"
@ -4792,16 +4762,6 @@ version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
[[package]]
name = "sct"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
dependencies = [
"ring",
"untrusted",
]
[[package]] [[package]]
name = "seahash" name = "seahash"
version = "4.1.0" version = "4.1.0"
@ -5482,23 +5442,13 @@ dependencies = [
"syn 2.0.60", "syn 2.0.60",
] ]
[[package]]
name = "tokio-rustls"
version = "0.24.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081"
dependencies = [
"rustls 0.21.12",
"tokio",
]
[[package]] [[package]]
name = "tokio-rustls" name = "tokio-rustls"
version = "0.26.0" version = "0.26.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4" checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4"
dependencies = [ dependencies = [
"rustls 0.23.11", "rustls",
"rustls-pki-types", "rustls-pki-types",
"tokio", "tokio",
] ]
@ -5804,13 +5754,13 @@ dependencies = [
"flate2", "flate2",
"log", "log",
"once_cell", "once_cell",
"rustls 0.23.11", "rustls",
"rustls-pki-types", "rustls-pki-types",
"serde", "serde",
"serde_json", "serde_json",
"socks", "socks",
"url", "url",
"webpki-roots 0.26.1", "webpki-roots",
] ]
[[package]] [[package]]
@ -6035,12 +5985,6 @@ dependencies = [
"wasm-bindgen", "wasm-bindgen",
] ]
[[package]]
name = "webpki-roots"
version = "0.25.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10"
[[package]] [[package]]
name = "webpki-roots" name = "webpki-roots"
version = "0.26.1" version = "0.26.1"


@ -17,7 +17,7 @@ actix-cors = "0.7.0"
actix-http = { version = "3.8.0", default-features = false, features = [ actix-http = { version = "3.8.0", default-features = false, features = [
"compress-brotli", "compress-brotli",
"compress-gzip", "compress-gzip",
"rustls-0_21", "rustls-0_23",
] } ] }
actix-utils = "3.0.1" actix-utils = "3.0.1"
actix-web = { version = "4.8.0", default-features = false, features = [ actix-web = { version = "4.8.0", default-features = false, features = [
@ -25,7 +25,7 @@ actix-web = { version = "4.8.0", default-features = false, features = [
"compress-brotli", "compress-brotli",
"compress-gzip", "compress-gzip",
"cookies", "cookies",
"rustls-0_21", "rustls-0_23",
] } ] }
anyhow = { version = "1.0.86", features = ["backtrace"] } anyhow = { version = "1.0.86", features = ["backtrace"] }
async-trait = "0.1.81" async-trait = "0.1.81"
@ -72,8 +72,9 @@ reqwest = { version = "0.12.5", features = [
"rustls-tls", "rustls-tls",
"json", "json",
], default-features = false } ], default-features = false }
rustls = "0.21.12" rustls = { version = "0.23.11", features = ["ring"], default-features = false }
rustls-pemfile = "1.0.4" rustls-pki-types = { version = "1.7.0", features = ["alloc"] }
rustls-pemfile = "2.1.2"
segment = { version = "0.2.4", optional = true } segment = { version = "0.2.4", optional = true }
serde = { version = "1.0.204", features = ["derive"] } serde = { version = "1.0.204", features = ["derive"] }
serde_json = { version = "1.0.120", features = ["preserve_order"] } serde_json = { version = "1.0.120", features = ["preserve_order"] }


@ -151,7 +151,7 @@ async fn run_http(
.keep_alive(KeepAlive::Os); .keep_alive(KeepAlive::Os);
if let Some(config) = opt_clone.get_ssl_config()? { if let Some(config) = opt_clone.get_ssl_config()? {
http_server.bind_rustls_021(opt_clone.http_addr, config)?.run().await?; http_server.bind_rustls_0_23(opt_clone.http_addr, config)?.run().await?;
} else { } else {
http_server.bind(&opt_clone.http_addr)?.run().await?; http_server.bind(&opt_clone.http_addr)?.run().await?;
} }


@ -14,11 +14,9 @@ use clap::Parser;
use meilisearch_types::features::InstanceTogglableFeatures; use meilisearch_types::features::InstanceTogglableFeatures;
use meilisearch_types::milli::update::IndexerConfig; use meilisearch_types::milli::update::IndexerConfig;
use meilisearch_types::milli::ThreadPoolNoAbortBuilder; use meilisearch_types::milli::ThreadPoolNoAbortBuilder;
use rustls::server::{ use rustls::server::{ServerSessionMemoryCache, WebPkiClientVerifier};
AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, ServerSessionMemoryCache,
};
use rustls::RootCertStore; use rustls::RootCertStore;
use rustls_pemfile::{certs, pkcs8_private_keys, rsa_private_keys}; use rustls_pemfile::{certs, rsa_private_keys};
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use sysinfo::{MemoryRefreshKind, RefreshKind, System}; use sysinfo::{MemoryRefreshKind, RefreshKind, System};
use url::Url; use url::Url;
@ -569,23 +567,21 @@ impl Opt {
pub fn get_ssl_config(&self) -> anyhow::Result<Option<rustls::ServerConfig>> { pub fn get_ssl_config(&self) -> anyhow::Result<Option<rustls::ServerConfig>> {
if let (Some(cert_path), Some(key_path)) = (&self.ssl_cert_path, &self.ssl_key_path) { if let (Some(cert_path), Some(key_path)) = (&self.ssl_cert_path, &self.ssl_key_path) {
let config = rustls::ServerConfig::builder().with_safe_defaults(); let config = rustls::ServerConfig::builder();
let config = match &self.ssl_auth_path { let config = match &self.ssl_auth_path {
Some(auth_path) => { Some(auth_path) => {
let roots = load_certs(auth_path.to_path_buf())?; let roots = load_certs(auth_path.to_path_buf())?;
let mut client_auth_roots = RootCertStore::empty(); let mut client_auth_roots = RootCertStore::empty();
for root in roots { for root in roots {
client_auth_roots.add(&root).unwrap(); client_auth_roots.add(root).unwrap();
} }
if self.ssl_require_auth { let mut client_verifier =
let verifier = AllowAnyAuthenticatedClient::new(client_auth_roots); WebPkiClientVerifier::builder(client_auth_roots.into());
config.with_client_cert_verifier(Arc::from(verifier)) if !self.ssl_require_auth {
} else { client_verifier = client_verifier.allow_unauthenticated();
let verifier =
AllowAnyAnonymousOrAuthenticatedClient::new(client_auth_roots);
config.with_client_cert_verifier(Arc::from(verifier))
} }
config.with_client_cert_verifier(client_verifier.build()?)
} }
None => config.with_no_client_auth(), None => config.with_no_client_auth(),
}; };
@ -594,7 +590,7 @@ impl Opt {
let privkey = load_private_key(key_path.to_path_buf())?; let privkey = load_private_key(key_path.to_path_buf())?;
let ocsp = load_ocsp(&self.ssl_ocsp_path)?; let ocsp = load_ocsp(&self.ssl_ocsp_path)?;
let mut config = config let mut config = config
.with_single_cert_with_ocsp_and_sct(certs, privkey, ocsp, vec![]) .with_single_cert_with_ocsp(certs, privkey, ocsp)
.map_err(|_| anyhow::anyhow!("bad certificates/private key"))?; .map_err(|_| anyhow::anyhow!("bad certificates/private key"))?;
config.key_log = Arc::new(rustls::KeyLogFile::new()); config.key_log = Arc::new(rustls::KeyLogFile::new());
@ -604,7 +600,7 @@ impl Opt {
} }
if self.ssl_tickets { if self.ssl_tickets {
config.ticketer = rustls::Ticketer::new().unwrap(); config.ticketer = rustls::crypto::ring::Ticketer::new().unwrap();
} }
Ok(Some(config)) Ok(Some(config))
@ -769,21 +765,26 @@ impl Deref for MaxThreads {
} }
} }
fn load_certs(filename: PathBuf) -> anyhow::Result<Vec<rustls::Certificate>> { fn load_certs(
filename: PathBuf,
) -> anyhow::Result<Vec<rustls::pki_types::CertificateDer<'static>>> {
let certfile = let certfile =
fs::File::open(filename).map_err(|_| anyhow::anyhow!("cannot open certificate file"))?; fs::File::open(filename).map_err(|_| anyhow::anyhow!("cannot open certificate file"))?;
let mut reader = BufReader::new(certfile); let mut reader = BufReader::new(certfile);
certs(&mut reader) certs(&mut reader)
.map(|certs| certs.into_iter().map(rustls::Certificate).collect()) .collect::<Result<Vec<_>, _>>()
.map_err(|_| anyhow::anyhow!("cannot read certificate file")) .map_err(|_| anyhow::anyhow!("cannot read certificate file"))
} }
fn load_private_key(filename: PathBuf) -> anyhow::Result<rustls::PrivateKey> { fn load_private_key(
filename: PathBuf,
) -> anyhow::Result<rustls::pki_types::PrivateKeyDer<'static>> {
let rsa_keys = { let rsa_keys = {
let keyfile = fs::File::open(filename.clone()) let keyfile = fs::File::open(filename.clone())
.map_err(|_| anyhow::anyhow!("cannot open private key file"))?; .map_err(|_| anyhow::anyhow!("cannot open private key file"))?;
let mut reader = BufReader::new(keyfile); let mut reader = BufReader::new(keyfile);
rsa_private_keys(&mut reader) rsa_private_keys(&mut reader)
.collect::<Result<Vec<_>, _>>()
.map_err(|_| anyhow::anyhow!("file contains invalid rsa private key"))? .map_err(|_| anyhow::anyhow!("file contains invalid rsa private key"))?
}; };
@ -791,19 +792,21 @@ fn load_private_key(filename: PathBuf) -> anyhow::Result<rustls::PrivateKey> {
let keyfile = fs::File::open(filename) let keyfile = fs::File::open(filename)
.map_err(|_| anyhow::anyhow!("cannot open private key file"))?; .map_err(|_| anyhow::anyhow!("cannot open private key file"))?;
let mut reader = BufReader::new(keyfile); let mut reader = BufReader::new(keyfile);
pkcs8_private_keys(&mut reader).map_err(|_| { rustls_pemfile::pkcs8_private_keys(&mut reader).collect::<Result<Vec<_>, _>>().map_err(
anyhow::anyhow!( |_| {
"file contains invalid pkcs8 private key (encrypted keys not supported)" anyhow::anyhow!(
) "file contains invalid pkcs8 private key (encrypted keys not supported)"
})? )
},
)?
}; };
// prefer to load pkcs8 keys // prefer to load pkcs8 keys
if !pkcs8_keys.is_empty() { if !pkcs8_keys.is_empty() {
Ok(rustls::PrivateKey(pkcs8_keys[0].clone())) Ok(rustls::pki_types::PrivateKeyDer::Pkcs8(pkcs8_keys[0].clone_key()))
} else { } else {
assert!(!rsa_keys.is_empty()); assert!(!rsa_keys.is_empty());
Ok(rustls::PrivateKey(rsa_keys[0].clone())) Ok(rustls::pki_types::PrivateKeyDer::Pkcs1(rsa_keys[0].clone_key()))
} }
} }
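Review bot: `assert!(!rsa_keys.is_empty())` on the new side of load_private_key (hunk `@ -791`) still turns a key file that holds neither a pkcs8 nor a pkcs1 key into a panic at startup, while every other failure in this function is reported as an anyhow error; the port to rustls-pemfile 2.x would be a good moment to make it `let key = rsa_keys.first().ok_or_else(|| anyhow::anyhow!("file contains no pkcs8 or rsa private key"))?;` followed by `Ok(rustls::pki_types::PrivateKeyDer::Pkcs1(key.clone_key()))`. The same pattern survives in get_ssl_config at `client_auth_roots.add(root).unwrap();` (hunk `@ -569`), where `RootCertStore::add` returns `Result<(), rustls::Error>` and `client_auth_roots.add(root)?;` would report a bad CA certificate instead of aborting. rustls-pemfile 2.x also offers `rustls_pemfile::private_key(&mut reader)`, which reads the file once and returns the first key of any supported type as `Option<PrivateKeyDer<'static>>`; it would replace both reads and the assert, but it does not implement the "prefer pkcs8 over rsa" ordering this code keeps, so only adopt it if that preference is not needed. load_private_key's middle (between the `@ -769` and `@ -791` hunks) is outside the shown hunks.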