From 3622aea96db7e1c85cb71ee4b30f872fcdc33fa9 Mon Sep 17 00:00:00 2001 From: Ryan Dahl Date: Mon, 18 Oct 2021 21:36:44 -0400 Subject: [PATCH 01/17] port test_util to rustls 0.20 --- Cargo.lock | 131 +++++++++++++++++++++++++++++++++++-------- test_util/Cargo.toml | 5 +- test_util/src/lib.rs | 44 +++++++++------ 3 files changed, 138 insertions(+), 42 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 9db17c3051e04..666c69d4d44bc 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -974,10 +974,10 @@ dependencies = [ "deno_core", "lazy_static", "reqwest", - "rustls", + "rustls 0.19.1", "rustls-native-certs", "serde", - "webpki", + "webpki 0.21.4", "webpki-roots", ] @@ -1034,8 +1034,8 @@ dependencies = [ "hyper", "serde", "tokio", - "tokio-rustls", - "tokio-tungstenite", + "tokio-rustls 0.22.0", + "tokio-tungstenite 0.14.0", ] [[package]] @@ -1814,10 +1814,10 @@ dependencies = [ "futures-util", "hyper", "log", - "rustls", + "rustls 0.19.1", "tokio", - "tokio-rustls", - "webpki", + "tokio-rustls 0.22.0", + "webpki 0.21.4", ] [[package]] @@ -2981,12 +2981,12 @@ dependencies = [ "mime", "percent-encoding", "pin-project-lite", - "rustls", + "rustls 0.19.1", "serde", "serde_json", "serde_urlencoded", "tokio", - "tokio-rustls", + "tokio-rustls 0.22.0", "tokio-util", "url", "wasm-bindgen", @@ -3106,8 +3106,20 @@ dependencies = [ "base64 0.13.0", "log", "ring", - "sct", - "webpki", + "sct 0.6.1", + "webpki 0.21.4", +] + +[[package]] +name = "rustls" +version = "0.20.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9b5ac6078ca424dc1d3ae2328526a76787fecc7f8011f520e3276730e711fc95" +dependencies = [ + "log", + "ring", + "sct 0.7.0", + "webpki 0.22.0", ] [[package]] @@ -3117,11 +3129,20 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5a07b7c1885bd8ed3831c289b7870b13ef46fe0e856d288c30d9cc17d75a2092" dependencies = [ "openssl-probe", - "rustls", + "rustls 0.19.1", "schannel", "security-framework", ] +[[package]] +name = "rustls-pemfile" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9" +dependencies = [ + "base64 0.13.0", +] + [[package]] name = "rusty_v8" version = "0.32.0" @@ -3215,6 +3236,16 @@ dependencies = [ "untrusted", ] +[[package]] +name = "sct" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "security-framework" version = "2.3.1" @@ -4033,12 +4064,13 @@ dependencies = [ "os_pipe", "pty", "regex", + "rustls-pemfile", "serde", "serde_json", "tempfile", "tokio", - "tokio-rustls", - "tokio-tungstenite", + "tokio-rustls 0.23.0", + "tokio-tungstenite 0.15.0", "winapi 0.3.9", ] @@ -4149,9 +4181,20 @@ version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6" dependencies = [ - "rustls", + "rustls 0.19.1", + "tokio", + "webpki 0.21.4", +] + +[[package]] +name = "tokio-rustls" +version = "0.23.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d49194a46b06a69f2498a34a595ab4a9c1babd2642ffa3dbccf6c6778d1426f2" +dependencies = [ + "rustls 0.20.0", "tokio", - "webpki", + "webpki 0.22.0", ] [[package]] @@ -4174,14 +4217,27 @@ dependencies = [ "futures-util", "log", "pin-project", - "rustls", + "rustls 0.19.1", "tokio", - "tokio-rustls", - "tungstenite", - "webpki", + "tokio-rustls 0.22.0", + "tungstenite 0.13.0", + "webpki 0.21.4", "webpki-roots", ] +[[package]] +name = "tokio-tungstenite" +version = "0.15.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "511de3f85caf1c98983545490c3d09685fa8eb634e57eec22bb4db271f46cbd8" +dependencies = [ + "futures-util", + "log", + "pin-project", + "tokio", + "tungstenite 0.14.0", +] + [[package]] name = "tokio-util" version = "0.6.8" @@ -4353,15 +4409,34 @@ dependencies = [ "input_buffer", "log", "rand 0.8.4", - "rustls", + "rustls 0.19.1", "sha-1", "thiserror", "url", "utf-8", - "webpki", + "webpki 0.21.4", "webpki-roots", ] +[[package]] +name = "tungstenite" +version = "0.14.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a0b2d8558abd2e276b0a8df5c05a2ec762609344191e5fd23e292c910e9165b5" +dependencies = [ + "base64 0.13.0", + "byteorder", + "bytes", + "http", + "httparse", + "log", + "rand 0.8.4", + "sha-1", + "thiserror", + "url", + "utf-8", +] + [[package]] name = "twoway" version = "0.2.2" @@ -4670,13 +4745,23 @@ dependencies = [ "untrusted", ] +[[package]] +name = "webpki" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "webpki-roots" version = "0.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "aabe153544e473b775453675851ecc86863d2a81d786d741f6b76778f2a48940" dependencies = [ - "webpki", + "webpki 0.21.4", ] [[package]] diff --git a/test_util/Cargo.toml b/test_util/Cargo.toml index 92523ac817a97..b835cc7cb9a6d 100644 --- a/test_util/Cargo.toml +++ b/test_util/Cargo.toml @@ -21,12 +21,13 @@ hyper = { version = "0.14.12", features = ["server", "http1", "runtime"] } lazy_static = "1.4.0" os_pipe = "0.9.2" regex = "1.5.4" +rustls-pemfile = "0.2.1" serde = { version = "1.0.126", features = ["derive"] } serde_json = "1.0.65" tempfile = "3.2.0" tokio = { version = "1.10.1", features = ["full"] } -tokio-rustls = "0.22.0" -tokio-tungstenite = "0.14.0" +tokio-rustls = "0.23" +tokio-tungstenite = "0.15" [target.'cfg(unix)'.dependencies] pty = "0.2.2" diff --git a/test_util/src/lib.rs b/test_util/src/lib.rs index f20601340aeec..08d6496d64e1a 100644 --- a/test_util/src/lib.rs +++ b/test_util/src/lib.rs @@ -15,6 +15,8 @@ use hyper::StatusCode; use lazy_static::lazy_static; use os_pipe::pipe; use regex::Regex; +use rustls::Certificate; +use rustls::PrivateKey; use serde::Serialize; use std::collections::HashMap; use std::convert::Infallible; @@ -40,7 +42,7 @@ use tempfile::TempDir; use tokio::io::AsyncWriteExt; use tokio::net::TcpListener; use tokio::net::TcpStream; -use tokio_rustls::rustls::{self, Session}; +use tokio_rustls::rustls; use tokio_rustls::TlsAcceptor; use tokio_tungstenite::accept_async; @@ -303,21 +305,25 @@ async fn get_tls_config( let key_file = std::fs::File::open(key_path)?; let ca_file = std::fs::File::open(ca_path)?; - let mut cert_reader = io::BufReader::new(cert_file); - let cert = rustls::internal::pemfile::certs(&mut cert_reader) - .expect("Cannot load certificate"); + let certs: Vec = { + let mut cert_reader = io::BufReader::new(cert_file); + rustls_pemfile::certs(&mut cert_reader) + .unwrap() + .into_iter() + .map(Certificate) + .collect() + }; let mut ca_cert_reader = io::BufReader::new(ca_file); - let ca_cert = rustls::internal::pemfile::certs(&mut ca_cert_reader) + let ca_cert = rustls_pemfile::certs(&mut ca_cert_reader) .expect("Cannot load CA certificate") .remove(0); let mut key_reader = io::BufReader::new(key_file); let key = { - let pkcs8_key = - rustls::internal::pemfile::pkcs8_private_keys(&mut key_reader) - .expect("Cannot load key file"); - let rsa_key = rustls::internal::pemfile::rsa_private_keys(&mut key_reader) + let pkcs8_key = rustls_pemfile::pkcs8_private_keys(&mut key_reader) + .expect("Cannot load key file"); + let rsa_key = rustls_pemfile::rsa_private_keys(&mut key_reader) .expect("Cannot load key file"); if !pkcs8_key.is_empty() { Some(pkcs8_key[0].clone()) @@ -331,13 +337,17 @@ async fn get_tls_config( match key { Some(key) => { let mut root_cert_store = rustls::RootCertStore::empty(); - root_cert_store.add(&ca_cert).unwrap(); + root_cert_store.add(&rustls::Certificate(ca_cert)).unwrap(); + // Allow (but do not require) client authentication. - let allow_client_auth = - rustls::AllowAnyAnonymousOrAuthenticatedClient::new(root_cert_store); - let mut config = rustls::ServerConfig::new(allow_client_auth); - config - .set_single_cert(cert, key) + let config = rustls::ServerConfig::builder() + .with_safe_defaults() + .with_client_cert_verifier( + rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new( + root_cert_store, + ), + ) + .with_single_cert(certs, PrivateKey(key)) .map_err(|e| { eprintln!("Error setting cert: {:?}", e); }) @@ -437,7 +447,7 @@ async fn run_tls_client_auth_server() { let (_, tls_session) = tls_stream.get_mut(); // We only need to check for the presence of client certificates // here. Rusttls ensures that they are valid and signed by the CA. - let response = match tls_session.get_peer_certificates() { + let response = match tls_session.peer_certificates() { Some(_certs) => b"PASS", None => b"FAIL", }; @@ -1018,7 +1028,7 @@ async fn wrap_client_auth_https_server() { let (_, tls_session) = tls_stream.get_mut(); // We only need to check for the presence of client certificates // here. Rusttls ensures that they are valid and signed by the CA. - match tls_session.get_peer_certificates() { + match tls_session.peer_certificates() { Some(_certs) => { yield Ok(tls_stream); }, None => { eprintln!("https_client_auth: no valid client certificate"); }, }; From dbaeda7569e89a97475e0430d93470f48b9874a3 Mon Sep 17 00:00:00 2001 From: Ryan Dahl Date: Mon, 18 Oct 2021 22:55:13 -0400 Subject: [PATCH 02/17] port deno_tls but with unfortunate duplicated code... --- Cargo.lock | 22 ++++-- ext/tls/Cargo.toml | 7 +- ext/tls/lib.rs | 176 +++++++++++++++++++++++++-------------------- 3 files changed, 119 insertions(+), 86 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 666c69d4d44bc..625ff2b28c6d0 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -974,11 +974,12 @@ dependencies = [ "deno_core", "lazy_static", "reqwest", - "rustls 0.19.1", + "rustls 0.20.0", "rustls-native-certs", + "rustls-pemfile", "serde", - "webpki 0.21.4", - "webpki-roots", + "webpki 0.22.0", + "webpki-roots 0.22.1", ] [[package]] @@ -2992,7 +2993,7 @@ dependencies = [ "wasm-bindgen", "wasm-bindgen-futures", "web-sys", - "webpki-roots", + "webpki-roots 0.21.1", "winreg 0.7.0", ] @@ -4222,7 +4223,7 @@ dependencies = [ "tokio-rustls 0.22.0", "tungstenite 0.13.0", "webpki 0.21.4", - "webpki-roots", + "webpki-roots 0.21.1", ] [[package]] @@ -4415,7 +4416,7 @@ dependencies = [ "url", "utf-8", "webpki 0.21.4", - "webpki-roots", + "webpki-roots 0.21.1", ] [[package]] @@ -4764,6 +4765,15 @@ dependencies = [ "webpki 0.21.4", ] +[[package]] +name = "webpki-roots" +version = "0.22.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c475786c6f47219345717a043a37ec04cb4bc185e28853adcc4fa0a947eba630" +dependencies = [ + "webpki 0.22.0", +] + [[package]] name = "wgpu-core" version = "0.10.4" diff --git a/ext/tls/Cargo.toml b/ext/tls/Cargo.toml index 000031555c80a..5b7946941e104 100644 --- a/ext/tls/Cargo.toml +++ b/ext/tls/Cargo.toml @@ -17,8 +17,9 @@ path = "lib.rs" deno_core = { version = "0.104.0", path = "../../core" } lazy_static = "1.4.0" reqwest = { version = "0.11.4", default-features = false, features = ["rustls-tls", "stream", "gzip", "brotli"] } -rustls = { version = "0.19.1", features = ["dangerous_configuration"] } +rustls = { version = "0.20", features = ["dangerous_configuration"] } +rustls-pemfile = "0.2.1" rustls-native-certs = "0.5.0" serde = { version = "1.0.129", features = ["derive"] } -webpki = "0.21.4" -webpki-roots = "0.21.1" +webpki = "0.22" +webpki-roots = "0.22" diff --git a/ext/tls/lib.rs b/ext/tls/lib.rs index 076ef59fb7eed..60e4f0f2282d1 100644 --- a/ext/tls/lib.rs +++ b/ext/tls/lib.rs @@ -17,27 +17,26 @@ use reqwest::header::HeaderMap; use reqwest::header::USER_AGENT; use reqwest::redirect::Policy; use reqwest::Client; -use rustls::internal::msgs::handshake::DigitallySignedStruct; -use rustls::internal::pemfile::certs; -use rustls::internal::pemfile::pkcs8_private_keys; -use rustls::internal::pemfile::rsa_private_keys; +use rustls::client::ServerCertVerified; +use rustls::client::ServerCertVerifier; +use rustls::client::StoresClientSessions; +use rustls::client::WebPkiVerifier; use rustls::Certificate; use rustls::ClientConfig; -use rustls::HandshakeSignatureValid; +use rustls::Error; use rustls::PrivateKey; use rustls::RootCertStore; -use rustls::ServerCertVerified; -use rustls::ServerCertVerifier; -use rustls::StoresClientSessions; -use rustls::TLSError; -use rustls::WebPKIVerifier; +use rustls::ServerName; +use rustls_pemfile::certs; +use rustls_pemfile::pkcs8_private_keys; +use rustls_pemfile::rsa_private_keys; use serde::Deserialize; use std::collections::HashMap; use std::io::BufRead; use std::io::BufReader; use std::io::Cursor; use std::sync::Arc; -use webpki::DNSNameRef; +use std::time::SystemTime; /// This extension has no runtime apis, it only exports some shared native functions. pub fn init() -> Extension { @@ -49,42 +48,33 @@ pub struct NoCertificateVerification(pub Vec); impl ServerCertVerifier for NoCertificateVerification { fn verify_server_cert( &self, - roots: &RootCertStore, - presented_certs: &[Certificate], - dns_name_ref: DNSNameRef<'_>, - ocsp: &[u8], - ) -> Result { - let dns_name: &str = dns_name_ref.into(); - let dns_name: String = dns_name.to_owned(); - if self.0.is_empty() || self.0.contains(&dns_name) { - Ok(ServerCertVerified::assertion()) + end_entity: &Certificate, + intermediates: &[Certificate], + server_name: &ServerName, + scts: &mut dyn Iterator, + ocsp_response: &[u8], + now: SystemTime, + ) -> Result { + if let ServerName::DnsName(dns_name) = server_name { + let dns_name = dns_name.as_ref().to_owned(); + if self.0.is_empty() || self.0.contains(&dns_name) { + Ok(ServerCertVerified::assertion()) + } else { + let root_store = create_default_root_cert_store(); + let verifier = WebPkiVerifier::new(root_store, None); + verifier.verify_server_cert( + end_entity, + intermediates, + server_name, + scts, + ocsp_response, + now, + ) + } } else { - WebPKIVerifier::new().verify_server_cert( - roots, - presented_certs, - dns_name_ref, - ocsp, - ) + todo!() } } - - fn verify_tls12_signature( - &self, - _message: &[u8], - _cert: &Certificate, - _dss: &DigitallySignedStruct, - ) -> Result { - Ok(HandshakeSignatureValid::assertion()) - } - - fn verify_tls13_signature( - &self, - _message: &[u8], - _cert: &Certificate, - _dss: &DigitallySignedStruct, - ) -> Result { - Ok(HandshakeSignatureValid::assertion()) - } } #[derive(Deserialize, Default, Debug, Clone)] @@ -130,7 +120,15 @@ impl StoresClientSessions for ClientSessionMemoryCache { pub fn create_default_root_cert_store() -> RootCertStore { let mut root_cert_store = RootCertStore::empty(); // TODO(@justinmchase): Consider also loading the system keychain here - root_cert_store.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS); + root_cert_store.add_server_trust_anchors( + webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| { + rustls::OwnedTrustAnchor::from_subject_spki_name_constraints( + ta.subject, + ta.spki, + ta.name_constraints, + ) + }), + ); root_cert_store } @@ -138,28 +136,63 @@ pub fn create_client_config( root_cert_store: Option, ca_certs: Vec>, unsafely_ignore_certificate_errors: Option>, + client_cert_chain_and_key: Option<(String, String)>, ) -> Result { - let mut tls_config = ClientConfig::new(); - tls_config.set_persistence(CLIENT_SESSION_MEMORY_CACHE.clone()); - tls_config.root_store = - root_cert_store.unwrap_or_else(create_default_root_cert_store); - - // If custom certs are specified, add them to the store - for cert in ca_certs { - let reader = &mut BufReader::new(Cursor::new(cert)); - // This function does not return specific errors, if it fails give a generic message. - if let Err(()) = tls_config.root_store.add_pem_file(reader) { - return Err(anyhow!("Unable to add pem file to certificate store")); - } - } + let b = ClientConfig::builder().with_safe_defaults(); if let Some(ic_allowlist) = unsafely_ignore_certificate_errors { - tls_config.dangerous().set_certificate_verifier(Arc::new( + let b = b.with_custom_certificate_verifier(Arc::new( NoCertificateVerification(ic_allowlist), )); - } - Ok(tls_config) + // TODO(ry) DUPLICATED CODE HERE. + Ok( + if let Some((cert_chain, private_key)) = client_cert_chain_and_key { + // The `remove` is safe because load_private_keys checks that there is at least one key. + let private_key = load_private_keys(private_key.as_bytes())?.remove(0); + + b.with_single_cert(load_certs(&mut cert_chain.as_bytes())?, private_key) + .expect("invalid client key or certificate") + } else { + b.with_no_client_auth() + }, + ) + } else { + let b = b.with_root_certificates({ + let mut root_cert_store = + root_cert_store.unwrap_or_else(create_default_root_cert_store); + // If custom certs are specified, add them to the store + for cert in ca_certs { + let reader = &mut BufReader::new(Cursor::new(cert)); + // This function does not return specific errors, if it fails give a generic message. + match rustls_pemfile::certs(reader) { + Ok(certs) => { + root_cert_store.add_parsable_certificates(&certs); + } + Err(e) => { + return Err(anyhow!( + "Unable to add pem file to certificate store: {}", + e + )); + } + } + } + root_cert_store + }); + + // TODO(ry) DUPLICATED CODE HERE. + Ok( + if let Some((cert_chain, private_key)) = client_cert_chain_and_key { + // The `remove` is safe because load_private_keys checks that there is at least one key. + let private_key = load_private_keys(private_key.as_bytes())?.remove(0); + + b.with_single_cert(load_certs(&mut cert_chain.as_bytes())?, private_key) + .expect("invalid client key or certificate") + } else { + b.with_no_client_auth() + }, + ) + } } pub fn load_certs( @@ -173,7 +206,7 @@ pub fn load_certs( return Err(e); } - Ok(certs) + Ok(certs.into_iter().map(Certificate).collect()) } fn key_decode_err() -> AnyError { @@ -187,13 +220,13 @@ fn key_not_found_err() -> AnyError { /// Starts with -----BEGIN RSA PRIVATE KEY----- fn load_rsa_keys(mut bytes: &[u8]) -> Result, AnyError> { let keys = rsa_private_keys(&mut bytes).map_err(|_| key_decode_err())?; - Ok(keys) + Ok(keys.into_iter().map(PrivateKey).collect()) } /// Starts with -----BEGIN PRIVATE KEY----- fn load_pkcs8_keys(mut bytes: &[u8]) -> Result, AnyError> { let keys = pkcs8_private_keys(&mut bytes).map_err(|_| key_decode_err())?; - Ok(keys) + Ok(keys.into_iter().map(PrivateKey).collect()) } pub fn load_private_keys(bytes: &[u8]) -> Result, AnyError> { @@ -220,24 +253,13 @@ pub fn create_http_client( unsafely_ignore_certificate_errors: Option>, client_cert_chain_and_key: Option<(String, String)>, ) -> Result { - let mut tls_config = create_client_config( + let tls_config = create_client_config( root_cert_store, ca_certs, unsafely_ignore_certificate_errors, + client_cert_chain_and_key, )?; - if let Some((cert_chain, private_key)) = client_cert_chain_and_key { - // The `remove` is safe because load_private_keys checks that there is at least one key. - let private_key = load_private_keys(private_key.as_bytes())?.remove(0); - - tls_config - .set_single_client_cert( - load_certs(&mut cert_chain.as_bytes())?, - private_key, - ) - .expect("invalid client key or certificate"); - } - let mut headers = HeaderMap::new(); headers.insert(USER_AGENT, user_agent.parse().unwrap()); let mut builder = Client::builder() From 211a8977f94c90a8105a51f91b5d2362e351e476 Mon Sep 17 00:00:00 2001 From: Ryan Dahl Date: Tue, 19 Oct 2021 09:59:41 -0400 Subject: [PATCH 03/17] port deno_net --- ext/net/ops_tls.rs | 159 ++++++++++++++++++--------------------------- 1 file changed, 63 insertions(+), 96 deletions(-) diff --git a/ext/net/ops_tls.rs b/ext/net/ops_tls.rs index d6618440fbf71..5c0586bcd5230 100644 --- a/ext/net/ops_tls.rs +++ b/ext/net/ops_tls.rs @@ -41,13 +41,12 @@ use deno_tls::load_certs; use deno_tls::load_private_keys; use deno_tls::rustls::Certificate; use deno_tls::rustls::ClientConfig; -use deno_tls::rustls::ClientSession; -use deno_tls::rustls::NoClientAuth; +use deno_tls::rustls::ClientConnection; +use deno_tls::rustls::Connection; use deno_tls::rustls::PrivateKey; use deno_tls::rustls::ServerConfig; -use deno_tls::rustls::ServerSession; -use deno_tls::rustls::Session; -use deno_tls::webpki::DNSNameRef; +use deno_tls::rustls::ServerConnection; +use deno_tls::rustls::ServerName; use io::Error; use io::Read; use io::Write; @@ -55,12 +54,11 @@ use serde::Deserialize; use std::borrow::Cow; use std::cell::RefCell; use std::convert::From; +use std::convert::TryFrom; use std::fs::File; use std::io; use std::io::BufReader; use std::io::ErrorKind; -use std::ops::Deref; -use std::ops::DerefMut; use std::path::Path; use std::pin::Pin; use std::rc::Rc; @@ -73,44 +71,6 @@ use tokio::net::TcpListener; use tokio::net::TcpStream; use tokio::task::spawn_local; -#[derive(Debug)] -enum TlsSession { - Client(ClientSession), - Server(ServerSession), -} - -impl Deref for TlsSession { - type Target = dyn Session; - - fn deref(&self) -> &Self::Target { - match self { - TlsSession::Client(client_session) => client_session, - TlsSession::Server(server_session) => server_session, - } - } -} - -impl DerefMut for TlsSession { - fn deref_mut(&mut self) -> &mut Self::Target { - match self { - TlsSession::Client(client_session) => client_session, - TlsSession::Server(server_session) => server_session, - } - } -} - -impl From for TlsSession { - fn from(client_session: ClientSession) -> Self { - TlsSession::Client(client_session) - } -} - -impl From for TlsSession { - fn from(server_session: ServerSession) -> Self { - TlsSession::Server(server_session) - } -} - #[derive(Copy, Clone, Debug, Eq, PartialEq)] enum Flow { Read, @@ -126,11 +86,11 @@ enum State { TcpClosed, } -#[derive(Debug)] +//#[derive(Debug)] pub struct TlsStream(Option); impl TlsStream { - fn new(tcp: TcpStream, tls: TlsSession) -> Self { + fn new(tcp: TcpStream, tls: Connection) -> Self { let inner = TlsStreamInner { tcp, tls, @@ -142,18 +102,20 @@ impl TlsStream { pub fn new_client_side( tcp: TcpStream, - tls_config: &Arc, - hostname: DNSNameRef, + tls_config: Arc, + server_name: ServerName, ) -> Self { - let tls = TlsSession::Client(ClientSession::new(tls_config, hostname)); + let tls = Connection::Client( + ClientConnection::new(tls_config, server_name).unwrap(), + ); Self::new(tcp, tls) } pub fn new_server_side( tcp: TcpStream, - tls_config: &Arc, + tls_config: Arc, ) -> Self { - let tls = TlsSession::Server(ServerSession::new(tls_config)); + let tls = Connection::Server(ServerConnection::new(tls_config).unwrap()); Self::new(tcp, tls) } @@ -170,12 +132,14 @@ impl TlsStream { (rd, wr) } + /* /// Tokio-rustls compatibility: returns a reference to the underlying TCP /// stream, and a reference to the Rustls `Session` object. pub fn get_ref(&self) -> (&TcpStream, &dyn Session) { let inner = self.0.as_ref().unwrap(); (&inner.tcp, &*inner.tls) } + */ fn inner_mut(&mut self) -> &mut TlsStreamInner { self.0.as_mut().unwrap() @@ -232,9 +196,9 @@ impl Drop for TlsStream { } } -#[derive(Debug)] +// #[derive(Debug)] pub struct TlsStreamInner { - tls: TlsSession, + tls: Connection, tcp: TcpStream, rd_state: State, wr_state: State, @@ -329,7 +293,7 @@ impl TlsStreamInner { // Do a zero-length plaintext read so we can detect the arrival of // 'CloseNotify' messages, even if only the write half is open. // Actually reading data from the socket is done in `poll_read()`. - match self.tls.read(&mut []) { + match self.tls.reader().read(&mut []) { Ok(0) => {} Err(err) if err.kind() == ErrorKind::ConnectionAborted => { // `Session::read()` returns `ConnectionAborted` when a @@ -353,10 +317,12 @@ impl TlsStreamInner { let mut wrapped_tcp = ImplementReadTrait(&mut self.tcp); match self.tls.read_tls(&mut wrapped_tcp) { Ok(0) => self.rd_state = State::TcpClosed, - Ok(_) => self - .tls - .process_new_packets() - .map_err(|err| Error::new(ErrorKind::InvalidData, err))?, + Ok(_) => { + self + .tls + .process_new_packets() + .map_err(|err| Error::new(ErrorKind::InvalidData, err))?; + } Err(err) if err.kind() == ErrorKind::WouldBlock => {} Err(err) => return Poll::Ready(Err(err)), } @@ -396,7 +362,7 @@ impl TlsStreamInner { if self.rd_state == State::StreamOpen { let buf_slice = unsafe { &mut *(buf.unfilled_mut() as *mut [_] as *mut [u8]) }; - let bytes_read = self.tls.read(buf_slice)?; + let bytes_read = self.tls.reader().read(buf_slice)?; assert_ne!(bytes_read, 0); unsafe { buf.assume_init(bytes_read) }; buf.advance(bytes_read); @@ -418,7 +384,7 @@ impl TlsStreamInner { ready!(self.poll_io(cx, Flow::Write))?; // Copy data from `buf` to the Rustls cleartext send queue. - let bytes_written = self.tls.write(buf)?; + let bytes_written = self.tls.writer().write(buf)?; assert_ne!(bytes_written, 0); // Try to flush as much ciphertext as possible. However, since we just @@ -469,7 +435,7 @@ impl TlsStreamInner { } } -#[derive(Debug)] +// #[derive(Debug)] pub struct ReadHalf { shared: Arc, } @@ -500,7 +466,7 @@ impl AsyncRead for ReadHalf { } } -#[derive(Debug)] +// #[derive(Debug)] pub struct WriteHalf { shared: Arc, } @@ -537,7 +503,7 @@ impl AsyncWrite for WriteHalf { } } -#[derive(Debug)] +// #[derive(Debug)] struct Shared { tls_stream: Mutex, rd_waker: AtomicWaker, @@ -699,8 +665,8 @@ where ca_certs.push(buf); }; - let hostname_dns = DNSNameRef::try_from_ascii_str(hostname) - .map_err(|_| invalid_hostname(hostname))?; + let hostname_dns = + ServerName::try_from(hostname).map_err(|_| invalid_hostname(hostname))?; let unsafely_ignore_certificate_errors = state .borrow() @@ -731,9 +697,10 @@ where root_cert_store, ca_certs, unsafely_ignore_certificate_errors, + None, )?); let tls_stream = - TlsStream::new_client_side(tcp_stream, &tls_config, hostname_dns); + TlsStream::new_client_side(tcp_stream, tls_config, hostname_dns); let rid = { let mut state_ = state.borrow_mut(); @@ -808,8 +775,8 @@ where .borrow::() .root_cert_store .clone(); - let hostname_dns = DNSNameRef::try_from_ascii_str(hostname) - .map_err(|_| invalid_hostname(hostname))?; + let hostname_dns = + ServerName::try_from(hostname).map_err(|_| invalid_hostname(hostname))?; let connect_addr = resolve_addr(hostname, port) .await? @@ -818,33 +785,31 @@ where let tcp_stream = TcpStream::connect(connect_addr).await?; let local_addr = tcp_stream.local_addr()?; let remote_addr = tcp_stream.peer_addr()?; - let mut tls_config = create_client_config( + + let cert_chain_and_key = + if args.cert_chain.is_some() || args.private_key.is_some() { + let cert_chain = args + .cert_chain + .ok_or_else(|| type_error("No certificate chain provided"))?; + let private_key = args + .private_key + .ok_or_else(|| type_error("No private key provided"))?; + Some((cert_chain, private_key)) + } else { + None + }; + + let tls_config = create_client_config( root_cert_store, ca_certs, unsafely_ignore_certificate_errors, + cert_chain_and_key, )?; - if args.cert_chain.is_some() || args.private_key.is_some() { - let cert_chain = args - .cert_chain - .ok_or_else(|| type_error("No certificate chain provided"))?; - let private_key = args - .private_key - .ok_or_else(|| type_error("No private key provided"))?; - - // The `remove` is safe because load_private_keys checks that there is at least one key. - let private_key = load_private_keys(private_key.as_bytes())?.remove(0); - - tls_config.set_single_client_cert( - load_certs(&mut cert_chain.as_bytes())?, - private_key, - )?; - } - let tls_config = Arc::new(tls_config); let tls_stream = - TlsStream::new_client_side(tcp_stream, &tls_config, hostname_dns); + TlsStream::new_client_side(tcp_stream, tls_config, hostname_dns); let rid = { let mut state_ = state.borrow_mut(); @@ -927,18 +892,19 @@ where permissions.check_read(Path::new(key_file))?; } - let mut tls_config = ServerConfig::new(NoClientAuth::new()); + let mut tls_config = ServerConfig::builder() + .with_safe_defaults() + .with_no_client_auth() + .with_single_cert( + load_certs_from_file(cert_file)?, + load_private_keys_from_file(key_file)?.remove(0), + ) + .expect("invalid key or certificate"); if let Some(alpn_protocols) = args.alpn_protocols { super::check_unstable(state, "Deno.listenTls#alpn_protocols"); tls_config.alpn_protocols = alpn_protocols.into_iter().map(|s| s.into_bytes()).collect(); } - tls_config - .set_single_cert( - load_certs_from_file(cert_file)?, - load_private_keys_from_file(key_file)?.remove(0), - ) - .expect("invalid key or certificate"); let bind_addr = resolve_addr_sync(hostname, port)? .next() @@ -994,7 +960,8 @@ async fn op_accept_tls( let local_addr = tcp_stream.local_addr()?; - let tls_stream = TlsStream::new_server_side(tcp_stream, &resource.tls_config); + let tls_stream = + TlsStream::new_server_side(tcp_stream, resource.tls_config.clone()); let rid = { let mut state_ = state.borrow_mut(); From 0a0c463bda26c2eb4b90c0d29da054a53cb376d0 Mon Sep 17 00:00:00 2001 From: Ryan Dahl Date: Tue, 19 Oct 2021 10:17:07 -0400 Subject: [PATCH 04/17] Port deno_websocket --- Cargo.lock | 50 +++++++++++++++------------------------- ext/websocket/Cargo.toml | 10 ++++++-- ext/websocket/lib.rs | 22 ++++++++++-------- 3 files changed, 39 insertions(+), 43 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 625ff2b28c6d0..12498627a3dae 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1035,8 +1035,8 @@ dependencies = [ "hyper", "serde", "tokio", - "tokio-rustls 0.22.0", - "tokio-tungstenite 0.14.0", + "tokio-rustls 0.23.0", + "tokio-tungstenite 0.15.0 (git+https://github.com/dnaka91/tokio-tungstenite?branch=rustls-0.20)", ] [[package]] @@ -1894,15 +1894,6 @@ version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "90953f308a79fe6d62a4643e51f848fbfddcd05975a38e69fdf4ab86a7baf7ca" -[[package]] -name = "input_buffer" -version = "0.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f97967975f448f1a7ddb12b0bc41069d09ed6a1c161a92687e057325db35d413" -dependencies = [ - "bytes", -] - [[package]] name = "instant" version = "0.1.11" @@ -4071,7 +4062,7 @@ dependencies = [ "tempfile", "tokio", "tokio-rustls 0.23.0", - "tokio-tungstenite 0.15.0", + "tokio-tungstenite 0.15.0 (registry+https://github.com/rust-lang/crates.io-index)", "winapi 0.3.9", ] @@ -4211,32 +4202,30 @@ dependencies = [ [[package]] name = "tokio-tungstenite" -version = "0.14.0" +version = "0.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e96bb520beab540ab664bd5a9cfeaa1fcd846fa68c830b42e2c8963071251d2" +checksum = "511de3f85caf1c98983545490c3d09685fa8eb634e57eec22bb4db271f46cbd8" dependencies = [ "futures-util", "log", "pin-project", - "rustls 0.19.1", "tokio", - "tokio-rustls 0.22.0", - "tungstenite 0.13.0", - "webpki 0.21.4", - "webpki-roots 0.21.1", + "tungstenite 0.14.0", ] [[package]] name = "tokio-tungstenite" version = "0.15.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "511de3f85caf1c98983545490c3d09685fa8eb634e57eec22bb4db271f46cbd8" +source = "git+https://github.com/dnaka91/tokio-tungstenite?branch=rustls-0.20#49d4e0b1a0392ab89f47784d6b15eec5f1633cf8" dependencies = [ "futures-util", "log", - "pin-project", + "rustls 0.20.0", "tokio", - "tungstenite 0.14.0", + "tokio-rustls 0.23.0", + "tungstenite 0.15.0", + "webpki 0.22.0", + "webpki-roots 0.22.1", ] [[package]] @@ -4398,32 +4387,27 @@ checksum = "59547bce71d9c38b83d9c0e92b6066c4253371f15005def0c30d9657f50c7642" [[package]] name = "tungstenite" -version = "0.13.0" +version = "0.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5fe8dada8c1a3aeca77d6b51a4f1314e0f4b8e438b7b1b71e3ddaca8080e4093" +checksum = "a0b2d8558abd2e276b0a8df5c05a2ec762609344191e5fd23e292c910e9165b5" dependencies = [ "base64 0.13.0", "byteorder", "bytes", "http", "httparse", - "input_buffer", "log", "rand 0.8.4", - "rustls 0.19.1", "sha-1", "thiserror", "url", "utf-8", - "webpki 0.21.4", - "webpki-roots 0.21.1", ] [[package]] name = "tungstenite" -version = "0.14.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a0b2d8558abd2e276b0a8df5c05a2ec762609344191e5fd23e292c910e9165b5" +version = "0.15.0" +source = "git+https://github.com/dnaka91/tungstenite-rs.git?rev=f4bb653aa03665a83bd98068432602f07cd5634b#f4bb653aa03665a83bd98068432602f07cd5634b" dependencies = [ "base64 0.13.0", "byteorder", @@ -4432,10 +4416,12 @@ dependencies = [ "httparse", "log", "rand 0.8.4", + "rustls 0.20.0", "sha-1", "thiserror", "url", "utf-8", + "webpki 0.22.0", ] [[package]] diff --git a/ext/websocket/Cargo.toml b/ext/websocket/Cargo.toml index 39007a5b6298a..789373b3306bb 100644 --- a/ext/websocket/Cargo.toml +++ b/ext/websocket/Cargo.toml @@ -20,5 +20,11 @@ http = "0.2.4" hyper = { version = "0.14.12" } serde = { version = "1.0.129", features = ["derive"] } tokio = { version = "1.10.1", features = ["full"] } -tokio-rustls = "0.22.0" -tokio-tungstenite = { version = "0.14.0", features = ["rustls-tls"] } +tokio-rustls = "0.23.0" + +[dependencies.tokio-tungstenite] +version = "0.15.0" +features = ["rustls-tls-webpki-roots"] +# TODO(ry) Waiting for https://github.com/snapview/tokio-tungstenite/pull/198 +git = "https://github.com/dnaka91/tokio-tungstenite" +branch = "rustls-0.20" diff --git a/ext/websocket/lib.rs b/ext/websocket/lib.rs index 32ac4cf038743..30d379ef2fa12 100644 --- a/ext/websocket/lib.rs +++ b/ext/websocket/lib.rs @@ -20,26 +20,29 @@ use deno_core::Resource; use deno_core::ResourceId; use deno_core::ZeroCopyBuf; use deno_tls::create_client_config; -use deno_tls::webpki::DNSNameRef; - -use http::{Method, Request, Uri}; +use http::Method; +use http::Request; +use http::Uri; use serde::Deserialize; use serde::Serialize; use std::borrow::Cow; use std::cell::RefCell; +use std::convert::TryFrom; use std::fmt; use std::path::PathBuf; use std::rc::Rc; use std::sync::Arc; use tokio::net::TcpStream; use tokio_rustls::rustls::RootCertStore; +use tokio_rustls::rustls::ServerName; use tokio_rustls::TlsConnector; -use tokio_tungstenite::tungstenite::{ - handshake::client::Response, protocol::frame::coding::CloseCode, - protocol::CloseFrame, Message, -}; +use tokio_tungstenite::client_async; +use tokio_tungstenite::tungstenite::handshake::client::Response; +use tokio_tungstenite::tungstenite::protocol::frame::coding::CloseCode; +use tokio_tungstenite::tungstenite::protocol::CloseFrame; +use tokio_tungstenite::tungstenite::protocol::Message; use tokio_tungstenite::MaybeTlsStream; -use tokio_tungstenite::{client_async, WebSocketStream}; +use tokio_tungstenite::WebSocketStream; pub use tokio_tungstenite; // Re-export tokio_tungstenite @@ -244,9 +247,10 @@ where root_cert_store, vec![], unsafely_ignore_certificate_errors, + None, )?; let tls_connector = TlsConnector::from(Arc::new(tls_config)); - let dnsname = DNSNameRef::try_from_ascii_str(domain) + let dnsname = ServerName::try_from(domain.as_str()) .map_err(|_| invalid_hostname(domain))?; let tls_socket = tls_connector.connect(dnsname, tcp_socket).await?; MaybeTlsStream::Rustls(tls_socket) From 9cb2f8abfde7440ed5ed92b9bc90f8f91ad8be0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= Date: Wed, 1 Dec 2021 17:04:56 +0100 Subject: [PATCH 05/17] make some progress --- Cargo.lock | 103 ++++++++++++--------------------------- ext/fetch/Cargo.toml | 2 +- ext/tls/Cargo.toml | 2 +- ext/tls/lib.rs | 2 +- ext/websocket/Cargo.toml | 8 +-- test_util/Cargo.toml | 2 +- test_util/src/lib.rs | 10 ++-- 7 files changed, 42 insertions(+), 87 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index edff01474f3b7..ab22bb654c745 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -956,7 +956,7 @@ dependencies = [ "deno_core", "lazy_static", "reqwest", - "rustls 0.20.0", + "rustls 0.20.2", "rustls-native-certs", "rustls-pemfile", "serde", @@ -1017,8 +1017,8 @@ dependencies = [ "hyper", "serde", "tokio", - "tokio-rustls 0.23.0", - "tokio-tungstenite 0.15.0 (git+https://github.com/dnaka91/tokio-tungstenite?branch=rustls-0.20)", + "tokio-rustls", + "tokio-tungstenite", ] [[package]] @@ -1794,17 +1794,15 @@ dependencies = [ [[package]] name = "hyper-rustls" -version = "0.22.1" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f9f7a97316d44c0af9b0301e65010573a853a9fc97046d7331d7f6bc0fd5a64" +checksum = "d87c48c02e0dc5e3b849a2041db3029fd066650f8f717c07bf8ed78ccb895cac" dependencies = [ - "futures-util", + "http", "hyper", - "log", - "rustls 0.19.1", + "rustls 0.20.2", "tokio", - "tokio-rustls 0.22.0", - "webpki 0.21.4", + "tokio-rustls", ] [[package]] @@ -2955,9 +2953,9 @@ checksum = "f1382d1f0a252c4bf97dc20d979a2fdd05b024acd7c2ed0f7595d7817666a157" [[package]] name = "reqwest" -version = "0.11.5" +version = "0.11.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "51c732d463dd300362ffb44b7b125f299c23d2990411a4253824630ebc7467fb" +checksum = "07bea77bc708afa10e59905c3d4af7c8fd43c9214251673095ff8b14345fcbc5" dependencies = [ "async-compression", "base64 0.13.0", @@ -2976,12 +2974,13 @@ dependencies = [ "mime", "percent-encoding", "pin-project-lite", - "rustls 0.19.1", + "rustls 0.20.2", + "rustls-pemfile", "serde", "serde_json", "serde_urlencoded", "tokio", - "tokio-rustls 0.22.0", + "tokio-rustls", "tokio-util", "url", "wasm-bindgen", @@ -3107,9 +3106,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.20.0" +version = "0.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9b5ac6078ca424dc1d3ae2328526a76787fecc7f8011f520e3276730e711fc95" +checksum = "d37e5e2290f3e040b594b1a9e04377c2c671f1a1cfd9bfdef82106ac1c113f84" dependencies = [ "log", "ring", @@ -3129,6 +3128,15 @@ dependencies = [ "security-framework", ] +[[package]] +name = "rustls-pemfile" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9" +dependencies = [ + "base64 0.13.0", +] + [[package]] name = "rustyline" version = "9.0.0" @@ -4058,8 +4066,8 @@ dependencies = [ "serde_json", "tempfile", "tokio", - "tokio-rustls 0.23.0", - "tokio-tungstenite 0.15.0 (registry+https://github.com/rust-lang/crates.io-index)", + "tokio-rustls", + "tokio-tungstenite", "winapi 0.3.9", ] @@ -4164,24 +4172,13 @@ dependencies = [ "syn 1.0.65", ] -[[package]] -name = "tokio-rustls" -version = "0.22.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6" -dependencies = [ - "rustls 0.19.1", - "tokio", - "webpki 0.21.4", -] - [[package]] name = "tokio-rustls" version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d49194a46b06a69f2498a34a595ab4a9c1babd2642ffa3dbccf6c6778d1426f2" dependencies = [ - "rustls 0.20.0", + "rustls 0.20.2", "tokio", "webpki 0.22.0", ] @@ -4199,30 +4196,14 @@ dependencies = [ [[package]] name = "tokio-tungstenite" -version = "0.15.0" +version = "0.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "511de3f85caf1c98983545490c3d09685fa8eb634e57eec22bb4db271f46cbd8" +checksum = "e057364a4dd37870b33bf8dc1885d29187d90770f488d599d3ee8d9e4916fbd3" dependencies = [ "futures-util", "log", - "pin-project", "tokio", - "tungstenite 0.14.0", -] - -[[package]] -name = "tokio-tungstenite" -version = "0.15.0" -source = "git+https://github.com/dnaka91/tokio-tungstenite?branch=rustls-0.20#49d4e0b1a0392ab89f47784d6b15eec5f1633cf8" -dependencies = [ - "futures-util", - "log", - "rustls 0.20.0", - "tokio", - "tokio-rustls 0.23.0", - "tungstenite 0.15.0", - "webpki 0.22.0", - "webpki-roots 0.22.1", + "tungstenite", ] [[package]] @@ -4384,27 +4365,9 @@ checksum = "59547bce71d9c38b83d9c0e92b6066c4253371f15005def0c30d9657f50c7642" [[package]] name = "tungstenite" -version = "0.14.0" +version = "0.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a0b2d8558abd2e276b0a8df5c05a2ec762609344191e5fd23e292c910e9165b5" -dependencies = [ - "base64 0.13.0", - "byteorder", - "bytes", - "http", - "httparse", - "log", - "rand 0.8.4", - "sha-1", - "thiserror", - "url", - "utf-8", -] - -[[package]] -name = "tungstenite" -version = "0.15.0" -source = "git+https://github.com/dnaka91/tungstenite-rs.git?rev=f4bb653aa03665a83bd98068432602f07cd5634b#f4bb653aa03665a83bd98068432602f07cd5634b" +checksum = "6ad3713a14ae247f22a728a0456a545df14acf3867f905adff84be99e23b3ad1" dependencies = [ "base64 0.13.0", "byteorder", @@ -4413,12 +4376,10 @@ dependencies = [ "httparse", "log", "rand 0.8.4", - "rustls 0.20.0", "sha-1", "thiserror", "url", "utf-8", - "webpki 0.22.0", ] [[package]] diff --git a/ext/fetch/Cargo.toml b/ext/fetch/Cargo.toml index ed36e200cf95a..a3408046b017e 100644 --- a/ext/fetch/Cargo.toml +++ b/ext/fetch/Cargo.toml @@ -20,7 +20,7 @@ deno_core = { version = "0.109.0", path = "../../core" } deno_tls = { version = "0.14.0", path = "../tls" } dyn-clone = "1" http = "0.2.4" -reqwest = { version = "0.11.4", default-features = false, features = ["rustls-tls", "stream", "gzip", "brotli"] } +reqwest = { version = "0.11.7", default-features = false, features = ["rustls-tls", "stream", "gzip", "brotli"] } serde = { version = "1.0.129", features = ["derive"] } tokio = { version = "1.10.1", features = ["full"] } tokio-stream = "0.1.7" diff --git a/ext/tls/Cargo.toml b/ext/tls/Cargo.toml index f48b0f7e248af..ceb279d394ee4 100644 --- a/ext/tls/Cargo.toml +++ b/ext/tls/Cargo.toml @@ -16,7 +16,7 @@ path = "lib.rs" [dependencies] deno_core = { version = "0.109.0", path = "../../core" } lazy_static = "1.4.0" -reqwest = { version = "0.11.4", default-features = false, features = ["rustls-tls", "stream", "gzip", "brotli"] } +reqwest = { version = "0.11.7", default-features = false, features = ["rustls-tls", "stream", "gzip", "brotli"] } rustls = { version = "0.20", features = ["dangerous_configuration"] } rustls-native-certs = "0.5.0" rustls-pemfile = "0.2.1" diff --git a/ext/tls/lib.rs b/ext/tls/lib.rs index d2fd7253611fa..5970f10b1b4ff 100644 --- a/ext/tls/lib.rs +++ b/ext/tls/lib.rs @@ -253,7 +253,7 @@ pub fn create_http_client( unsafely_ignore_certificate_errors: Option>, client_cert_chain_and_key: Option<(String, String)>, ) -> Result { - let tls_config = create_client_config( + let mut tls_config = create_client_config( root_cert_store, ca_certs, unsafely_ignore_certificate_errors, diff --git a/ext/websocket/Cargo.toml b/ext/websocket/Cargo.toml index 58387e8a2e4fa..b4563d899ca51 100644 --- a/ext/websocket/Cargo.toml +++ b/ext/websocket/Cargo.toml @@ -21,10 +21,4 @@ hyper = { version = "0.14.12" } serde = { version = "1.0.129", features = ["derive"] } tokio = { version = "1.10.1", features = ["full"] } tokio-rustls = "0.23.0" - -[dependencies.tokio-tungstenite] -version = "0.15.0" -features = ["rustls-tls-webpki-roots"] -# TODO(ry) Waiting for https://github.com/snapview/tokio-tungstenite/pull/198 -git = "https://github.com/dnaka91/tokio-tungstenite" -branch = "rustls-0.20" +tokio-tungstenite = "0.16.0" diff --git a/test_util/Cargo.toml b/test_util/Cargo.toml index b87db229d5941..c545fcfea8c43 100644 --- a/test_util/Cargo.toml +++ b/test_util/Cargo.toml @@ -27,7 +27,7 @@ serde_json = "1.0.65" tempfile = "3.2.0" tokio = { version = "1.10.1", features = ["full"] } tokio-rustls = "0.23" -tokio-tungstenite = "0.15" +tokio-tungstenite = "0.16" [target.'cfg(unix)'.dependencies] pty = "0.2.2" diff --git a/test_util/src/lib.rs b/test_util/src/lib.rs index 872b03d9e8ae9..76f024b4ac6a8 100644 --- a/test_util/src/lib.rs +++ b/test_util/src/lib.rs @@ -359,7 +359,7 @@ async fn get_tls_config( // Allow (but do not require) client authentication. - let mut config = rustls::ServerConfig::builder() + let mut builder = rustls::ServerConfig::builder() .with_safe_defaults() .with_client_cert_verifier( rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new( @@ -367,18 +367,18 @@ async fn get_tls_config( ), ) .with_single_cert(certs, PrivateKey(key)); - + match http_versions { SupportedHttpVersions::All => { - config.with_protocol_versions(&["h2".into(), "http/1.1".into()]); + builder = builder.with_protocol_versions(&["h2".into(), "http/1.1".into()]).unwrap(); } SupportedHttpVersions::Http1Only => {} SupportedHttpVersions::Http2Only => { - config.with_protocol_versions(&["h2".into()]); + builder = builder.with_protocol_versions(&["h2".into()]).unwrap(); } } - config + let config = builder .map_err(|e| { eprintln!("Error setting cert: {:?}", e); }) From e62301d500f9ec29e652f59873a9d6a4b6f8270d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= Date: Wed, 1 Dec 2021 17:20:41 +0100 Subject: [PATCH 06/17] make some progress2 --- Cargo.lock | 6 ++++++ ext/net/ops_tls.rs | 35 ++++------------------------------- ext/websocket/Cargo.toml | 2 +- runtime/ops/http.rs | 2 +- test_util/src/lib.rs | 20 +++++++++----------- 5 files changed, 21 insertions(+), 44 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index ab22bb654c745..98060b33a7c9d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4202,8 +4202,12 @@ checksum = "e057364a4dd37870b33bf8dc1885d29187d90770f488d599d3ee8d9e4916fbd3" dependencies = [ "futures-util", "log", + "rustls 0.20.2", "tokio", + "tokio-rustls", "tungstenite", + "webpki 0.22.0", + "webpki-roots 0.22.1", ] [[package]] @@ -4376,10 +4380,12 @@ dependencies = [ "httparse", "log", "rand 0.8.4", + "rustls 0.20.2", "sha-1", "thiserror", "url", "utf-8", + "webpki 0.22.0", ] [[package]] diff --git a/ext/net/ops_tls.rs b/ext/net/ops_tls.rs index 269bc40b6a84d..237f42c7381c0 100644 --- a/ext/net/ops_tls.rs +++ b/ext/net/ops_tls.rs @@ -135,14 +135,10 @@ impl TlsStream { (rd, wr) } - /* - /// Tokio-rustls compatibility: returns a reference to the underlying TCP - /// stream, and a reference to the Rustls `Session` object. - pub fn get_ref(&self) -> (&TcpStream, &dyn Session) { + pub fn get_ref(&self) -> &TcpStream { let inner = self.0.as_ref().unwrap(); - (&inner.tcp, &*inner.tls) + &inner.tcp } - */ fn inner_mut(&mut self) -> &mut TlsStreamInner { self.0.as_mut().unwrap() @@ -160,7 +156,7 @@ impl TlsStream { self .inner_mut() .tls - .get_alpn_protocol() + .alpn_protocol() .map(|s| ByteString(s.to_owned())) } } @@ -815,12 +811,6 @@ where .map(|s| s.into_bytes()) .collect::>(); - if let Some(path) = cert_file { - let mut buf = Vec::new(); - File::open(path)?.read_to_end(&mut buf)?; - ca_certs.push(buf); - }; - let hostname_dns = ServerName::try_from(hostname).map_err(|_| invalid_hostname(hostname))?; @@ -964,7 +954,7 @@ where None }; - let tls_config = create_client_config( + let mut tls_config = create_client_config( root_cert_store, ca_certs, unsafely_ignore_certificate_errors, @@ -977,23 +967,6 @@ where alpn_protocols.into_iter().map(|s| s.into_bytes()).collect(); } - if args.cert_chain.is_some() || args.private_key.is_some() { - let cert_chain = args - .cert_chain - .ok_or_else(|| type_error("No certificate chain provided"))?; - let private_key = args - .private_key - .ok_or_else(|| type_error("No private key provided"))?; - - // The `remove` is safe because load_private_keys checks that there is at least one key. - let private_key = load_private_keys(private_key.as_bytes())?.remove(0); - - tls_config.set_single_client_cert( - load_certs(&mut cert_chain.as_bytes())?, - private_key, - )?; - } - let tls_config = Arc::new(tls_config); let tls_stream = diff --git a/ext/websocket/Cargo.toml b/ext/websocket/Cargo.toml index b4563d899ca51..1473cdf84d4e0 100644 --- a/ext/websocket/Cargo.toml +++ b/ext/websocket/Cargo.toml @@ -21,4 +21,4 @@ hyper = { version = "0.14.12" } serde = { version = "1.0.129", features = ["derive"] } tokio = { version = "1.10.1", features = ["full"] } tokio-rustls = "0.23.0" -tokio-tungstenite = "0.16.0" +tokio-tungstenite = { version = "0.16.0", features = ["rustls-tls-webpki-roots"] } diff --git a/runtime/ops/http.rs b/runtime/ops/http.rs index fddac92612737..40b39470e476f 100644 --- a/runtime/ops/http.rs +++ b/runtime/ops/http.rs @@ -41,7 +41,7 @@ fn op_http_start( .expect("Only a single use of this resource should happen"); let (read_half, write_half) = resource.into_inner(); let tls_stream = read_half.reunite(write_half); - let addr = tls_stream.get_ref().0.local_addr()?; + let addr = tls_stream.get_ref().local_addr()?; return http_create_conn_resource(state, tls_stream, addr, "https"); } diff --git a/test_util/src/lib.rs b/test_util/src/lib.rs index 76f024b4ac6a8..2b85d6cba59f1 100644 --- a/test_util/src/lib.rs +++ b/test_util/src/lib.rs @@ -359,31 +359,29 @@ async fn get_tls_config( // Allow (but do not require) client authentication. - let mut builder = rustls::ServerConfig::builder() + let mut config = rustls::ServerConfig::builder() .with_safe_defaults() .with_client_cert_verifier( rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new( root_cert_store, ), ) - .with_single_cert(certs, PrivateKey(key)); - + .with_single_cert(certs, PrivateKey(key)) + .map_err(|e| { + eprintln!("Error setting cert: {:?}", e); + }) + .unwrap(); + match http_versions { SupportedHttpVersions::All => { - builder = builder.with_protocol_versions(&["h2".into(), "http/1.1".into()]).unwrap(); + config.alpn_protocols = vec!["h2".into(), "http/1.1".into()]; } SupportedHttpVersions::Http1Only => {} SupportedHttpVersions::Http2Only => { - builder = builder.with_protocol_versions(&["h2".into()]).unwrap(); + config.alpn_protocols = vec!["h2".into()]; } } - let config = builder - .map_err(|e| { - eprintln!("Error setting cert: {:?}", e); - }) - .unwrap(); - Ok(Arc::new(config)) } None => Err(io::Error::new(io::ErrorKind::Other, "Cannot find key")), From c2e4bb798919ddca9531b922b2bbaf7b43c963d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= Date: Wed, 1 Dec 2021 17:27:42 +0100 Subject: [PATCH 07/17] make some progress3 --- cli/proc_state.rs | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/cli/proc_state.rs b/cli/proc_state.rs index b62cdc464a173..25d046cb88f8f 100644 --- a/cli/proc_state.rs +++ b/cli/proc_state.rs @@ -41,9 +41,10 @@ use deno_runtime::deno_broadcast_channel::InMemoryBroadcastChannel; use deno_runtime::deno_web::BlobStore; use deno_runtime::inspector_server::InspectorServer; use deno_runtime::permissions::Permissions; +use deno_tls::rustls; use deno_tls::rustls::RootCertStore; use deno_tls::rustls_native_certs::load_native_certs; -use deno_tls::webpki_roots::TLS_SERVER_ROOTS; +use deno_tls::webpki_roots; use import_map::ImportMap; use std::collections::BTreeMap; use std::collections::HashMap; @@ -206,7 +207,15 @@ impl ProcState { for store in ca_stores.iter() { match store.as_str() { "mozilla" => { - root_cert_store.add_server_trust_anchors(&TLS_SERVER_ROOTS); + root_cert_store.add_server_trust_anchors( + deno_tls::webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| { + deno_tls::rustls::OwnedTrustAnchor::from_subject_spki_name_constraints( + ta.subject, + ta.spki, + ta.name_constraints, + ) + }), + ); } "system" => { let roots = load_native_certs() From 893be174e1451da6cf94e12c499179d582aa5b6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= Date: Wed, 1 Dec 2021 18:23:19 +0100 Subject: [PATCH 08/17] builds --- Cargo.lock | 43 ++++++++++--------------------------------- cli/proc_state.rs | 28 ++++++++++++++++++++-------- cli/standalone.rs | 13 +++++++++++-- ext/tls/Cargo.toml | 2 +- ext/tls/lib.rs | 1 + 5 files changed, 43 insertions(+), 44 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 98060b33a7c9d..0eaff08203df8 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -956,7 +956,7 @@ dependencies = [ "deno_core", "lazy_static", "reqwest", - "rustls 0.20.2", + "rustls", "rustls-native-certs", "rustls-pemfile", "serde", @@ -1800,7 +1800,7 @@ checksum = "d87c48c02e0dc5e3b849a2041db3029fd066650f8f717c07bf8ed78ccb895cac" dependencies = [ "http", "hyper", - "rustls 0.20.2", + "rustls", "tokio", "tokio-rustls", ] @@ -2974,7 +2974,7 @@ dependencies = [ "mime", "percent-encoding", "pin-project-lite", - "rustls 0.20.2", + "rustls", "rustls-pemfile", "serde", "serde_json", @@ -3091,19 +3091,6 @@ dependencies = [ "semver 0.11.0", ] -[[package]] -name = "rustls" -version = "0.19.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35edb675feee39aec9c99fa5ff985081995a06d594114ae14cbe797ad7b7a6d7" -dependencies = [ - "base64 0.13.0", - "log", - "ring", - "sct 0.6.1", - "webpki 0.21.4", -] - [[package]] name = "rustls" version = "0.20.2" @@ -3112,18 +3099,18 @@ checksum = "d37e5e2290f3e040b594b1a9e04377c2c671f1a1cfd9bfdef82106ac1c113f84" dependencies = [ "log", "ring", - "sct 0.7.0", + "sct", "webpki 0.22.0", ] [[package]] name = "rustls-native-certs" -version = "0.5.0" +version = "0.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a07b7c1885bd8ed3831c289b7870b13ef46fe0e856d288c30d9cc17d75a2092" +checksum = "5ca9ebdfa27d3fc180e42879037b5338ab1c040c06affd00d8338598e7800943" dependencies = [ "openssl-probe", - "rustls 0.19.1", + "rustls-pemfile", "schannel", "security-framework", ] @@ -3207,16 +3194,6 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" -[[package]] -name = "sct" -version = "0.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b362b83898e0e69f38515b82ee15aa80636befe47c3b6d3d89a911e78fc228ce" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "sct" version = "0.7.0" @@ -4178,7 +4155,7 @@ version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d49194a46b06a69f2498a34a595ab4a9c1babd2642ffa3dbccf6c6778d1426f2" dependencies = [ - "rustls 0.20.2", + "rustls", "tokio", "webpki 0.22.0", ] @@ -4202,7 +4179,7 @@ checksum = "e057364a4dd37870b33bf8dc1885d29187d90770f488d599d3ee8d9e4916fbd3" dependencies = [ "futures-util", "log", - "rustls 0.20.2", + "rustls", "tokio", "tokio-rustls", "tungstenite", @@ -4380,7 +4357,7 @@ dependencies = [ "httparse", "log", "rand 0.8.4", - "rustls 0.20.2", + "rustls", "sha-1", "thiserror", "url", diff --git a/cli/proc_state.rs b/cli/proc_state.rs index 25d046cb88f8f..e17ddc0dc69b2 100644 --- a/cli/proc_state.rs +++ b/cli/proc_state.rs @@ -44,6 +44,7 @@ use deno_runtime::permissions::Permissions; use deno_tls::rustls; use deno_tls::rustls::RootCertStore; use deno_tls::rustls_native_certs::load_native_certs; +use deno_tls::rustls_pemfile; use deno_tls::webpki_roots; use import_map::ImportMap; use std::collections::BTreeMap; @@ -208,8 +209,8 @@ impl ProcState { match store.as_str() { "mozilla" => { root_cert_store.add_server_trust_anchors( - deno_tls::webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| { - deno_tls::rustls::OwnedTrustAnchor::from_subject_spki_name_constraints( + webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| { + rustls::OwnedTrustAnchor::from_subject_spki_name_constraints( ta.subject, ta.spki, ta.name_constraints, @@ -218,10 +219,13 @@ impl ProcState { ); } "system" => { - let roots = load_native_certs() - .expect("could not load platform certs") - .roots; - root_cert_store.roots.extend(roots); + let roots = + load_native_certs().expect("could not load platform certs"); + for root in roots { + root_cert_store + .add(&rustls::Certificate(root.0)) + .expect("Failed to add platform cert to root cert store"); + } } _ => { return Err(anyhow!("Unknown certificate store \"{}\" specified (allowed: \"system,mozilla\")", store)); @@ -235,8 +239,16 @@ impl ProcState { let mut reader = BufReader::new(certfile); // This function does not return specific errors, if it fails give a generic message. - if let Err(_err) = root_cert_store.add_pem_file(&mut reader) { - return Err(anyhow!("Unable to add pem file to certificate store")); + match rustls_pemfile::certs(&mut reader) { + Ok(certs) => { + root_cert_store.add_parsable_certificates(&certs); + } + Err(e) => { + return Err(anyhow!( + "Unable to add pem file to certificate store: {}", + e + )); + } } } diff --git a/cli/standalone.rs b/cli/standalone.rs index 92e7dfbae0b36..208c7a7ce0346 100644 --- a/cli/standalone.rs +++ b/cli/standalone.rs @@ -28,6 +28,7 @@ use deno_runtime::worker::MainWorker; use deno_runtime::worker::WorkerOptions; use deno_runtime::BootstrapOptions; use deno_tls::create_default_root_cert_store; +use deno_tls::rustls_pemfile; use log::Level; use std::env::current_exe; use std::fs::File; @@ -222,8 +223,16 @@ pub async fn run( if let Some(cert) = metadata.ca_data { let reader = &mut BufReader::new(Cursor::new(cert)); // This function does not return specific errors, if it fails give a generic message. - if let Err(_err) = root_cert_store.add_pem_file(reader) { - return Err(anyhow!("Unable to add pem file to certificate store")); + match rustls_pemfile::certs(reader) { + Ok(certs) => { + root_cert_store.add_parsable_certificates(&certs); + } + Err(e) => { + return Err(anyhow!( + "Unable to add pem file to certificate store: {}", + e + )); + } } } diff --git a/ext/tls/Cargo.toml b/ext/tls/Cargo.toml index ceb279d394ee4..25ea3bb5d761d 100644 --- a/ext/tls/Cargo.toml +++ b/ext/tls/Cargo.toml @@ -18,7 +18,7 @@ deno_core = { version = "0.109.0", path = "../../core" } lazy_static = "1.4.0" reqwest = { version = "0.11.7", default-features = false, features = ["rustls-tls", "stream", "gzip", "brotli"] } rustls = { version = "0.20", features = ["dangerous_configuration"] } -rustls-native-certs = "0.5.0" +rustls-native-certs = "0.6.1" rustls-pemfile = "0.2.1" serde = { version = "1.0.129", features = ["derive"] } webpki = "0.22" diff --git a/ext/tls/lib.rs b/ext/tls/lib.rs index 5970f10b1b4ff..bb408b2acfe83 100644 --- a/ext/tls/lib.rs +++ b/ext/tls/lib.rs @@ -3,6 +3,7 @@ pub use reqwest; pub use rustls; pub use rustls_native_certs; +pub use rustls_pemfile; pub use webpki; pub use webpki_roots; From 99f5c908cb2b881ade72a9a1e7aeae6e83a76210 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= Date: Wed, 1 Dec 2021 18:43:17 +0100 Subject: [PATCH 09/17] maybe done? --- cli/tests/integration/mod.rs | 39 +++++++++++++++++++++--------------- ext/net/ops_tls.rs | 4 ++-- runtime/ops/http.rs | 2 +- 3 files changed, 26 insertions(+), 19 deletions(-) diff --git a/cli/tests/integration/mod.rs b/cli/tests/integration/mod.rs index cfb9509012f53..1ca7eac00e434 100644 --- a/cli/tests/integration/mod.rs +++ b/cli/tests/integration/mod.rs @@ -5,7 +5,7 @@ use deno_core::url; use deno_runtime::deno_fetch::reqwest; use deno_runtime::deno_net::ops_tls::TlsStream; use deno_runtime::deno_tls::rustls; -use deno_runtime::deno_tls::webpki; +use deno_runtime::deno_tls::rustls_pemfile; use std::fs; use std::io::BufReader; use std::io::Cursor; @@ -1149,26 +1149,30 @@ async fn listen_tls_alpn() { let msg = std::str::from_utf8(&buffer).unwrap(); assert_eq!(msg, "READY"); - let mut cfg = rustls::ClientConfig::new(); - let reader = &mut BufReader::new(Cursor::new(include_bytes!( + let mut reader = &mut BufReader::new(Cursor::new(include_bytes!( "../testdata/tls/RootCA.crt" ))); - cfg.root_store.add_pem_file(reader).unwrap(); + let certs = rustls_pemfile::certs(&mut reader).unwrap(); + let mut root_store = rustls::RootCertStore::empty(); + root_store.add_parsable_certificates(&certs); + let mut cfg = rustls::ClientConfig::builder() + .with_safe_defaults() + .with_root_certificates(root_store) + .with_no_client_auth(); cfg.alpn_protocols.push("foobar".as_bytes().to_vec()); let cfg = Arc::new(cfg); - let hostname = - webpki::DNSNameRef::try_from_ascii_str("localhost").unwrap(); + let hostname = rustls::ServerName::try_from("localhost").unwrap(); let tcp_stream = tokio::net::TcpStream::connect("localhost:4504") .await .unwrap(); let mut tls_stream = - TlsStream::new_client_side(tcp_stream, &cfg, hostname); + TlsStream::new_client_side(tcp_stream, cfg, hostname); tls_stream.handshake().await.unwrap(); let (_, session) = tls_stream.get_ref(); - let alpn = session.get_alpn_protocol().unwrap(); + let alpn = session.alpn_protocol().unwrap(); assert_eq!(std::str::from_utf8(alpn).unwrap(), "foobar"); child.kill().unwrap(); @@ -1202,26 +1206,29 @@ async fn listen_tls_alpn_fail() { let msg = std::str::from_utf8(&buffer).unwrap(); assert_eq!(msg, "READY"); - let mut cfg = rustls::ClientConfig::new(); - let reader = &mut BufReader::new(Cursor::new(include_bytes!( + let mut reader = &mut BufReader::new(Cursor::new(include_bytes!( "../testdata/tls/RootCA.crt" ))); - cfg.root_store.add_pem_file(reader).unwrap(); + let certs = rustls_pemfile::certs(&mut reader).unwrap(); + let mut root_store = rustls::RootCertStore::empty(); + root_store.add_parsable_certificates(&certs); + let mut cfg = rustls::ClientConfig::builder() + .with_safe_defaults() + .with_root_certificates(root_store) + .with_no_client_auth(); cfg.alpn_protocols.push("boofar".as_bytes().to_vec()); let cfg = Arc::new(cfg); - let hostname = - webpki::DNSNameRef::try_from_ascii_str("localhost").unwrap(); - + let hostname = rustls::ServerName::try_from("localhost").unwrap(); let tcp_stream = tokio::net::TcpStream::connect("localhost:4505") .await .unwrap(); let mut tls_stream = - TlsStream::new_client_side(tcp_stream, &cfg, hostname); + TlsStream::new_client_side(tcp_stream, cfg, hostname); tls_stream.handshake().await.unwrap(); let (_, session) = tls_stream.get_ref(); - assert!(session.get_alpn_protocol().is_none()); + assert!(session.alpn_protocol().is_none()); child.kill().unwrap(); child.wait().unwrap(); diff --git a/ext/net/ops_tls.rs b/ext/net/ops_tls.rs index 237f42c7381c0..054b4ee0faaa1 100644 --- a/ext/net/ops_tls.rs +++ b/ext/net/ops_tls.rs @@ -135,9 +135,9 @@ impl TlsStream { (rd, wr) } - pub fn get_ref(&self) -> &TcpStream { + pub fn get_ref(&self) -> (&TcpStream, &Connection) { let inner = self.0.as_ref().unwrap(); - &inner.tcp + (&inner.tcp, &inner.tls) } fn inner_mut(&mut self) -> &mut TlsStreamInner { diff --git a/runtime/ops/http.rs b/runtime/ops/http.rs index 40b39470e476f..fddac92612737 100644 --- a/runtime/ops/http.rs +++ b/runtime/ops/http.rs @@ -41,7 +41,7 @@ fn op_http_start( .expect("Only a single use of this resource should happen"); let (read_half, write_half) = resource.into_inner(); let tls_stream = read_half.reunite(write_half); - let addr = tls_stream.get_ref().local_addr()?; + let addr = tls_stream.get_ref().0.local_addr()?; return http_create_conn_resource(state, tls_stream, addr, "https"); } From 3d21610690445b0c709c1b7bd26552cb15b7fd8c Mon Sep 17 00:00:00 2001 From: Ryan Dahl Date: Wed, 1 Dec 2021 17:18:06 -0500 Subject: [PATCH 10/17] fix integration::localhost_unsafe_ssl --- cli/tests/testdata/localhost_unsafe_ssl.ts.out | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cli/tests/testdata/localhost_unsafe_ssl.ts.out b/cli/tests/testdata/localhost_unsafe_ssl.ts.out index 66c19941753cb..0bfaeb25d1be0 100644 --- a/cli/tests/testdata/localhost_unsafe_ssl.ts.out +++ b/cli/tests/testdata/localhost_unsafe_ssl.ts.out @@ -1,3 +1,3 @@ DANGER: TLS certificate validation is disabled for: deno.land -error: error sending request for url (https://localhost:5545/subdir/mod2.ts): error trying to connect: invalid certificate: UnknownIssuer +error: error sending request for url (https://localhost:5545/subdir/mod2.ts): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer at file:///[WILDCARD]/cafile_url_imports.ts:[WILDCARD] From f2bc3f868773cee0f0161b6f923ebbc5a42af6f5 Mon Sep 17 00:00:00 2001 From: Bert Belder Date: Wed, 1 Dec 2021 17:16:12 -0800 Subject: [PATCH 11/17] partial fix --- ext/net/ops_tls.rs | 61 +++++++++++++++++----------------------------- 1 file changed, 23 insertions(+), 38 deletions(-) diff --git a/ext/net/ops_tls.rs b/ext/net/ops_tls.rs index 054b4ee0faaa1..e53b00875feec 100644 --- a/ext/net/ops_tls.rs +++ b/ext/net/ops_tls.rs @@ -305,54 +305,39 @@ impl TlsStreamInner { _ => break true, } + // Interpret and decrypt unprocessed TLS protocol data. if self.rd_state < State::TlsClosed { - // Do a zero-length plaintext read so we can detect the arrival of - // 'CloseNotify' messages, even if only the write half is open. - // Actually reading data from the socket is done in `poll_read()`. - match self.tls.reader().read(&mut []) { - Ok(0) => {} - Err(err) if err.kind() == ErrorKind::ConnectionAborted => { - // `Session::read()` returns `ConnectionAborted` when a - // 'CloseNotify' alert has been received, which indicates that - // the remote peer wants to gracefully end the TLS session. + match self.tls.process_new_packets() { + Ok(r) if r.plaintext_bytes_to_read() > 0 => continue, + Ok(r) if r.peer_has_closed() => { self.rd_state = State::TlsClosed; continue; } - Err(err) => return Poll::Ready(Err(err)), - _ => unreachable!(), + Ok(_) => {} + Err(err) => { + self.rd_state = State::TlsError; + return Poll::Ready(Err(Error::new(ErrorKind::InvalidData, err))); + } } } - if self.rd_state != State::TlsError { - // Receive ciphertext from the socket. - let mut wrapped_tcp = ImplementReadTrait(&mut self.tcp); - match self.tls.read_tls(&mut wrapped_tcp) { - Ok(0) => { - // End of TCP stream. - self.rd_state = State::TcpClosed; - continue; - } - Err(err) if err.kind() == ErrorKind::WouldBlock => { - // Get notified when more ciphertext becomes available in the - // socket receive buffer. - if self.tcp.poll_read_ready(cx)?.is_pending() { - break false; - } else { - continue; - } - } - Err(err) => return Poll::Ready(Err(err)), - _ => {} + // Try to read more TLS protocol data from the TCP socket. + let mut wrapped_tcp = ImplementReadTrait(&mut self.tcp); + match self.tls.read_tls(&mut wrapped_tcp) { + Ok(0) => { + // End of TCP stream. + self.rd_state = State::TcpClosed; + continue; } + Ok(_) => continue, + Err(err) if err.kind() == ErrorKind::WouldBlock => {} + Err(err) => return Poll::Ready(Err(err)), } - // Interpret and decrypt TLS protocol data. - match self.tls.process_new_packets() { - Ok(_) => assert!(self.rd_state < State::TcpClosed), - Err(err) => { - self.rd_state = State::TlsError; - return Poll::Ready(Err(Error::new(ErrorKind::InvalidData, err))); - } + // Get notified when more ciphertext becomes available to read from the + // TCP socket. + if self.tcp.poll_read_ready(cx)?.is_pending() { + break false; } }; From 9b219251b5a8fdcdd4825edf1ab5316db3970e03 Mon Sep 17 00:00:00 2001 From: Bert Belder Date: Thu, 2 Dec 2021 17:58:23 -0800 Subject: [PATCH 12/17] finish state machine fix --- ext/net/ops_tls.rs | 59 +++++++++++++++++++++------------------------- 1 file changed, 27 insertions(+), 32 deletions(-) diff --git a/ext/net/ops_tls.rs b/ext/net/ops_tls.rs index e53b00875feec..12425bdc92cfa 100644 --- a/ext/net/ops_tls.rs +++ b/ext/net/ops_tls.rs @@ -89,7 +89,6 @@ enum State { StreamClosed, TlsClosing, TlsClosed, - TlsError, TcpClosed, } @@ -97,7 +96,9 @@ enum State { pub struct TlsStream(Option); impl TlsStream { - fn new(tcp: TcpStream, tls: Connection) -> Self { + fn new(tcp: TcpStream, mut tls: Connection) -> Self { + tls.set_buffer_limit(None); + let inner = TlsStreamInner { tcp, tls, @@ -112,18 +113,16 @@ impl TlsStream { tls_config: Arc, server_name: ServerName, ) -> Self { - let tls = Connection::Client( - ClientConnection::new(tls_config, server_name).unwrap(), - ); - Self::new(tcp, tls) + let tls = ClientConnection::new(tls_config, server_name).unwrap(); + Self::new(tcp, Connection::Client(tls)) } pub fn new_server_side( tcp: TcpStream, tls_config: Arc, ) -> Self { - let tls = Connection::Server(ServerConnection::new(tls_config).unwrap()); - Self::new(tcp, tls) + let tls = ServerConnection::new(tls_config).unwrap(); + Self::new(tcp, Connection::Server(tls)) } fn into_split(self) -> (ReadHalf, WriteHalf) { @@ -235,7 +234,7 @@ impl TlsStreamInner { State::StreamOpen if !self.tls.wants_write() => break true, State::StreamClosed => { // Rustls will enqueue the 'CloseNotify' alert and send it after - // flusing the data that is already in the queue. + // flushing the data that is already in the queue. self.tls.send_close_notify(); self.wr_state = State::TlsClosing; continue; @@ -278,19 +277,30 @@ impl TlsStreamInner { }; let rd_ready = loop { + // Interpret and decrypt unprocessed TLS protocol data. + let tls_state = self + .tls + .process_new_packets() + .map_err(|e| Error::new(ErrorKind::InvalidData, e))?; + match self.rd_state { State::TcpClosed if self.tls.is_handshaking() => { let err = Error::new(ErrorKind::UnexpectedEof, "tls handshake eof"); return Poll::Ready(Err(err)); } - State::TlsError => {} _ if self.tls.is_handshaking() && !self.tls.wants_read() => { break true; } _ if self.tls.is_handshaking() => {} - State::StreamOpen if !self.tls.wants_read() => break true, + State::StreamOpen if tls_state.plaintext_bytes_to_read() > 0 => { + break true; + } + State::StreamOpen if tls_state.peer_has_closed() => { + self.rd_state = State::TlsClosed; + continue; + } State::StreamOpen => {} - State::StreamClosed if !self.tls.wants_read() => { + State::StreamClosed if tls_state.plaintext_bytes_to_read() > 0 => { // Rustls has more incoming cleartext buffered up, but the TLS // session is closing so this data will never be processed by the // application layer. Just like what would happen if this were a raw @@ -299,33 +309,18 @@ impl TlsStreamInner { } State::StreamClosed => {} State::TlsClosed if self.wr_state == State::TcpClosed => { - // Wait for the remote end to gracefully close the TCP connection. - // TODO(piscisaureus): this is unnecessary; remove when stable. - } - _ => break true, - } - - // Interpret and decrypt unprocessed TLS protocol data. - if self.rd_state < State::TlsClosed { - match self.tls.process_new_packets() { - Ok(r) if r.plaintext_bytes_to_read() > 0 => continue, - Ok(r) if r.peer_has_closed() => { - self.rd_state = State::TlsClosed; - continue; - } - Ok(_) => {} - Err(err) => { - self.rd_state = State::TlsError; - return Poll::Ready(Err(Error::new(ErrorKind::InvalidData, err))); - } + // Keep trying to read from the TCP connection until the remote end + // closes it gracefully. } + State::TlsClosed => break true, + State::TcpClosed => break true, + _ => unreachable!(), } // Try to read more TLS protocol data from the TCP socket. let mut wrapped_tcp = ImplementReadTrait(&mut self.tcp); match self.tls.read_tls(&mut wrapped_tcp) { Ok(0) => { - // End of TCP stream. self.rd_state = State::TcpClosed; continue; } From 77e4947c96be53cb1d9ff87796becf4993ceccaa Mon Sep 17 00:00:00 2001 From: Bert Belder Date: Thu, 2 Dec 2021 18:10:16 -0800 Subject: [PATCH 13/17] clean up --- ext/net/ops_tls.rs | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/ext/net/ops_tls.rs b/ext/net/ops_tls.rs index 12425bdc92cfa..65d46d13c7297 100644 --- a/ext/net/ops_tls.rs +++ b/ext/net/ops_tls.rs @@ -92,7 +92,6 @@ enum State { TcpClosed, } -//#[derive(Debug)] pub struct TlsStream(Option); impl TlsStream { @@ -134,6 +133,8 @@ impl TlsStream { (rd, wr) } + /// Tokio-rustls compatibility: returns a reference to the underlying TCP + /// stream, and a reference to the Rustls `Connection` object. pub fn get_ref(&self) -> (&TcpStream, &Connection) { let inner = self.0.as_ref().unwrap(); (&inner.tcp, &inner.tls) @@ -210,7 +211,6 @@ impl Drop for TlsStream { } } -// #[derive(Debug)] pub struct TlsStreamInner { tls: Connection, tcp: TcpStream, @@ -451,7 +451,6 @@ impl TlsStreamInner { } } -// #[derive(Debug)] pub struct ReadHalf { shared: Arc, } @@ -482,7 +481,6 @@ impl AsyncRead for ReadHalf { } } -// #[derive(Debug)] pub struct WriteHalf { shared: Arc, } @@ -536,7 +534,6 @@ impl AsyncWrite for WriteHalf { } } -// #[derive(Debug)] struct Shared { tls_stream: Mutex, rd_waker: AtomicWaker, From fdef8bd22a334350d875280b0a168390af47f852 Mon Sep 17 00:00:00 2001 From: Bert Belder Date: Fri, 3 Dec 2021 16:09:06 -0800 Subject: [PATCH 14/17] Fix ALPN tests --- cli/tests/integration/mod.rs | 40 ++++++++++------------ cli/tests/testdata/listen_tls_alpn.ts | 8 +++-- cli/tests/testdata/listen_tls_alpn_fail.ts | 24 +++++++++++++ 3 files changed, 48 insertions(+), 24 deletions(-) create mode 100644 cli/tests/testdata/listen_tls_alpn_fail.ts diff --git a/cli/tests/integration/mod.rs b/cli/tests/integration/mod.rs index 1ca7eac00e434..65fc5d0f8caea 100644 --- a/cli/tests/integration/mod.rs +++ b/cli/tests/integration/mod.rs @@ -1143,11 +1143,10 @@ async fn listen_tls_alpn() { .spawn() .unwrap(); let stdout = child.stdout.as_mut().unwrap(); - let mut buffer = [0; 5]; - let read = stdout.read(&mut buffer).unwrap(); + let mut msg = [0; 5]; + let read = stdout.read(&mut msg).unwrap(); assert_eq!(read, 5); - let msg = std::str::from_utf8(&buffer).unwrap(); - assert_eq!(msg, "READY"); + assert_eq!(&msg, b"READY"); let mut reader = &mut BufReader::new(Cursor::new(include_bytes!( "../testdata/tls/RootCA.crt" @@ -1159,7 +1158,7 @@ async fn listen_tls_alpn() { .with_safe_defaults() .with_root_certificates(root_store) .with_no_client_auth(); - cfg.alpn_protocols.push("foobar".as_bytes().to_vec()); + cfg.alpn_protocols.push(b"foobar".to_vec()); let cfg = Arc::new(cfg); let hostname = rustls::ServerName::try_from("localhost").unwrap(); @@ -1170,13 +1169,13 @@ async fn listen_tls_alpn() { let mut tls_stream = TlsStream::new_client_side(tcp_stream, cfg, hostname); tls_stream.handshake().await.unwrap(); - let (_, session) = tls_stream.get_ref(); - let alpn = session.alpn_protocol().unwrap(); - assert_eq!(std::str::from_utf8(alpn).unwrap(), "foobar"); + let (_, rustls_connection) = tls_stream.get_ref(); + let alpn = rustls_connection.alpn_protocol().unwrap(); + assert_eq!(alpn, b"foobar"); - child.kill().unwrap(); - child.wait().unwrap(); + let status = child.wait().unwrap(); + assert!(status.success()); }) .await; } @@ -1194,17 +1193,16 @@ async fn listen_tls_alpn_fail() { .arg("--quiet") .arg("--allow-net") .arg("--allow-read") - .arg("./listen_tls_alpn.ts") + .arg("./listen_tls_alpn_fail.ts") .arg("4505") .stdout(std::process::Stdio::piped()) .spawn() .unwrap(); let stdout = child.stdout.as_mut().unwrap(); - let mut buffer = [0; 5]; - let read = stdout.read(&mut buffer).unwrap(); + let mut msg = [0; 5]; + let read = stdout.read(&mut msg).unwrap(); assert_eq!(read, 5); - let msg = std::str::from_utf8(&buffer).unwrap(); - assert_eq!(msg, "READY"); + assert_eq!(&msg, b"READY"); let mut reader = &mut BufReader::new(Cursor::new(include_bytes!( "../testdata/tls/RootCA.crt" @@ -1216,7 +1214,7 @@ async fn listen_tls_alpn_fail() { .with_safe_defaults() .with_root_certificates(root_store) .with_no_client_auth(); - cfg.alpn_protocols.push("boofar".as_bytes().to_vec()); + cfg.alpn_protocols.push(b"boofar".to_vec()); let cfg = Arc::new(cfg); let hostname = rustls::ServerName::try_from("localhost").unwrap(); @@ -1225,13 +1223,13 @@ async fn listen_tls_alpn_fail() { .unwrap(); let mut tls_stream = TlsStream::new_client_side(tcp_stream, cfg, hostname); - tls_stream.handshake().await.unwrap(); - let (_, session) = tls_stream.get_ref(); + tls_stream.handshake().await.unwrap_err(); - assert!(session.alpn_protocol().is_none()); + let (_, rustls_connection) = tls_stream.get_ref(); + assert!(rustls_connection.alpn_protocol().is_none()); - child.kill().unwrap(); - child.wait().unwrap(); + let status = child.wait().unwrap(); + assert!(status.success()); }) .await; } diff --git a/cli/tests/testdata/listen_tls_alpn.ts b/cli/tests/testdata/listen_tls_alpn.ts index 5d58065d99fc2..b3ade686ed22e 100644 --- a/cli/tests/testdata/listen_tls_alpn.ts +++ b/cli/tests/testdata/listen_tls_alpn.ts @@ -7,6 +7,8 @@ const listener = Deno.listenTls({ console.log("READY"); -for await (const conn of listener) { - conn.close(); -} +const conn = await listener.accept() as Deno.TlsConn; +await conn.handshake(); +conn.close(); + +listener.close(); diff --git a/cli/tests/testdata/listen_tls_alpn_fail.ts b/cli/tests/testdata/listen_tls_alpn_fail.ts new file mode 100644 index 0000000000000..039c6568764e5 --- /dev/null +++ b/cli/tests/testdata/listen_tls_alpn_fail.ts @@ -0,0 +1,24 @@ +import { + assertEquals, + assertRejects, + assertThrows, +} from "../../../test_util/std/testing/asserts.ts"; + +const listener = Deno.listenTls({ + port: Number(Deno.args[0]), + certFile: "./tls/localhost.crt", + keyFile: "./tls/localhost.key", + alpnProtocols: ["h2", "http/1.1", "foobar"], +}); + +console.log("READY"); + +const conn = await listener.accept() as Deno.TlsConn; +await assertRejects( + () => conn.handshake(), + Deno.errors.InvalidData, + "peer doesn't support any known protocol", +); +conn.close(); + +listener.close(); From 92f26ea9c924601f68680152dcb2d775df7a9b5f Mon Sep 17 00:00:00 2001 From: Bert Belder Date: Fri, 3 Dec 2021 16:17:41 -0800 Subject: [PATCH 15/17] lint --- cli/tests/integration/mod.rs | 3 +++ cli/tests/testdata/listen_tls_alpn_fail.ts | 6 +----- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/cli/tests/integration/mod.rs b/cli/tests/integration/mod.rs index 65fc5d0f8caea..9cd1b2c11d748 100644 --- a/cli/tests/integration/mod.rs +++ b/cli/tests/integration/mod.rs @@ -1168,6 +1168,7 @@ async fn listen_tls_alpn() { .unwrap(); let mut tls_stream = TlsStream::new_client_side(tcp_stream, cfg, hostname); + tls_stream.handshake().await.unwrap(); let (_, rustls_connection) = tls_stream.get_ref(); @@ -1218,11 +1219,13 @@ async fn listen_tls_alpn_fail() { let cfg = Arc::new(cfg); let hostname = rustls::ServerName::try_from("localhost").unwrap(); + let tcp_stream = tokio::net::TcpStream::connect("localhost:4505") .await .unwrap(); let mut tls_stream = TlsStream::new_client_side(tcp_stream, cfg, hostname); + tls_stream.handshake().await.unwrap_err(); let (_, rustls_connection) = tls_stream.get_ref(); diff --git a/cli/tests/testdata/listen_tls_alpn_fail.ts b/cli/tests/testdata/listen_tls_alpn_fail.ts index 039c6568764e5..04f9ec11f59fe 100644 --- a/cli/tests/testdata/listen_tls_alpn_fail.ts +++ b/cli/tests/testdata/listen_tls_alpn_fail.ts @@ -1,8 +1,4 @@ -import { - assertEquals, - assertRejects, - assertThrows, -} from "../../../test_util/std/testing/asserts.ts"; +import { assertRejects } from "../../../test_util/std/testing/asserts.ts"; const listener = Deno.listenTls({ port: Number(Deno.args[0]), From 8aaefb7fa2b0028d29438fc28949c1084a8489ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= Date: Sat, 4 Dec 2021 14:02:49 +0100 Subject: [PATCH 16/17] reorganize duplicated code --- ext/tls/lib.rs | 74 ++++++++++++++++++++++++++++++-------------------- 1 file changed, 44 insertions(+), 30 deletions(-) diff --git a/ext/tls/lib.rs b/ext/tls/lib.rs index 5e11f25385bb9..bcaf0f1be12d6 100644 --- a/ext/tls/lib.rs +++ b/ext/tls/lib.rs @@ -67,7 +67,9 @@ impl ServerCertVerifier for NoCertificateVerification { ) } } else { - todo!() + // NOTE(bartlomieju): `ServerName` is a non-exhaustive enum + // so we have this catch all error here. + Err(Error::General("Unknown `ServerName` variant".to_string())) } } } @@ -133,27 +135,42 @@ pub fn create_client_config( unsafely_ignore_certificate_errors: Option>, client_cert_chain_and_key: Option<(String, String)>, ) -> Result { - let b = ClientConfig::builder().with_safe_defaults(); + let maybe_cert_chain_and_key = + if let Some((cert_chain, private_key)) = client_cert_chain_and_key { + // The `remove` is safe because load_private_keys checks that there is at least one key. + let private_key = load_private_keys(private_key.as_bytes())?.remove(0); + let cert_chain = load_certs(&mut cert_chain.as_bytes())?; + Some((cert_chain, private_key)) + } else { + None + }; if let Some(ic_allowlist) = unsafely_ignore_certificate_errors { - let b = b.with_custom_certificate_verifier(Arc::new( - NoCertificateVerification(ic_allowlist), - )); - - // TODO(ry) DUPLICATED CODE HERE. - Ok( - if let Some((cert_chain, private_key)) = client_cert_chain_and_key { - // The `remove` is safe because load_private_keys checks that there is at least one key. - let private_key = load_private_keys(private_key.as_bytes())?.remove(0); - - b.with_single_cert(load_certs(&mut cert_chain.as_bytes())?, private_key) + let client_config = ClientConfig::builder() + .with_safe_defaults() + .with_custom_certificate_verifier(Arc::new(NoCertificateVerification( + ic_allowlist, + ))); + + // NOTE(bartlomieju): this if/else is duplicated at the end of the body of this function. + // However it's not really feasible to deduplicate it as the `client_config` instances + // are not type-compatible - one wants "client cert", the other wants "transparency policy + // or client cert". + let client = + if let Some((cert_chain, private_key)) = maybe_cert_chain_and_key { + client_config + .with_single_cert(cert_chain, private_key) .expect("invalid client key or certificate") } else { - b.with_no_client_auth() - }, - ) - } else { - let b = b.with_root_certificates({ + client_config.with_no_client_auth() + }; + + return Ok(client); + } + + let client_config = ClientConfig::builder() + .with_safe_defaults() + .with_root_certificates({ let mut root_cert_store = root_cert_store.unwrap_or_else(create_default_root_cert_store); // If custom certs are specified, add them to the store @@ -175,19 +192,16 @@ pub fn create_client_config( root_cert_store }); - // TODO(ry) DUPLICATED CODE HERE. - Ok( - if let Some((cert_chain, private_key)) = client_cert_chain_and_key { - // The `remove` is safe because load_private_keys checks that there is at least one key. - let private_key = load_private_keys(private_key.as_bytes())?.remove(0); + let client = if let Some((cert_chain, private_key)) = maybe_cert_chain_and_key + { + client_config + .with_single_cert(cert_chain, private_key) + .expect("invalid client key or certificate") + } else { + client_config.with_no_client_auth() + }; - b.with_single_cert(load_certs(&mut cert_chain.as_bytes())?, private_key) - .expect("invalid client key or certificate") - } else { - b.with_no_client_auth() - }, - ) - } + Ok(client) } pub fn load_certs( From 6f2e099743c7fbfe21624a2ccebe7bbe1183bc08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= Date: Tue, 7 Dec 2021 00:13:11 +0100 Subject: [PATCH 17/17] Bert's review --- cli/proc_state.rs | 1 - cli/standalone.rs | 1 - test_util/src/lib.rs | 3 ++- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/cli/proc_state.rs b/cli/proc_state.rs index 7d734b4152a73..220138e6f4cc5 100644 --- a/cli/proc_state.rs +++ b/cli/proc_state.rs @@ -238,7 +238,6 @@ impl ProcState { let certfile = File::open(&ca_file)?; let mut reader = BufReader::new(certfile); - // This function does not return specific errors, if it fails give a generic message. match rustls_pemfile::certs(&mut reader) { Ok(certs) => { root_cert_store.add_parsable_certificates(&certs); diff --git a/cli/standalone.rs b/cli/standalone.rs index 2417c1e73b9b6..47b0e2aa8fb11 100644 --- a/cli/standalone.rs +++ b/cli/standalone.rs @@ -222,7 +222,6 @@ pub async fn run( if let Some(cert) = metadata.ca_data { let reader = &mut BufReader::new(Cursor::new(cert)); - // This function does not return specific errors, if it fails give a generic message. match rustls_pemfile::certs(reader) { Ok(certs) => { root_cert_store.add_parsable_certificates(&certs); diff --git a/test_util/src/lib.rs b/test_util/src/lib.rs index 2b85d6cba59f1..3cae1d7e1385d 100644 --- a/test_util/src/lib.rs +++ b/test_util/src/lib.rs @@ -1,6 +1,7 @@ // Copyright 2018-2021 the Deno authors. All rights reserved. MIT license. // Usage: provide a port as argument to run hyper_hello benchmark server // otherwise this starts multiple servers on many ports for test endpoints. +use anyhow::anyhow; use futures::FutureExt; use futures::Stream; use futures::StreamExt; @@ -368,7 +369,7 @@ async fn get_tls_config( ) .with_single_cert(certs, PrivateKey(key)) .map_err(|e| { - eprintln!("Error setting cert: {:?}", e); + anyhow!("Error setting cert: {:?}", e); }) .unwrap();