Update all network-related dependencies to the latest versions (#34630)

* Update all network-related dependencies to the latest versions: * rustls * hyper * http * headers * tungstenite * async-tungstenite Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Fix panics with 1xx responses in WPT tests. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Use reported response length when calculating available ranges. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Remove unreachable match arm. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Clean up commented fragments in blob and file handlers. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Remove unreachable match arm. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Fix clippy warning. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Cleanup. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Fix up unit tests for dependency upgrades. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * Update aws-lc-sys to fix Windows builds. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Use ring instead of aws-lc-sys. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * embedding: Require embedder to initialize a rustls CryptoProvider. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * Disable aws-lc-rs pending OhOS build fixes. Signed-off-by: Josh Matthews <josh@joshmatthews.net> --------- Signed-off-by: Josh Matthews <josh@joshmatthews.net>
2025-08-06 14:10:11 +01:00 · 2025-01-08 00:47:58 -05:00 · 2025-01-08 00:47:58 -05:00 · 76e0a1872b
commit 76e0a1872b
parent 270df6e263
25 changed files with 1342 additions and 1050 deletions
--- a/components/net/connector.rs
+++ b/components/net/connector.rs
@ -9,14 +9,17 @@ use std::sync::{Arc, Mutex};
 use futures::task::{Context, Poll};
 use futures::Future;
 use http::uri::{Authority, Uri as Destination};
-use hyper::client::HttpConnector as HyperHttpConnector;
+use http_body_util::combinators::BoxBody;
+use hyper::body::Bytes;
 use hyper::rt::Executor;
-use hyper::service::Service;
-use hyper::{Body, Client};
 use hyper_rustls::HttpsConnector as HyperRustlsHttpsConnector;
+use hyper_util::client::legacy::connect::HttpConnector as HyperHttpConnector;
+use hyper_util::client::legacy::Client;
 use log::warn;
-use rustls::client::WebPkiVerifier;
-use rustls::{Certificate, ClientConfig, OwnedTrustAnchor, RootCertStore, ServerName};
+use rustls::client::WebPkiServerVerifier;
+use rustls::{ClientConfig, RootCertStore};
+use rustls_pki_types::{CertificateDer, ServerName, UnixTime};
+use tower_service::Service;

 use crate::async_runtime::HANDLE;
 use crate::hosts::replace_host;
@ -80,10 +83,10 @@ pub type TlsConfig = ClientConfig;
 struct CertificateErrorOverrideManagerInternal {
    /// A mapping of certificates and their hosts, which have seen certificate errors.
    /// This is used to later create an override in this [CertificateErrorOverrideManager].
-    certificates_failing_to_verify: HashMap<ServerName, Certificate>,
+    certificates_failing_to_verify: HashMap<ServerName<'static>, CertificateDer<'static>>,
    /// A list of certificates that should be accepted despite encountering verification
    /// errors.
-    overrides: Vec<Certificate>,
+    overrides: Vec<CertificateDer<'static>>,
 }

 /// This data structure is used to track certificate verification errors and overrides.
@ -100,7 +103,7 @@ impl CertificateErrorOverrideManager {

    /// Add a certificate to this manager's list of certificates for which to ignore
    /// validation errors.
-    pub fn add_override(&self, certificate: &Certificate) {
+    pub fn add_override(&self, certificate: &CertificateDer<'static>) {
        self.0.lock().unwrap().overrides.push(certificate.clone());
    }

@ -110,9 +113,9 @@ impl CertificateErrorOverrideManager {
    pub(crate) fn remove_certificate_failing_verification(
        &self,
        host: &str,
-    ) -> Option<Certificate> {
+    ) -> Option<CertificateDer<'static>> {
        let server_name = match ServerName::try_from(host) {
-            Ok(name) => name,
+            Ok(name) => name.to_owned(),
            Err(error) => {
                warn!("Could not convert host string into RustTLS ServerName: {error:?}");
                return None;
@ -149,11 +152,12 @@ pub fn create_tls_config(
        override_manager,
    );
    rustls::ClientConfig::builder()
-        .with_safe_defaults()
+        .dangerous()
        .with_custom_certificate_verifier(Arc::new(verifier))
        .with_no_client_auth()
 }

+#[derive(Clone)]
 struct TokioExecutor {}

 impl<F> Executor<F> for TokioExecutor
@ -165,8 +169,9 @@ where
    }
 }

+#[derive(Debug)]
 struct CertificateVerificationOverrideVerifier {
-    webpki_verifier: WebPkiVerifier,
+    webpki_verifier: Arc<WebPkiServerVerifier>,
    ignore_certificate_errors: bool,
    override_manager: CertificateErrorOverrideManager,
 }
@ -178,18 +183,8 @@ impl CertificateVerificationOverrideVerifier {
        override_manager: CertificateErrorOverrideManager,
    ) -> Self {
        let root_cert_store = match ca_certficates {
-            CACertificates::Default => {
-                let mut root_cert_store = rustls::RootCertStore::empty();
-                root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(
-                    |trust_anchor| {
-                        OwnedTrustAnchor::from_subject_spki_name_constraints(
-                            trust_anchor.subject,
-                            trust_anchor.spki,
-                            trust_anchor.name_constraints,
-                        )
-                    },
-                ));
-                root_cert_store
+            CACertificates::Default => rustls::RootCertStore {
+                roots: webpki_roots::TLS_SERVER_ROOTS.to_vec(),
            },
            CACertificates::Override(root_cert_store) => root_cert_store,
        };
@ -197,28 +192,52 @@ impl CertificateVerificationOverrideVerifier {
        Self {
            // See https://github.com/rustls/rustls/blame/v/0.21.6/rustls/src/client/builder.rs#L141
            // This is the default verifier for Rustls that we are wrapping.
-            webpki_verifier: WebPkiVerifier::new(root_cert_store, None),
+            webpki_verifier: WebPkiServerVerifier::builder(root_cert_store.into())
+                .build()
+                .unwrap(),
            ignore_certificate_errors,
            override_manager,
        }
    }
 }

-impl rustls::client::ServerCertVerifier for CertificateVerificationOverrideVerifier {
+impl rustls::client::danger::ServerCertVerifier for CertificateVerificationOverrideVerifier {
+    fn verify_tls12_signature(
+        &self,
+        message: &[u8],
+        cert: &CertificateDer<'_>,
+        dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        self.webpki_verifier
+            .verify_tls12_signature(message, cert, dss)
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        message: &[u8],
+        cert: &CertificateDer<'_>,
+        dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        self.webpki_verifier
+            .verify_tls13_signature(message, cert, dss)
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+        self.webpki_verifier.supported_verify_schemes()
+    }
+
    fn verify_server_cert(
        &self,
-        end_entity: &Certificate,
-        intermediates: &[Certificate],
-        server_name: &ServerName,
-        scts: &mut dyn Iterator<Item = &[u8]>,
+        end_entity: &CertificateDer<'_>,
+        intermediates: &[CertificateDer<'_>],
+        server_name: &ServerName<'_>,
        ocsp_response: &[u8],
-        now: std::time::SystemTime,
-    ) -> Result<rustls::client::ServerCertVerified, rustls::Error> {
+        now: UnixTime,
+    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
        let error = match self.webpki_verifier.verify_server_cert(
            end_entity,
            intermediates,
            server_name,
-            scts,
            ocsp_response,
            now,
        ) {
@ -228,13 +247,13 @@ impl rustls::client::ServerCertVerifier for CertificateVerificationOverrideVerif

        if self.ignore_certificate_errors {
            warn!("Ignoring certficate error: {error:?}");
-            return Ok(rustls::client::ServerCertVerified::assertion());
+            return Ok(rustls::client::danger::ServerCertVerified::assertion());
        }

        // If there's an override for this certificate, just accept it.
        for cert_with_exception in &*self.override_manager.0.lock().unwrap().overrides {
            if *end_entity == *cert_with_exception {
-                return Ok(rustls::client::ServerCertVerified::assertion());
+                return Ok(rustls::client::danger::ServerCertVerified::assertion());
            }
        }
        self.override_manager
@ -242,12 +261,14 @@ impl rustls::client::ServerCertVerifier for CertificateVerificationOverrideVerif
            .lock()
            .unwrap()
            .certificates_failing_to_verify
-            .insert(server_name.clone(), end_entity.clone());
+            .insert(server_name.to_owned(), end_entity.clone().into_owned());
        Err(error)
    }
 }

-pub fn create_http_client(tls_config: TlsConfig) -> Client<Connector, Body> {
+pub type BoxedBody = BoxBody<Bytes, hyper::Error>;
+
+pub fn create_http_client(tls_config: TlsConfig) -> Client<Connector, BoxedBody> {
    let connector = hyper_rustls::HttpsConnectorBuilder::new()
        .with_tls_config(tls_config)
        .https_or_http()
@ -255,8 +276,7 @@ pub fn create_http_client(tls_config: TlsConfig) -> Client<Connector, Body> {
        .enable_http2()
        .wrap_connector(ServoHttpConnector::new());

-    Client::builder()
+    Client::builder(TokioExecutor {})
        .http1_title_case_headers(true)
-        .executor(TokioExecutor {})
        .build(connector)
 }