From a4ccd6fba2d2cc0ddf07c93263a87d2cdb7077c6 Mon Sep 17 00:00:00 2001
From: Eliza Weisman
Date: Mon, 11 Sep 2023 11:03:52 -0700
Subject: [PATCH 1/2] use `rustls-webpki` instead of `linkerd/webpki` (#2465)
This commit changes the `linkerd-meshtls-rustls` crate to use the upstream `rustls-webpki` crate, maintained by Rustls, rather than our fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes the change which was the initial motivation for the `linkerd/webpki` fork (rustls/webpki#42), we can now depend on upstream.
Currently, we must take a Git dependency on `rustls-webpki`, since a release including a fix for an issue (rustls/webpki#167) which prevents `rustls-webpki` from parsing our test certificates has not yet been published. Once v0.101.5 of `rustls-webpki` is published (PR see rustls/webpki#170), we can remove the Git dep.
For now, I've updated `cargo-deny` to allow the Git dependency.
---
 Cargo.lock | 16 +++++++++++++---
 Cargo.toml | 3 ++-
 deny.toml | 9 ++++-----
 linkerd/meshtls/rustls/Cargo.toml | 2 +-
 linkerd/meshtls/rustls/src/creds/store.rs | 10 ++++++----
 linkerd/meshtls/rustls/src/server.rs | 17 ++++++-----------
 6 files changed, 32 insertions(+), 25 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 001c63f606..d156d3c112 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1380,11 +1380,11 @@ dependencies = [
 "linkerd-tls-test-util",
 "ring",
 "rustls-pemfile",
+ "rustls-webpki",
 "thiserror",
 "tokio",
 "tokio-rustls",
 "tracing",
- "webpki",
 ]
 
 [[package]]
@@ -2434,6 +2434,15 @@ dependencies = [
 "base64",
 ]
 
+[[package]]
+name = "rustls-webpki"
+version = "0.101.5"
+source = "git+https://github.com/cpu/webpki?rev=702d57f444e3f7d743277524e832a2363290ec4d#702d57f444e3f7d743277524e832a2363290ec4d"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
 [[package]]
 name = "rustversion"
 version = "1.0.11"
@@ -3114,8 +3123,9 @@ dependencies = [
 
 [[package]]
 name = "webpki"
-version = "0.22.0"
-source = "git+https://github.com/linkerd/webpki?branch=cert-dns-names-0.22#a26def03ec88d3b69542ccd2f0073369ecedc4f9"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0e74f82d49d545ad128049b7e88f6576df2da6b02e9ce565c6f533be576957e"
 dependencies = [
 "ring",
 "untrusted",
diff --git a/Cargo.toml b/Cargo.toml
index 7d3e797707..410e01bb43 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -82,6 +82,7 @@ debug = false
 lto = true
 
 [patch.crates-io]
-webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.22" }
 boring = { git = "https://github.com/cloudflare/boring" }
 tokio-boring = { git = "https://github.com/cloudflare/boring" }
+# remove this patch when https://github.com/rustls/webpki/pull/170 is published!
+rustls-webpki = { git = "https://github.com/cpu/webpki", rev = "702d57f444e3f7d743277524e832a2363290ec4d" }
diff --git a/deny.toml b/deny.toml
index 0f3474b15a..c34a6157b9 100644
--- a/deny.toml
+++ b/deny.toml
@@ -69,9 +69,8 @@ skip-tree = [
 unknown-registry = "deny"
 unknown-git = "deny"
 allow-registry = ["https://github.com/rust-lang/crates.io-index"]
-allow-git = ["https://github.com/cloudflare/boring.git"]
-
-[sources.allow-org]
-github = [
- "linkerd",
+allow-git = [
+ "https://github.com/cloudflare/boring.git",
+ # remove this when https://github.com/rustls/webpki/pull/170 is published!
+ "https://github.com/cpu/webpki",
 ]
diff --git a/linkerd/meshtls/rustls/Cargo.toml b/linkerd/meshtls/rustls/Cargo.toml
index 977f4cf899..7a01e3e5ba 100644
--- a/linkerd/meshtls/rustls/Cargo.toml
+++ b/linkerd/meshtls/rustls/Cargo.toml
@@ -19,11 +19,11 @@ linkerd-tls = { path = "../../tls" }
 linkerd-tls-test-util = { path = "../../tls/test-util", optional = true }
 ring = { version = "0.16", features = ["std"] }
 rustls-pemfile = "1.0"
+rustls-webpki = { version = "0.101.5", features = [ "std"] }
 thiserror = "1"
 tokio = { version = "1", features = ["macros", "rt", "sync"] }
 tokio-rustls = { version = "0.23", features = ["dangerous_configuration"] }
 tracing = "0.1"
-webpki = "0.22"
 
 [dev-dependencies]
 linkerd-tls-test-util = { path = "../../tls/test-util" }
diff --git a/linkerd/meshtls/rustls/src/creds/store.rs b/linkerd/meshtls/rustls/src/creds/store.rs
index d744bbf20e..864222732b 100644
--- a/linkerd/meshtls/rustls/src/creds/store.rs
+++ b/linkerd/meshtls/rustls/src/creds/store.rs
@@ -239,9 +239,11 @@ impl rustls::server::ResolvesServerCert for CertResolver {
 hello: rustls::server::ClientHello<'_>,
 ) -> Option> {
 let server_name = match hello.server_name() {
- Some(name) => webpki::DnsNameRef::try_from_ascii_str(name)
- .expect("server name must be a valid server name"),
-
+ Some(name) => {
+ let name = webpki::DnsNameRef::try_from_ascii_str(name)
+ .expect("server name must be a valid server name");
+ webpki::SubjectNameRef::DnsName(name)
+ }
 None => {
 debug!("no SNI -> no certificate");
 return None;
@@ -251,7 +253,7 @@ impl rustls::server::ResolvesServerCert for CertResolver {
 // Verify that our certificate is valid for the given SNI name.
 let c = self.0.cert.first()?;
 if let Err(error) = webpki::EndEntityCert::try_from(c.as_ref())
- .and_then(|c| c.verify_is_valid_for_dns_name(server_name))
+ .and_then(|c| c.verify_is_valid_for_subject_name(server_name))
 {
 debug!(%error, "Local certificate is not valid for SNI");
 return None;
diff --git a/linkerd/meshtls/rustls/src/server.rs b/linkerd/meshtls/rustls/src/server.rs
index 2cdcb6a381..43b0e63652 100644
--- a/linkerd/meshtls/rustls/src/server.rs
+++ b/linkerd/meshtls/rustls/src/server.rs
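Review bot: The `.expect("server name must be a valid server name")` kept in the new `Some(name)` arm of `resolve` now rests on two different parsers agreeing, because the SNI string is re-parsed here with `rustls-webpki` 0.101 while the TLS stack that hands it over (tokio-rustls 0.23 per this crate's Cargo.toml hunk) presumably still validates it with the registry `webpki` 0.22 that stays in Cargo.lock. If the two crates' DNS-name rules ever diverge, a client-chosen SNI reaches a panic inside the certificate resolver instead of a refused handshake, which is a cheap remote crash for an attacker. The `None` arm already shows the intended shape for an unusable name, so I would replace the `expect` with a logged `None`: `let name = webpki::DnsNameRef::try_from_ascii_str(name).map_err(|error| debug!(%error, "SNI is not a valid DNS name")).ok()?;`. `resolve` begins before this hunk and its body continues after it.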
@@ -130,18 +130,13 @@ fn client_identity(tls: &tokio_rustls::server::TlsStream) -> Option { - let s: &str = (*n).into(); - s.parse().ok().map(ClientId) - } - webpki::GeneralDnsNameRef::Wildcard(_) => { - // Wildcards can perhaps be handled in a future path... - None - } + let name: &str = end_cert.dns_names().ok()?.next().map(Into::into)?; + if name == "*" { + // Wildcards can perhaps be handled in a future path... + return None; } + + name.parse().ok().map(ClientId) } // === impl ServerIo === From 5c7d1f735d6f2f4960693a97fae3f655ae4224da Mon Sep 17 00:00:00 2001 From: Eliza Weisman Date: Mon, 18 Sep 2023 11:13:11 -0700 Subject: [PATCH 2/2] meshtls: use published `rustls-webpki` v0.101.5 (#2470) Now that [v0.101.5 of `rustls-webpki`][1] has been [published][2], we can now depend on the crate from crates.io. This allows us to remove the Git dependency on the branch preparing that release to be published, which allows us to remove the allowance for Git dependencies in the `cargo-deny` config. [1]: https://github.com/rustls/webpki/releases/tag/v%2F0.101.5 [2]: https://crates.io/crates/rustls-webpki/0.101.5 --- Cargo.lock | 3 ++- Cargo.toml | 2 -- deny.toml | 2 -- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d156d3c112..fd55154966 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2437,7 +2437,8 @@ dependencies = [ [[package]] name = "rustls-webpki" version = "0.101.5" -source = "git+https://github.com/cpu/webpki?rev=702d57f444e3f7d743277524e832a2363290ec4d#702d57f444e3f7d743277524e832a2363290ec4d" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "45a27e3b59326c16e23d30aeb7a36a24cc0d29e71d68ff611cdfb4a01d013bed" dependencies = [ "ring", "untrusted", diff --git a/Cargo.toml b/Cargo.toml index 410e01bb43..ffd63c047a 100644 --- a/Cargo.toml +++ b/Cargo.toml 
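Review bot: The wildcard guard `if name == "*"` at the end of `client_identity` is narrower than the `GeneralDnsNameRef::Wildcard(_)` arm it replaces: as far as I can tell `dns_names()` in rustls-webpki 0.101 still yields `GeneralDnsNameRef`, and `.map(Into::into)` flattens a `Wildcard` such as `*.example.com` into the string `"*.example.com"`, which is not equal to `"*"` and so falls through to `name.parse().ok().map(ClientId)` where the old code returned `None`. Unless `ClientId`'s `FromStr` is known to reject a leading `*` label (not visible here), the variant should be checked before the conversion to `&str`, as sketched below. `client_identity` starts before this hunk, and the removed side of the hunk is cut in this copy, so I am reading the new side only.
```rust
    let name = match end_cert.dns_names().ok()?.next()? {
        webpki::GeneralDnsNameRef::DnsName(n) => n,
        // Wildcards can perhaps be handled in a future path...
        webpki::GeneralDnsNameRef::Wildcard(_) => return None,
    };
    <&str>::from(name).parse().ok().map(ClientId)
```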
@@ -84,5 +84,3 @@ lto = true
 [patch.crates-io]
 boring = { git = "https://github.com/cloudflare/boring" }
 tokio-boring = { git = "https://github.com/cloudflare/boring" }
-# remove this patch when https://github.com/rustls/webpki/pull/170 is published!
-rustls-webpki = { git = "https://github.com/cpu/webpki", rev = "702d57f444e3f7d743277524e832a2363290ec4d" }
diff --git a/deny.toml b/deny.toml
index c34a6157b9..94ec1293c4 100644
--- a/deny.toml
+++ b/deny.toml
@@ -71,6 +71,4 @@ unknown-git = "deny"
 allow-registry = ["https://github.com/rust-lang/crates.io-index"]
 allow-git = [
 "https://github.com/cloudflare/boring.git",
- # remove this when https://github.com/rustls/webpki/pull/170 is published!
- "https://github.com/cpu/webpki",
 ]