Merge #4806

4806: Update rustls as much as possible r=Kerollmops a=irevoire # Pull Request ## Related issue Part of https://github.com/meilisearch/meilisearch/issues/4753 ## What does this PR do? - Update rustls as much as possible ## What is missing In rustls-0.22.0 two structures we were using have been removed with no explanation or workaround <img width="518" alt="image" src="https://github.com/user-attachments/assets/fa112db1-3400-4163-8819-7913f22d6b87"> Co-authored-by: Tamo <tamo@meilisearch.com>
2024-09-16 21:51:46 +02:00 · 2024-07-17 17:00:01 +00:00 · 2024-07-17 17:00:01 +00:00 · 6e9d0de8b7
commit 6e9d0de8b7
parent ea73615abf 1bfb16386c
4 changed files with 52 additions and 104 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -149,11 +149,11 @@ dependencies = [
 "futures-core",
 "impl-more",
 "pin-project-lite",
+ "rustls-pki-types",
 "tokio",
- "tokio-rustls 0.24.1",
+ "tokio-rustls",
 "tokio-util",
 "tracing",
- "webpki-roots 0.25.3",
 ]

 [[package]]
@ -2461,12 +2461,12 @@ dependencies = [
 "http 1.1.0",
 "hyper",
 "hyper-util",
- "rustls 0.23.11",
+ "rustls",
 "rustls-pki-types",
 "tokio",
- "tokio-rustls 0.26.0",
+ "tokio-rustls",
 "tower-service",
- "webpki-roots 0.26.1",
+ "webpki-roots",
 ]

 [[package]]
@ -3395,8 +3395,9 @@ dependencies = [
 "regex",
 "reqwest",
 "roaring",
- "rustls 0.21.12",
- "rustls-pemfile 1.0.4",
+ "rustls",
+ "rustls-pemfile",
+ "rustls-pki-types",
 "segment",
 "serde",
 "serde_json",
@ -4273,7 +4274,7 @@ dependencies = [
 "quinn-proto",
 "quinn-udp",
 "rustc-hash",
- "rustls 0.23.11",
+ "rustls",
 "thiserror",
 "tokio",
 "tracing",
@ -4289,7 +4290,7 @@ dependencies = [
 "rand",
 "ring",
 "rustc-hash",
- "rustls 0.23.11",
+ "rustls",
 "slab",
 "thiserror",
 "tinyvec",
@ -4517,15 +4518,15 @@ dependencies = [
 "percent-encoding",
 "pin-project-lite",
 "quinn",
- "rustls 0.23.11",
- "rustls-pemfile 2.1.2",
+ "rustls",
+ "rustls-pemfile",
 "rustls-pki-types",
 "serde",
 "serde_json",
 "serde_urlencoded",
 "sync_wrapper",
 "tokio",
- "tokio-rustls 0.26.0",
+ "tokio-rustls",
 "tokio-util",
 "tower-service",
 "url",
@ -4533,7 +4534,7 @@ dependencies = [
 "wasm-bindgen-futures",
 "wasm-streams",
 "web-sys",
- "webpki-roots 0.26.1",
+ "webpki-roots",
 "winreg",
 ]

@ -4683,18 +4684,6 @@ dependencies = [
 "windows-sys 0.52.0",
 ]

-[[package]]
-name = "rustls"
-version = "0.21.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e"
-dependencies = [
- "log",
- "ring",
- "rustls-webpki 0.101.7",
- "sct",
-]
-
 [[package]]
 name = "rustls"
 version = "0.23.11"
@ -4705,20 +4694,11 @@ dependencies = [
 "once_cell",
 "ring",
 "rustls-pki-types",
- "rustls-webpki 0.102.5",
+ "rustls-webpki",
 "subtle",
 "zeroize",
 ]

-[[package]]
-name = "rustls-pemfile"
-version = "1.0.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c"
-dependencies = [
- "base64 0.21.7",
-]
-
 [[package]]
 name = "rustls-pemfile"
 version = "2.1.2"
@ -4735,16 +4715,6 @@ version = "1.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d"

-[[package]]
-name = "rustls-webpki"
-version = "0.101.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
-dependencies = [
- "ring",
- "untrusted",
-]
-
 [[package]]
 name = "rustls-webpki"
 version = "0.102.5"
@ -4793,16 +4763,6 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"

-[[package]]
-name = "sct"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
-dependencies = [
- "ring",
- "untrusted",
-]
-
 [[package]]
 name = "seahash"
 version = "4.1.0"
@ -5483,23 +5443,13 @@ dependencies = [
 "syn 2.0.60",
 ]

-[[package]]
-name = "tokio-rustls"
-version = "0.24.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081"
-dependencies = [
- "rustls 0.21.12",
- "tokio",
-]
-
 [[package]]
 name = "tokio-rustls"
 version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4"
 dependencies = [
- "rustls 0.23.11",
+ "rustls",
 "rustls-pki-types",
 "tokio",
 ]
@ -5805,13 +5755,13 @@ dependencies = [
 "flate2",
 "log",
 "once_cell",
- "rustls 0.23.11",
+ "rustls",
 "rustls-pki-types",
 "serde",
 "serde_json",
 "socks",
 "url",
- "webpki-roots 0.26.1",
+ "webpki-roots",
 ]

 [[package]]
@ -6036,12 +5986,6 @@ dependencies = [
 "wasm-bindgen",
 ]

-[[package]]
-name = "webpki-roots"
-version = "0.25.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10"
-
 [[package]]
 name = "webpki-roots"
 version = "0.26.1"
--- a/meilisearch/Cargo.toml
+++ b/meilisearch/Cargo.toml
@ -17,7 +17,7 @@ actix-cors = "0.7.0"
 actix-http = { version = "3.8.0", default-features = false, features = [
    "compress-brotli",
    "compress-gzip",
-    "rustls-0_21",
+    "rustls-0_23",
 ] }
 actix-utils = "3.0.1"
 actix-web = { version = "4.8.0", default-features = false, features = [
@ -25,7 +25,7 @@ actix-web = { version = "4.8.0", default-features = false, features = [
    "compress-brotli",
    "compress-gzip",
    "cookies",
-    "rustls-0_21",
+    "rustls-0_23",
 ] }
 anyhow = { version = "1.0.86", features = ["backtrace"] }
 async-trait = "0.1.81"
@ -72,8 +72,9 @@ reqwest = { version = "0.12.5", features = [
    "rustls-tls",
    "json",
 ], default-features = false }
-rustls = "0.21.12"
-rustls-pemfile = "1.0.4"
+rustls = { version = "0.23.11", features = ["ring"], default-features = false }
+rustls-pki-types = { version = "1.7.0", features = ["alloc"] }
+rustls-pemfile = "2.1.2"
 segment = { version = "0.2.4", optional = true }
 serde = { version = "1.0.204", features = ["derive"] }
 serde_json = { version = "1.0.120", features = ["preserve_order"] }
--- a/meilisearch/src/main.rs
+++ b/meilisearch/src/main.rs
@ -151,7 +151,7 @@ async fn run_http(
    .keep_alive(KeepAlive::Os);

    if let Some(config) = opt_clone.get_ssl_config()? {
-        http_server.bind_rustls_021(opt_clone.http_addr, config)?.run().await?;
+        http_server.bind_rustls_0_23(opt_clone.http_addr, config)?.run().await?;
    } else {
        http_server.bind(&opt_clone.http_addr)?.run().await?;
    }
--- a/meilisearch/src/option.rs
+++ b/meilisearch/src/option.rs
@ -14,11 +14,9 @@ use clap::Parser;
 use meilisearch_types::features::InstanceTogglableFeatures;
 use meilisearch_types::milli::update::IndexerConfig;
 use meilisearch_types::milli::ThreadPoolNoAbortBuilder;
-use rustls::server::{
-    AllowAnyAnonymousOrAuthenticatedClient, AllowAnyAuthenticatedClient, ServerSessionMemoryCache,
-};
+use rustls::server::{ServerSessionMemoryCache, WebPkiClientVerifier};
 use rustls::RootCertStore;
-use rustls_pemfile::{certs, pkcs8_private_keys, rsa_private_keys};
+use rustls_pemfile::{certs, rsa_private_keys};
 use serde::{Deserialize, Serialize};
 use sysinfo::{MemoryRefreshKind, RefreshKind, System};
 use url::Url;
@ -582,23 +580,21 @@ impl Opt {

    pub fn get_ssl_config(&self) -> anyhow::Result<Option<rustls::ServerConfig>> {
        if let (Some(cert_path), Some(key_path)) = (&self.ssl_cert_path, &self.ssl_key_path) {
-            let config = rustls::ServerConfig::builder().with_safe_defaults();
+            let config = rustls::ServerConfig::builder();

            let config = match &self.ssl_auth_path {
                Some(auth_path) => {
                    let roots = load_certs(auth_path.to_path_buf())?;
                    let mut client_auth_roots = RootCertStore::empty();
                    for root in roots {
-                        client_auth_roots.add(&root).unwrap();
+                        client_auth_roots.add(root).unwrap();
                    }
-                    if self.ssl_require_auth {
-                        let verifier = AllowAnyAuthenticatedClient::new(client_auth_roots);
-                        config.with_client_cert_verifier(Arc::from(verifier))
-                    } else {
-                        let verifier =
-                            AllowAnyAnonymousOrAuthenticatedClient::new(client_auth_roots);
-                        config.with_client_cert_verifier(Arc::from(verifier))
+                    let mut client_verifier =
+                        WebPkiClientVerifier::builder(client_auth_roots.into());
+                    if !self.ssl_require_auth {
+                        client_verifier = client_verifier.allow_unauthenticated();
                    }
+                    config.with_client_cert_verifier(client_verifier.build()?)
                }
                None => config.with_no_client_auth(),
            };
@ -607,7 +603,7 @@ impl Opt {
            let privkey = load_private_key(key_path.to_path_buf())?;
            let ocsp = load_ocsp(&self.ssl_ocsp_path)?;
            let mut config = config
-                .with_single_cert_with_ocsp_and_sct(certs, privkey, ocsp, vec![])
+                .with_single_cert_with_ocsp(certs, privkey, ocsp)
                .map_err(|_| anyhow::anyhow!("bad certificates/private key"))?;

            config.key_log = Arc::new(rustls::KeyLogFile::new());
@ -617,7 +613,7 @@ impl Opt {
            }

            if self.ssl_tickets {
-                config.ticketer = rustls::Ticketer::new().unwrap();
+                config.ticketer = rustls::crypto::ring::Ticketer::new().unwrap();
            }

            Ok(Some(config))
@ -783,21 +779,26 @@ impl Deref for MaxThreads {
    }
 }

-fn load_certs(filename: PathBuf) -> anyhow::Result<Vec<rustls::Certificate>> {
+fn load_certs(
+    filename: PathBuf,
+) -> anyhow::Result<Vec<rustls::pki_types::CertificateDer<'static>>> {
    let certfile =
        fs::File::open(filename).map_err(|_| anyhow::anyhow!("cannot open certificate file"))?;
    let mut reader = BufReader::new(certfile);
    certs(&mut reader)
-        .map(|certs| certs.into_iter().map(rustls::Certificate).collect())
+        .collect::<Result<Vec<_>, _>>()
        .map_err(|_| anyhow::anyhow!("cannot read certificate file"))
 }

-fn load_private_key(filename: PathBuf) -> anyhow::Result<rustls::PrivateKey> {
+fn load_private_key(
+    filename: PathBuf,
+) -> anyhow::Result<rustls::pki_types::PrivateKeyDer<'static>> {
    let rsa_keys = {
        let keyfile = fs::File::open(filename.clone())
            .map_err(|_| anyhow::anyhow!("cannot open private key file"))?;
        let mut reader = BufReader::new(keyfile);
        rsa_private_keys(&mut reader)
+            .collect::<Result<Vec<_>, _>>()
            .map_err(|_| anyhow::anyhow!("file contains invalid rsa private key"))?
    };

@ -805,19 +806,21 @@ fn load_private_key(filename: PathBuf) -> anyhow::Result<rustls::PrivateKey> {
        let keyfile = fs::File::open(filename)
            .map_err(|_| anyhow::anyhow!("cannot open private key file"))?;
        let mut reader = BufReader::new(keyfile);
-        pkcs8_private_keys(&mut reader).map_err(|_| {
-            anyhow::anyhow!(
-                "file contains invalid pkcs8 private key (encrypted keys not supported)"
-            )
-        })?
+        rustls_pemfile::pkcs8_private_keys(&mut reader).collect::<Result<Vec<_>, _>>().map_err(
+            |_| {
+                anyhow::anyhow!(
+                    "file contains invalid pkcs8 private key (encrypted keys not supported)"
+                )
+            },
+        )?
    };

    // prefer to load pkcs8 keys
    if !pkcs8_keys.is_empty() {
-        Ok(rustls::PrivateKey(pkcs8_keys[0].clone()))
+        Ok(rustls::pki_types::PrivateKeyDer::Pkcs8(pkcs8_keys[0].clone_key()))
    } else {
        assert!(!rsa_keys.is_empty());
-        Ok(rustls::PrivateKey(rsa_keys[0].clone()))
+        Ok(rustls::pki_types::PrivateKeyDer::Pkcs1(rsa_keys[0].clone_key()))
    }
 }