From c85a3cc117db760586c2f830e9e8b8a7a7f03a48 Mon Sep 17 00:00:00 2001 From: Mikayla Maki Date: Fri, 11 Oct 2024 18:18:09 -0700 Subject: [PATCH] Switch from OpenSSL to Rustls (#19104) This PR also includes a downgrade of our async_tungstenite version to 0.24 Release Notes: - N/A --- Cargo.lock | 148 ++++++++++---------- Cargo.toml | 6 +- crates/client/Cargo.toml | 3 +- crates/client/src/client.rs | 24 +++- crates/http_client/Cargo.toml | 2 - crates/http_client/src/http_client.rs | 19 +-- crates/reqwest_client/Cargo.toml | 2 +- crates/reqwest_client/src/reqwest_client.rs | 20 ++- 8 files changed, 118 insertions(+), 106 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d9eb21ee26..28f38a0d1e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -878,14 +878,15 @@ checksum = "8b75356056920673b02621b35afd0f7dda9306d03c79a30f5c56c44cf256e3de" [[package]] name = "async-tls" -version = "0.13.0" +version = "0.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2ae3c9eba89d472a0e4fe1dea433df78fbbe63d2b764addaf2ba3a6bde89a5e" +checksum = "cfeefd0ca297cbbb3bd34fd6b228401c2a5177038257afd751bc29f0a2da4795" dependencies = [ "futures-core", "futures-io", - "rustls 0.21.12", + "rustls 0.20.9", "rustls-pemfile 1.0.4", + "webpki", "webpki-roots 0.22.6", ] @@ -902,9 +903,9 @@ dependencies = [ [[package]] name = "async-tungstenite" -version = "0.28.0" +version = "0.24.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "90e661b6cb0a6eb34d02c520b052daa3aa9ac0cc02495c9d066bbce13ead132b" +checksum = "3609af4bbf701ddaf1f6bb4e6257dff4ff8932327d0e685d3f653724c258b1ac" dependencies = [ "async-std", "async-tls", @@ -912,7 +913,7 @@ dependencies = [ "futures-util", "log", "pin-project-lite", - "tungstenite 0.24.0", + "tungstenite 0.21.0", ] [[package]] @@ -1061,7 +1062,7 @@ dependencies = [ "fastrand 2.1.1", "hex", "http 0.2.12", - "ring", + "ring 0.17.8", "time", "tokio", "tracing", @@ -1230,7 +1231,7 @@ dependencies = [ "once_cell", "p256", "percent-encoding", - "ring", + "ring 0.17.8", "sha2", "subtle", "time", @@ -1575,7 +1576,7 @@ dependencies = [ "bitflags 2.6.0", "cexpr", "clang-sys", - "itertools 0.10.5", + "itertools 0.12.1", "lazy_static", "lazycell", "proc-macro2", @@ -2355,7 +2356,7 @@ dependencies = [ "clickhouse-rs-cityhash-sys", "futures 0.3.30", "hyper 0.14.30", - "hyper-tls 0.5.0", + "hyper-tls", "lz4", "sealed", "serde", @@ -2393,7 +2394,6 @@ dependencies = [ "anyhow", "async-native-tls", "async-recursion 0.3.2", - "async-tls", "async-tungstenite", "chrono", "clock", @@ -2411,6 +2411,8 @@ dependencies = [ "rand 0.8.5", "release_channel", "rpc", + "rustls 0.20.9", + "rustls-native-certs 0.8.0", "schemars", "serde", "serde_json", @@ -4376,7 +4378,7 @@ dependencies = [ "futures-core", "futures-sink", "nanorand", - "spin", + "spin 0.9.8", ] [[package]] @@ -5531,8 +5533,6 @@ dependencies = [ "futures 0.3.30", "http 1.1.0", "log", - "rustls 0.21.12", - "rustls-native-certs 0.8.0", "serde", "serde_json", "smol", @@ -5634,6 +5634,7 @@ dependencies = [ "hyper 1.4.1", "hyper-util", "rustls 0.23.13", + "rustls-native-certs 0.8.0", "rustls-pki-types", "tokio", "tokio-rustls 0.26.0", @@ -5653,22 +5654,6 @@ dependencies = [ "tokio-native-tls", ] -[[package]] -name = "hyper-tls" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0" -dependencies = [ - "bytes 1.7.1", - "http-body-util", - "hyper 1.4.1", - "hyper-util", - "native-tls", - "tokio", - "tokio-native-tls", - "tower-service", -] - [[package]] name = "hyper-util" version = "0.1.9" @@ -6159,7 +6144,7 @@ dependencies = [ "base64 0.21.7", "js-sys", "pem", - "ring", + "ring 0.17.8", "serde", "serde_json", "simple_asn1", @@ -6410,7 +6395,7 @@ version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" dependencies = [ - "spin", + "spin 0.9.8", ] [[package]] @@ -6477,7 +6462,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4" dependencies = [ "cfg-if", - "windows-targets 0.48.5", + "windows-targets 0.52.6", ] [[package]] @@ -8763,7 +8748,7 @@ checksum = "fadfaed2cd7f389d0161bb73eeb07b7b78f8691047a6f3e73caaeae55310a4a6" dependencies = [ "bytes 1.7.1", "rand 0.8.5", - "ring", + "ring 0.17.8", "rustc-hash 2.0.0", "rustls 0.23.13", "slab", @@ -9245,7 +9230,7 @@ dependencies = [ "http 0.2.12", "http-body 0.4.6", "hyper 0.14.30", - "hyper-tls 0.5.0", + "hyper-tls", "ipnet", "js-sys", "log", @@ -9286,18 +9271,17 @@ dependencies = [ "http-body-util", "hyper 1.4.1", "hyper-rustls 0.27.3", - "hyper-tls 0.6.0", "hyper-util", "ipnet", "js-sys", "log", "mime", - "native-tls", "once_cell", "percent-encoding", "pin-project-lite", "quinn", "rustls 0.23.13", + "rustls-native-certs 0.8.0", "rustls-pemfile 2.1.3", "rustls-pki-types", "serde", @@ -9306,7 +9290,6 @@ dependencies = [ "sync_wrapper 1.0.1", "system-configuration 0.6.1", "tokio", - "tokio-native-tls", "tokio-rustls 0.26.0", "tokio-util", "tower-service", @@ -9382,6 +9365,21 @@ dependencies = [ "util", ] +[[package]] +name = "ring" +version = "0.16.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" +dependencies = [ + "cc", + "libc", + "once_cell", + "spin 0.5.2", + "untrusted 0.7.1", + "web-sys", + "winapi", +] + [[package]] name = "ring" version = "0.17.8" @@ -9392,8 +9390,8 @@ dependencies = [ "cfg-if", "getrandom 0.2.15", "libc", - "spin", - "untrusted", + "spin 0.9.8", + "untrusted 0.9.0", "windows-sys 0.52.0", ] @@ -9549,7 +9547,7 @@ dependencies = [ "futures 0.3.30", "glob", "rand 0.8.5", - "ring", + "ring 0.17.8", "serde", "serde_json", "shellexpand 3.1.0", @@ -9676,6 +9674,18 @@ dependencies = [ "rustix 0.38.35", ] +[[package]] +name = "rustls" +version = "0.20.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1b80e3dec595989ea8510028f30c408a4630db12c9cbb8de34203b89d6577e99" +dependencies = [ + "log", + "ring 0.16.20", + "sct", + "webpki", +] + [[package]] name = "rustls" version = "0.21.12" @@ -9683,7 +9693,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e" dependencies = [ "log", - "ring", + "ring 0.17.8", "rustls-webpki 0.101.7", "sct", ] @@ -9695,7 +9705,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f2dabaac7466917e566adb06783a81ca48944c6898a1b08b9374106dd671f4c8" dependencies = [ "once_cell", - "ring", + "ring 0.17.8", "rustls-pki-types", "rustls-webpki 0.102.8", "subtle", @@ -9758,8 +9768,8 @@ version = "0.101.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" dependencies = [ - "ring", - "untrusted", + "ring 0.17.8", + "untrusted 0.9.0", ] [[package]] @@ -9768,9 +9778,9 @@ version = "0.102.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9" dependencies = [ - "ring", + "ring 0.17.8", "rustls-pki-types", - "untrusted", + "untrusted 0.9.0", ] [[package]] @@ -9884,8 +9894,8 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" dependencies = [ - "ring", - "untrusted", + "ring 0.17.8", + "untrusted 0.9.0", ] [[package]] @@ -10645,6 +10655,12 @@ dependencies = [ "smallvec", ] +[[package]] +name = "spin" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" + [[package]] name = "spin" version = "0.9.8" @@ -12502,24 +12518,6 @@ dependencies = [ "utf-8", ] -[[package]] -name = "tungstenite" -version = "0.24.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "18e5b8366ee7a95b16d32197d0b2604b43a0be89dc5fac9f8e96ccafbaedda8a" -dependencies = [ - "byteorder", - "bytes 1.7.1", - "data-encoding", - "http 1.1.0", - "httparse", - "log", - "rand 0.8.5", - "sha1", - "thiserror", - "utf-8", -] - [[package]] name = "typeid" version = "1.0.2" @@ -12678,6 +12676,12 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e1766d682d402817b5ac4490b3c3002d91dfa0d22812f341609f97b08757359c" +[[package]] +name = "untrusted" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" + [[package]] name = "untrusted" version = "0.9.0" @@ -13125,9 +13129,9 @@ dependencies = [ [[package]] name = "wasm-streams" -version = "0.4.0" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b65dc4c90b63b118468cf747d8bf3566c1913ef60be765b5730ead9e0a3ba129" +checksum = "4e072d4e72f700fb3443d8fe94a39315df013eef1104903cdb0a2abd322bbecd" dependencies = [ "futures-util", "js-sys", @@ -13551,8 +13555,8 @@ version = "0.22.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ed63aea5ce73d0ff405984102c42de94fc55a6b75765d621c65262469b3c9b53" dependencies = [ - "ring", - "untrusted", + "ring 0.17.8", + "untrusted 0.9.0", ] [[package]] @@ -13700,7 +13704,7 @@ version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb" dependencies = [ - "windows-sys 0.48.0", + "windows-sys 0.59.0", ] [[package]] diff --git a/Cargo.toml b/Cargo.toml index f29d8041cc..ac66fe369f 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -327,7 +327,7 @@ async-pipe = { git = "https://github.com/zed-industries/async-pipe-rs", rev = "8 async-recursion = "1.0.0" async-tar = "0.5.0" async-trait = "0.1" -async-tungstenite = "0.28" +async-tungstenite = "0.24" async-watch = "0.3.1" async_zip = { version = "0.0.17", features = ["deflate", "deflate64"] } base64 = "0.22" @@ -391,14 +391,14 @@ pulldown-cmark = { version = "0.12.0", default-features = false } rand = "0.8.5" regex = "1.5" repair_json = "0.1.0" -reqwest = { git = "https://github.com/zed-industries/reqwest.git", rev = "fd110f6998da16bbca97b6dddda9be7827c50e29" } +reqwest = { git = "https://github.com/zed-industries/reqwest.git", rev = "fd110f6998da16bbca97b6dddda9be7827c50e29", default-features = false, features = ["charset", "http2", "macos-system-configuration", "rustls-tls-native-roots", "stream"]} rsa = "0.9.6" runtimelib = { version = "0.15", default-features = false, features = [ "async-dispatcher-runtime", ] } rustc-demangle = "0.1.23" rust-embed = { version = "8.4", features = ["include-exclude"] } -rustls = "0.21.12" +rustls = "0.20.3" rustls-native-certs = "0.8.0" schemars = { version = "0.8", features = ["impl_json_schema"] } semver = "1.0" diff --git a/crates/client/Cargo.toml b/crates/client/Cargo.toml index c3fbea1f98..80e9a17ba8 100644 --- a/crates/client/Cargo.toml +++ b/crates/client/Cargo.toml @@ -18,7 +18,6 @@ test-support = ["clock/test-support", "collections/test-support", "gpui/test-sup [dependencies] anyhow.workspace = true async-recursion = "0.3" -async-tls = "0.13" async-tungstenite = { workspace = true, features = ["async-std", "async-tls"] } chrono = { workspace = true, features = ["serde"] } clock.workspace = true @@ -35,6 +34,8 @@ postage.workspace = true rand.workspace = true release_channel.workspace = true rpc = { workspace = true, features = ["gpui"] } +rustls-native-certs.workspace = true +rustls.workspace = true schemars.workspace = true serde.workspace = true serde_json.workspace = true diff --git a/crates/client/src/client.rs b/crates/client/src/client.rs index 03d81b117f..49f3ff4b14 100644 --- a/crates/client/src/client.rs +++ b/crates/client/src/client.rs @@ -1137,13 +1137,31 @@ impl Client { match url_scheme { Https => { + let client_config = { + let mut root_store = rustls::RootCertStore::empty(); + + let root_certs = rustls_native_certs::load_native_certs(); + for error in root_certs.errors { + log::warn!("error loading native certs: {:?}", error); + } + root_store.add_parsable_certificates( + &root_certs + .certs + .into_iter() + .map(|cert| cert.as_ref().to_owned()) + .collect::>(), + ); + rustls::ClientConfig::builder() + .with_safe_defaults() + .with_root_certificates(root_store) + .with_no_client_auth() + }; + let (stream, _) = async_tungstenite::async_tls::client_async_tls_with_connector( request, stream, - Some(async_tls::TlsConnector::from( - http_client::TLS_CONFIG.clone(), - )), + Some(client_config.into()), ) .await?; Ok(Connection::new( diff --git a/crates/http_client/Cargo.toml b/crates/http_client/Cargo.toml index e8585cff98..2156f4d37a 100644 --- a/crates/http_client/Cargo.toml +++ b/crates/http_client/Cargo.toml @@ -21,8 +21,6 @@ derive_more.workspace = true futures.workspace = true http = "1.1" log.workspace = true -rustls-native-certs.workspace = true -rustls.workspace = true serde.workspace = true serde_json.workspace = true smol.workspace = true diff --git a/crates/http_client/src/http_client.rs b/crates/http_client/src/http_client.rs index bf1046d88e..fb2a2a3cf9 100644 --- a/crates/http_client/src/http_client.rs +++ b/crates/http_client/src/http_client.rs @@ -12,7 +12,7 @@ use http::request::Builder; use std::fmt; use std::{ any::type_name, - sync::{Arc, LazyLock, Mutex}, + sync::{Arc, Mutex}, time::Duration, }; pub use url::Url; @@ -35,23 +35,6 @@ pub enum RedirectPolicy { } pub struct FollowRedirects(pub bool); -pub static TLS_CONFIG: LazyLock> = LazyLock::new(|| { - let mut root_store = rustls::RootCertStore::empty(); - - let root_certs = rustls_native_certs::load_native_certs(); - for error in root_certs.errors { - log::warn!("error loading native certs: {:?}", error); - } - root_store.add_parsable_certificates(&root_certs.certs); - - Arc::new( - rustls::ClientConfig::builder() - .with_safe_defaults() - .with_root_certificates(root_store) - .with_no_client_auth(), - ) -}); - pub trait HttpRequestExt { /// Set a read timeout on the request. /// For isahc, this is the low_speed_timeout. diff --git a/crates/reqwest_client/Cargo.toml b/crates/reqwest_client/Cargo.toml index 1246aa4eef..08a57ff4d7 100644 --- a/crates/reqwest_client/Cargo.toml +++ b/crates/reqwest_client/Cargo.toml @@ -28,7 +28,7 @@ serde.workspace = true smol.workspace = true log.workspace = true tokio = { workspace = true, features = ["rt", "rt-multi-thread"] } -reqwest = { workspace = true, features = ["rustls-tls-manual-roots", "stream"] } +reqwest.workspace = true [dev-dependencies] gpui.workspace = true diff --git a/crates/reqwest_client/src/reqwest_client.rs b/crates/reqwest_client/src/reqwest_client.rs index 7b0e66f2a5..67df21be3c 100644 --- a/crates/reqwest_client/src/reqwest_client.rs +++ b/crates/reqwest_client/src/reqwest_client.rs @@ -2,7 +2,7 @@ use std::{any::type_name, borrow::Cow, io::Read, mem, pin::Pin, sync::OnceLock, use anyhow::anyhow; use bytes::{BufMut, Bytes, BytesMut}; -use futures::{AsyncRead, TryStreamExt}; +use futures::{AsyncRead, TryStreamExt as _}; use http_client::{http, ReadTimeout, RedirectPolicy}; use reqwest::{ header::{HeaderMap, HeaderValue}, @@ -11,6 +11,7 @@ use reqwest::{ use smol::future::FutureExt; const DEFAULT_CAPACITY: usize = 4096; +static RUNTIME: OnceLock = OnceLock::new(); pub struct ReqwestClient { client: reqwest::Client, @@ -20,20 +21,29 @@ pub struct ReqwestClient { impl ReqwestClient { pub fn new() -> Self { - reqwest::Client::new().into() + reqwest::Client::builder() + .use_rustls_tls() + .build() + .expect("Failed to initialize HTTP client") + .into() } pub fn user_agent(agent: &str) -> anyhow::Result { let mut map = HeaderMap::new(); map.insert(http::header::USER_AGENT, HeaderValue::from_str(agent)?); - let client = reqwest::Client::builder().default_headers(map).build()?; + let client = reqwest::Client::builder() + .default_headers(map) + .use_rustls_tls() + .build()?; Ok(client.into()) } pub fn proxy_and_user_agent(proxy: Option, agent: &str) -> anyhow::Result { let mut map = HeaderMap::new(); map.insert(http::header::USER_AGENT, HeaderValue::from_str(agent)?); - let mut client = reqwest::Client::builder().default_headers(map); + let mut client = reqwest::Client::builder() + .use_rustls_tls() + .default_headers(map); if let Some(proxy) = proxy.clone() { client = client.proxy(reqwest::Proxy::all(proxy.to_string())?); } @@ -44,8 +54,6 @@ impl ReqwestClient { } } -static RUNTIME: OnceLock = OnceLock::new(); - impl From for ReqwestClient { fn from(client: reqwest::Client) -> Self { let handle = tokio::runtime::Handle::try_current().unwrap_or_else(|_| {