mirror of
https://github.com/servo/servo.git
synced 2025-08-06 14:10:11 +01:00
Update all network-related dependencies to the latest versions (#34630)
* Update all network-related dependencies to the latest versions: * rustls * hyper * http * headers * tungstenite * async-tungstenite Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Fix panics with 1xx responses in WPT tests. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Use reported response length when calculating available ranges. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Remove unreachable match arm. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Clean up commented fragments in blob and file handlers. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Remove unreachable match arm. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Fix clippy warning. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Cleanup. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Fix up unit tests for dependency upgrades. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * Update aws-lc-sys to fix Windows builds. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * net: Use ring instead of aws-lc-sys. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * embedding: Require embedder to initialize a rustls CryptoProvider. Signed-off-by: Josh Matthews <josh@joshmatthews.net> * Disable aws-lc-rs pending OhOS build fixes. Signed-off-by: Josh Matthews <josh@joshmatthews.net> --------- Signed-off-by: Josh Matthews <josh@joshmatthews.net>
This commit is contained in:
parent
270df6e263
commit
76e0a1872b
25 changed files with 1342 additions and 1050 deletions
|
@ -9,14 +9,17 @@ use std::sync::{Arc, Mutex};
|
|||
use futures::task::{Context, Poll};
|
||||
use futures::Future;
|
||||
use http::uri::{Authority, Uri as Destination};
|
||||
use hyper::client::HttpConnector as HyperHttpConnector;
|
||||
use http_body_util::combinators::BoxBody;
|
||||
use hyper::body::Bytes;
|
||||
use hyper::rt::Executor;
|
||||
use hyper::service::Service;
|
||||
use hyper::{Body, Client};
|
||||
use hyper_rustls::HttpsConnector as HyperRustlsHttpsConnector;
|
||||
use hyper_util::client::legacy::connect::HttpConnector as HyperHttpConnector;
|
||||
use hyper_util::client::legacy::Client;
|
||||
use log::warn;
|
||||
use rustls::client::WebPkiVerifier;
|
||||
use rustls::{Certificate, ClientConfig, OwnedTrustAnchor, RootCertStore, ServerName};
|
||||
use rustls::client::WebPkiServerVerifier;
|
||||
use rustls::{ClientConfig, RootCertStore};
|
||||
use rustls_pki_types::{CertificateDer, ServerName, UnixTime};
|
||||
use tower_service::Service;
|
||||
|
||||
use crate::async_runtime::HANDLE;
|
||||
use crate::hosts::replace_host;
|
||||
|
@ -80,10 +83,10 @@ pub type TlsConfig = ClientConfig;
|
|||
struct CertificateErrorOverrideManagerInternal {
|
||||
/// A mapping of certificates and their hosts, which have seen certificate errors.
|
||||
/// This is used to later create an override in this [CertificateErrorOverrideManager].
|
||||
certificates_failing_to_verify: HashMap<ServerName, Certificate>,
|
||||
certificates_failing_to_verify: HashMap<ServerName<'static>, CertificateDer<'static>>,
|
||||
/// A list of certificates that should be accepted despite encountering verification
|
||||
/// errors.
|
||||
overrides: Vec<Certificate>,
|
||||
overrides: Vec<CertificateDer<'static>>,
|
||||
}
|
||||
|
||||
/// This data structure is used to track certificate verification errors and overrides.
|
||||
|
@ -100,7 +103,7 @@ impl CertificateErrorOverrideManager {
|
|||
|
||||
/// Add a certificate to this manager's list of certificates for which to ignore
|
||||
/// validation errors.
|
||||
pub fn add_override(&self, certificate: &Certificate) {
|
||||
pub fn add_override(&self, certificate: &CertificateDer<'static>) {
|
||||
self.0.lock().unwrap().overrides.push(certificate.clone());
|
||||
}
|
||||
|
||||
|
@ -110,9 +113,9 @@ impl CertificateErrorOverrideManager {
|
|||
pub(crate) fn remove_certificate_failing_verification(
|
||||
&self,
|
||||
host: &str,
|
||||
) -> Option<Certificate> {
|
||||
) -> Option<CertificateDer<'static>> {
|
||||
let server_name = match ServerName::try_from(host) {
|
||||
Ok(name) => name,
|
||||
Ok(name) => name.to_owned(),
|
||||
Err(error) => {
|
||||
warn!("Could not convert host string into RustTLS ServerName: {error:?}");
|
||||
return None;
|
||||
|
@ -149,11 +152,12 @@ pub fn create_tls_config(
|
|||
override_manager,
|
||||
);
|
||||
rustls::ClientConfig::builder()
|
||||
.with_safe_defaults()
|
||||
.dangerous()
|
||||
.with_custom_certificate_verifier(Arc::new(verifier))
|
||||
.with_no_client_auth()
|
||||
}
|
||||
|
||||
#[derive(Clone)]
|
||||
struct TokioExecutor {}
|
||||
|
||||
impl<F> Executor<F> for TokioExecutor
|
||||
|
@ -165,8 +169,9 @@ where
|
|||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
struct CertificateVerificationOverrideVerifier {
|
||||
webpki_verifier: WebPkiVerifier,
|
||||
webpki_verifier: Arc<WebPkiServerVerifier>,
|
||||
ignore_certificate_errors: bool,
|
||||
override_manager: CertificateErrorOverrideManager,
|
||||
}
|
||||
|
@ -178,18 +183,8 @@ impl CertificateVerificationOverrideVerifier {
|
|||
override_manager: CertificateErrorOverrideManager,
|
||||
) -> Self {
|
||||
let root_cert_store = match ca_certficates {
|
||||
CACertificates::Default => {
|
||||
let mut root_cert_store = rustls::RootCertStore::empty();
|
||||
root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(
|
||||
|trust_anchor| {
|
||||
OwnedTrustAnchor::from_subject_spki_name_constraints(
|
||||
trust_anchor.subject,
|
||||
trust_anchor.spki,
|
||||
trust_anchor.name_constraints,
|
||||
)
|
||||
},
|
||||
));
|
||||
root_cert_store
|
||||
CACertificates::Default => rustls::RootCertStore {
|
||||
roots: webpki_roots::TLS_SERVER_ROOTS.to_vec(),
|
||||
},
|
||||
CACertificates::Override(root_cert_store) => root_cert_store,
|
||||
};
|
||||
|
@ -197,28 +192,52 @@ impl CertificateVerificationOverrideVerifier {
|
|||
Self {
|
||||
// See https://github.com/rustls/rustls/blame/v/0.21.6/rustls/src/client/builder.rs#L141
|
||||
// This is the default verifier for Rustls that we are wrapping.
|
||||
webpki_verifier: WebPkiVerifier::new(root_cert_store, None),
|
||||
webpki_verifier: WebPkiServerVerifier::builder(root_cert_store.into())
|
||||
.build()
|
||||
.unwrap(),
|
||||
ignore_certificate_errors,
|
||||
override_manager,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl rustls::client::ServerCertVerifier for CertificateVerificationOverrideVerifier {
|
||||
impl rustls::client::danger::ServerCertVerifier for CertificateVerificationOverrideVerifier {
|
||||
fn verify_tls12_signature(
|
||||
&self,
|
||||
message: &[u8],
|
||||
cert: &CertificateDer<'_>,
|
||||
dss: &rustls::DigitallySignedStruct,
|
||||
) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
|
||||
self.webpki_verifier
|
||||
.verify_tls12_signature(message, cert, dss)
|
||||
}
|
||||
|
||||
fn verify_tls13_signature(
|
||||
&self,
|
||||
message: &[u8],
|
||||
cert: &CertificateDer<'_>,
|
||||
dss: &rustls::DigitallySignedStruct,
|
||||
) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
|
||||
self.webpki_verifier
|
||||
.verify_tls13_signature(message, cert, dss)
|
||||
}
|
||||
|
||||
fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
|
||||
self.webpki_verifier.supported_verify_schemes()
|
||||
}
|
||||
|
||||
fn verify_server_cert(
|
||||
&self,
|
||||
end_entity: &Certificate,
|
||||
intermediates: &[Certificate],
|
||||
server_name: &ServerName,
|
||||
scts: &mut dyn Iterator<Item = &[u8]>,
|
||||
end_entity: &CertificateDer<'_>,
|
||||
intermediates: &[CertificateDer<'_>],
|
||||
server_name: &ServerName<'_>,
|
||||
ocsp_response: &[u8],
|
||||
now: std::time::SystemTime,
|
||||
) -> Result<rustls::client::ServerCertVerified, rustls::Error> {
|
||||
now: UnixTime,
|
||||
) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
|
||||
let error = match self.webpki_verifier.verify_server_cert(
|
||||
end_entity,
|
||||
intermediates,
|
||||
server_name,
|
||||
scts,
|
||||
ocsp_response,
|
||||
now,
|
||||
) {
|
||||
|
@ -228,13 +247,13 @@ impl rustls::client::ServerCertVerifier for CertificateVerificationOverrideVerif
|
|||
|
||||
if self.ignore_certificate_errors {
|
||||
warn!("Ignoring certficate error: {error:?}");
|
||||
return Ok(rustls::client::ServerCertVerified::assertion());
|
||||
return Ok(rustls::client::danger::ServerCertVerified::assertion());
|
||||
}
|
||||
|
||||
// If there's an override for this certificate, just accept it.
|
||||
for cert_with_exception in &*self.override_manager.0.lock().unwrap().overrides {
|
||||
if *end_entity == *cert_with_exception {
|
||||
return Ok(rustls::client::ServerCertVerified::assertion());
|
||||
return Ok(rustls::client::danger::ServerCertVerified::assertion());
|
||||
}
|
||||
}
|
||||
self.override_manager
|
||||
|
@ -242,12 +261,14 @@ impl rustls::client::ServerCertVerifier for CertificateVerificationOverrideVerif
|
|||
.lock()
|
||||
.unwrap()
|
||||
.certificates_failing_to_verify
|
||||
.insert(server_name.clone(), end_entity.clone());
|
||||
.insert(server_name.to_owned(), end_entity.clone().into_owned());
|
||||
Err(error)
|
||||
}
|
||||
}
|
||||
|
||||
pub fn create_http_client(tls_config: TlsConfig) -> Client<Connector, Body> {
|
||||
pub type BoxedBody = BoxBody<Bytes, hyper::Error>;
|
||||
|
||||
pub fn create_http_client(tls_config: TlsConfig) -> Client<Connector, BoxedBody> {
|
||||
let connector = hyper_rustls::HttpsConnectorBuilder::new()
|
||||
.with_tls_config(tls_config)
|
||||
.https_or_http()
|
||||
|
@ -255,8 +276,7 @@ pub fn create_http_client(tls_config: TlsConfig) -> Client<Connector, Body> {
|
|||
.enable_http2()
|
||||
.wrap_connector(ServoHttpConnector::new());
|
||||
|
||||
Client::builder()
|
||||
Client::builder(TokioExecutor {})
|
||||
.http1_title_case_headers(true)
|
||||
.executor(TokioExecutor {})
|
||||
.build(connector)
|
||||
}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue