Skip to content

Commit

Permalink
Merge bitcoindevkit#132: Upgrade rustls to 0.23
Browse files Browse the repository at this point in the history
28b1aaa upgrade rustls to 0.23 (Nick Farrow)

Pull request description:

  With rustls 0.23 there is no longer a dependency on ring, allowing easier compilation for various targets.

  Not super confident with my updates to `ServerCertVerifier` and `Der` of certificates (is this being tested?), needs review.

ACKs for top commit:
  notmandatory:
    utACK 28b1aaa

Tree-SHA512: 6561c4d20d446d86ca7a6c04ddb5a8acb136756606c82ca00e9b4a1f0eb2a3b00120d6db475f14474a89ebaa2ad600208d51c777cb5aeed0dcf62335a84fee5a
  • Loading branch information
notmandatory committed May 27, 2024
2 parents 898f230 + 28b1aaa commit 1bbae7d
Show file tree
Hide file tree
Showing 2 changed files with 48 additions and 21 deletions.
2 changes: 1 addition & 1 deletion Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ serde_json = { version = "^1.0" }

# Optional dependencies
openssl = { version = "0.10", optional = true }
rustls = { version = "0.21", optional = true, features = ["dangerous_configuration"] }
rustls = { version = "0.23", optional = true }
webpki-roots = { version = "0.25", optional = true }

byteorder = { version = "1.0", optional = true }
Expand Down
67 changes: 47 additions & 20 deletions src/raw_client.rs
Original file line number Diff line number Diff line change
Expand Up @@ -21,12 +21,15 @@ use bitcoin::{Script, Txid};

#[cfg(feature = "use-openssl")]
use openssl::ssl::{SslConnector, SslMethod, SslStream, SslVerifyMode};

#[cfg(all(
any(feature = "default", feature = "use-rustls"),
not(feature = "use-openssl")
))]
use rustls::{
ClientConfig, ClientConnection, OwnedTrustAnchor, RootCertStore, ServerName, StreamOwned,
pki_types::ServerName,
pki_types::{Der, TrustAnchor},
ClientConfig, ClientConnection, RootCertStore, StreamOwned,
};

#[cfg(any(feature = "default", feature = "proxy"))]
Expand Down Expand Up @@ -287,25 +290,48 @@ impl RawClient<ElectrumSslStream> {
not(feature = "use-openssl")
))]
mod danger {
use rustls;
use rustls::client::ServerCertVerified;
use rustls::{Certificate, Error, ServerName};
use std::time::SystemTime;
use raw_client::ServerName;
use rustls::client::danger::ServerCertVerified;
use rustls::pki_types::CertificateDer;
use rustls::pki_types::UnixTime;
use rustls::Error;

#[derive(Debug)]
pub struct NoCertificateVerification {}

impl rustls::client::ServerCertVerifier for NoCertificateVerification {
impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
fn verify_server_cert(
&self,
_end_entity: &Certificate,
_intermediates: &[Certificate],
_end_entity: &CertificateDer,
_intermediates: &[CertificateDer],
_server_name: &ServerName,
_scts: &mut dyn Iterator<Item = &[u8]>,
_ocsp_response: &[u8],
_now: SystemTime,
_now: UnixTime,
) -> Result<ServerCertVerified, Error> {
Ok(ServerCertVerified::assertion())
}

fn verify_tls12_signature(
&self,
_message: &[u8],
_cert: &CertificateDer<'_>,
_dss: &rustls::DigitallySignedStruct,
) -> Result<rustls::client::danger::HandshakeSignatureValid, Error> {
Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
}

fn verify_tls13_signature(
&self,
_message: &[u8],
_cert: &CertificateDer<'_>,
_dss: &rustls::DigitallySignedStruct,
) -> Result<rustls::client::danger::HandshakeSignatureValid, Error> {
Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
}

fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
vec![]
}
}
}

Expand Down Expand Up @@ -358,24 +384,25 @@ impl RawClient<ElectrumSslStream> {
) -> Result<Self, Error> {
use std::convert::TryFrom;

let builder = ClientConfig::builder().with_safe_defaults();
let builder = ClientConfig::builder();

let config = if validate_domain {
socket_addr.domain().ok_or(Error::MissingDomain)?;

let mut store = RootCertStore::empty();
store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.into_iter().map(|t| {
OwnedTrustAnchor::from_subject_spki_name_constraints(
t.subject,
t.spki,
t.name_constraints,
)
}));
let store = webpki_roots::TLS_SERVER_ROOTS
.into_iter()
.map(|t| TrustAnchor {
subject: Der::from_slice(t.subject),
subject_public_key_info: Der::from_slice(t.spki),
name_constraints: t.name_constraints.map(|nc| Der::from_slice(nc)),
})
.collect::<RootCertStore>();

// TODO: cert pinning
builder.with_root_certificates(store).with_no_client_auth()
} else {
builder
.dangerous()
.with_custom_certificate_verifier(std::sync::Arc::new(
danger::NoCertificateVerification {},
))
Expand All @@ -385,7 +412,7 @@ impl RawClient<ElectrumSslStream> {
let domain = socket_addr.domain().unwrap_or("NONE").to_string();
let session = ClientConnection::new(
std::sync::Arc::new(config),
ServerName::try_from(domain.as_str())
ServerName::try_from(domain.clone())
.map_err(|_| Error::InvalidDNSNameError(domain.clone()))?,
)
.map_err(Error::CouldNotCreateConnection)?;
Expand Down

0 comments on commit 1bbae7d

Please sign in to comment.