From 679673096254e108fa0d71f65bf8fa28ba9679f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Garc=C3=ADa?= Date: Mon, 8 Jan 2024 18:28:00 +0100 Subject: [PATCH] [PM-4269] Use rustls on non-wasm platforms (#374) ## Type of change ``` - [ ] Bug fix - [x] New feature development - [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [ ] Build/deploy pipeline (DevOps) - [ ] Other ``` ## Objective Updated reqwest to use rustls on all platforms. We're also using rustls-platform-verifier where possible to load the CA certificates from the operating system store instead of including them in the binary. Note that WASM doesn't need a TLS stack as reqwest just uses the browser's `fetch` | | TLS Stack | CA Validator | Accepts self signed in OS root store | |---------|-----------|--------------------------|--------------------------------------| | Windows | RusTLS | ustls-platform-verifier | Yes | | Linux | RusTLS | rustls-platform-verifier (Native+WebPKI) | Yes | | Mac | RusTLS | rustls-platform-verifier (Native) | Yes | | Android | RusTLS | WebPKI | No | | iOS | RusTLS | rustls-platform-verifier (Native) | Yes | | WASM | fetch | fetch | Maybe, use browser config | --- Cargo.lock | 270 ++++++++++++++--------- about.toml | 5 + crates/bitwarden-api-api/Cargo.toml | 1 + crates/bitwarden-api-identity/Cargo.toml | 1 + crates/bitwarden-uniffi/Cargo.toml | 3 - crates/bitwarden/CHANGELOG.md | 4 + crates/bitwarden/Cargo.toml | 21 +- crates/bitwarden/src/client/client.rs | 14 +- crates/bws/CHANGELOG.md | 4 + crates/bws/Cargo.toml | 3 - crates/bws/Cross.toml | 6 - support/openapi-template/Cargo.mustache | 1 + 12 files changed, 213 insertions(+), 120 deletions(-) delete mode 100644 crates/bws/Cross.toml diff --git a/Cargo.lock b/Cargo.lock index ebf999c2c..4849ad02c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -351,6 +351,7 @@ dependencies = [ "rand_chacha 0.3.1", "reqwest", "rsa", + "rustls-platform-verifier", "schemars", "serde", "serde_json", @@ -454,7 +455,6 @@ dependencies = [ "bitwarden", "chrono", "env_logger", - "openssl", "schemars", "uniffi", ] @@ -546,7 +546,6 @@ dependencies = [ "directories", "env_logger", "log", - "openssl", "regex", "serde", "serde_json", @@ -633,6 +632,12 @@ dependencies = [ "libc", ] +[[package]] +name = "cesu8" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c" + [[package]] name = "cfg-if" version = "1.0.0" @@ -758,6 +763,16 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7" +[[package]] +name = "combine" +version = "4.6.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "35ed6e9d84f0b51a7f52daf1c7d71dd136fd7a3f41a8462b8cdb8c78d920fad4" +dependencies = [ + "bytes", + "memchr", +] + [[package]] name = "comfy-table" version = "7.1.0" @@ -1140,21 +1155,6 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" -[[package]] -name = "foreign-types" -version = "0.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" -dependencies = [ - "foreign-types-shared", -] - -[[package]] -name = "foreign-types-shared" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" - [[package]] name = "form_urlencoded" version = "1.2.1" @@ -1522,16 +1522,17 @@ dependencies = [ ] [[package]] -name = "hyper-tls" -version = "0.5.0" +name = "hyper-rustls" +version = "0.24.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905" +checksum = "ec3efd23720e2049821a693cbc7e65ea87c72f1c58ff2f9522ff332b1491e590" dependencies = [ - "bytes", + "futures-util", + "http", "hyper", - "native-tls", + "rustls", "tokio", - "tokio-native-tls", + "tokio-rustls", ] [[package]] @@ -1679,6 +1680,26 @@ version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c" +[[package]] +name = "jni" +version = "0.19.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c6df18c2e3db7e453d3c6ac5b3e9d5182664d28788126d39b91f2d1e22b017ec" +dependencies = [ + "cesu8", + "combine", + "jni-sys", + "log", + "thiserror", + "walkdir", +] + +[[package]] +name = "jni-sys" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130" + [[package]] name = "js-sys" version = "0.3.66" @@ -1694,7 +1715,7 @@ version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" dependencies = [ - "spin", + "spin 0.5.2", ] [[package]] @@ -1900,24 +1921,6 @@ dependencies = [ "libloading", ] -[[package]] -name = "native-tls" -version = "0.2.11" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07226173c32f2926027b63cce4bcd8076c3552846cbe7925f3aaffeac0a3b92e" -dependencies = [ - "lazy_static", - "libc", - "log", - "openssl", - "openssl-probe", - "openssl-sys", - "schannel", - "security-framework", - "security-framework-sys", - "tempfile", -] - [[package]] name = "newline-converter" version = "0.2.2" @@ -2071,60 +2074,12 @@ dependencies = [ "pkg-config", ] -[[package]] -name = "openssl" -version = "0.10.61" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6b8419dc8cc6d866deb801274bba2e6f8f6108c1bb7fcc10ee5ab864931dbb45" -dependencies = [ - "bitflags 2.4.1", - "cfg-if", - "foreign-types", - "libc", - "once_cell", - "openssl-macros", - "openssl-sys", -] - -[[package]] -name = "openssl-macros" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" -dependencies = [ - "proc-macro2", - "quote", - "syn 2.0.47", -] - [[package]] name = "openssl-probe" version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" -[[package]] -name = "openssl-src" -version = "300.2.1+3.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fe476c29791a5ca0d1273c697e96085bbabbbea2ef7afd5617e78a4b40332d3" -dependencies = [ - "cc", -] - -[[package]] -name = "openssl-sys" -version = "0.9.97" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c3eaad34cdd97d81de97964fc7f29e2d104f483840d906ef56daa1912338460b" -dependencies = [ - "cc", - "libc", - "openssl-src", - "pkg-config", - "vcpkg", -] - [[package]] name = "option-ext" version = "0.2.0" @@ -2573,27 +2528,29 @@ dependencies = [ "http", "http-body", "hyper", - "hyper-tls", + "hyper-rustls", "ipnet", "js-sys", "log", "mime", "mime_guess", - "native-tls", "once_cell", "percent-encoding", "pin-project-lite", + "rustls", + "rustls-pemfile", "serde", "serde_json", "serde_urlencoded", "system-configuration", "tokio", - "tokio-native-tls", + "tokio-rustls", "tower-service", "url", "wasm-bindgen", "wasm-bindgen-futures", "web-sys", + "webpki-roots", "winreg", ] @@ -2612,6 +2569,20 @@ dependencies = [ "bytemuck", ] +[[package]] +name = "ring" +version = "0.17.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "688c63d65483050968b2a8937f7995f443e27041a0f7700aa59b0822aedebb74" +dependencies = [ + "cc", + "getrandom 0.2.11", + "libc", + "spin 0.9.8", + "untrusted", + "windows-sys 0.48.0", +] + [[package]] name = "rsa" version = "0.9.6" @@ -2651,6 +2622,76 @@ dependencies = [ "windows-sys 0.52.0", ] +[[package]] +name = "rustls" +version = "0.21.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba" +dependencies = [ + "log", + "ring", + "rustls-webpki", + "sct", +] + +[[package]] +name = "rustls-native-certs" +version = "0.6.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" +dependencies = [ + "openssl-probe", + "rustls-pemfile", + "schannel", + "security-framework", +] + +[[package]] +name = "rustls-pemfile" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c" +dependencies = [ + "base64 0.21.5", +] + +[[package]] +name = "rustls-platform-verifier" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c573e165e19be8c9fc0264ee041d66292d4ee0439949af61d71fa747bf5df082" +dependencies = [ + "core-foundation", + "core-foundation-sys", + "jni", + "log", + "once_cell", + "rustls", + "rustls-native-certs", + "rustls-platform-verifier-android", + "rustls-webpki", + "security-framework", + "security-framework-sys", + "webpki-roots", + "winapi", +] + +[[package]] +name = "rustls-platform-verifier-android" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "84e217e7fdc8466b5b35d30f8c0a30febd29173df4a3a0c2115d306b9c4117ad" + +[[package]] +name = "rustls-webpki" +version = "0.101.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "rustversion" version = "1.0.14" @@ -2746,6 +2787,16 @@ dependencies = [ "syn 2.0.47", ] +[[package]] +name = "sct" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "sdk-schemas" version = "0.1.0" @@ -2769,6 +2820,7 @@ dependencies = [ "core-foundation", "core-foundation-sys", "libc", + "num-bigint", "security-framework-sys", ] @@ -3024,6 +3076,12 @@ version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" +[[package]] +name = "spin" +version = "0.9.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" + [[package]] name = "spki" version = "0.7.3" @@ -3291,12 +3349,12 @@ dependencies = [ ] [[package]] -name = "tokio-native-tls" -version = "0.3.1" +name = "tokio-rustls" +version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2" +checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ - "native-tls", + "rustls", "tokio", ] @@ -3639,6 +3697,12 @@ version = "0.2.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ab4c90930b95a82d00dc9e9ac071b4991924390d46cbd0dfe566148667605e4b" +[[package]] +name = "untrusted" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" + [[package]] name = "url" version = "2.5.0" @@ -3672,12 +3736,6 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d" -[[package]] -name = "vcpkg" -version = "0.2.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" - [[package]] name = "version_check" version = "0.9.4" @@ -3824,6 +3882,12 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "webpki-roots" +version = "0.25.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10" + [[package]] name = "weedle2" version = "4.0.0" diff --git a/about.toml b/about.toml index 2ed67c7cc..bd56148af 100644 --- a/about.toml +++ b/about.toml @@ -8,4 +8,9 @@ accepted = [ "MPL-2.0", "LGPL-3.0", "Unicode-DFS-2016", + "OpenSSL", ] + +# Ring has all the licenses combined into a single file, which causes cargo about to +# be confused about it. Thankfully it includes a workaround for this that we can enable. +workarounds = ["ring"] diff --git a/crates/bitwarden-api-api/Cargo.toml b/crates/bitwarden-api-api/Cargo.toml index e4ec902b1..5b8b0c773 100644 --- a/crates/bitwarden-api-api/Cargo.toml +++ b/crates/bitwarden-api-api/Cargo.toml @@ -22,5 +22,6 @@ uuid = { version = ">=1.3.3, <2", features = ["serde"] } [dependencies.reqwest] version = ">=0.11.18, <0.12" features = ["json", "multipart"] +default-features = false [dev-dependencies] diff --git a/crates/bitwarden-api-identity/Cargo.toml b/crates/bitwarden-api-identity/Cargo.toml index 929bbc6fa..4f4b46732 100644 --- a/crates/bitwarden-api-identity/Cargo.toml +++ b/crates/bitwarden-api-identity/Cargo.toml @@ -22,5 +22,6 @@ uuid = { version = ">=1.3.3, <2", features = ["serde"] } [dependencies.reqwest] version = ">=0.11.18, <0.12" features = ["json", "multipart"] +default-features = false [dev-dependencies] diff --git a/crates/bitwarden-uniffi/Cargo.toml b/crates/bitwarden-uniffi/Cargo.toml index ecde30a4b..4bf7b085b 100644 --- a/crates/bitwarden-uniffi/Cargo.toml +++ b/crates/bitwarden-uniffi/Cargo.toml @@ -25,6 +25,3 @@ bitwarden = { path = "../bitwarden", features = ["mobile", "internal"] } [build-dependencies] uniffi = { version = "=0.25.2", features = ["build"] } - -[target.'cfg(any(target_os = "android", target_os = "ios"))'.dependencies] -openssl = { version = "0.10", features = ["vendored"] } diff --git a/crates/bitwarden/CHANGELOG.md b/crates/bitwarden/CHANGELOG.md index b4a57cde1..ff47c19d8 100644 --- a/crates/bitwarden/CHANGELOG.md +++ b/crates/bitwarden/CHANGELOG.md @@ -7,6 +7,10 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +### Changed + +- Switched TLS backend to `rustls`, removing the dependency on `OpenSSL`. + ## [0.4.0] - 2023-12-21 ### Added diff --git a/crates/bitwarden/Cargo.toml b/crates/bitwarden/Cargo.toml index 5677a73d9..2fd1f32e6 100644 --- a/crates/bitwarden/Cargo.toml +++ b/crates/bitwarden/Cargo.toml @@ -46,7 +46,9 @@ num-bigint = ">=0.4, <0.5" num-traits = ">=0.2.15, <0.3" pbkdf2 = { version = ">=0.12.1, <0.13", default-features = false } rand = ">=0.8.5, <0.9" -reqwest = { version = ">=0.11, <0.12", features = ["json"] } +reqwest = { version = ">=0.11, <0.12", features = [ + "json", +], default-features = false } rsa = ">=0.9.2, <0.10" schemars = { version = ">=0.8.9, <0.9", features = ["uuid1", "chrono"] } serde = { version = ">=1.0, <2.0", features = ["derive"] } @@ -60,6 +62,23 @@ thiserror = ">=1.0.40, <2.0" uniffi = { version = "=0.25.2", optional = true, features = ["tokio"] } uuid = { version = ">=1.3.3, <2.0", features = ["serde"] } +[target.'cfg(all(not(target_os = "android"), not(target_arch="wasm32")))'.dependencies] +# By default, we use rustls as the TLS stack and rust-platform-verifier to support user-installed root certificates +# There are a few exceptions to this: +# - WASM doesn't require a TLS stack, as it just uses the browsers/node fetch +# - Android uses webpki-roots for the moment +reqwest = { version = "*", features = [ + "rustls-tls-manual-roots", +], default-features = false } +rustls-platform-verifier = "0.1.0" + +[target.'cfg(target_os = "android")'.dependencies] +# On android, the use of rustls-platform-verifier is more complicated and going through some changes at the moment, so we fall back to using webpki-roots +# This means that for the moment android won't support self-signed certificates, even if they are included in the OS trust store +reqwest = { version = "*", features = [ + "rustls-tls-webpki-roots", +], default-features = false } + [dev-dependencies] rand_chacha = "0.3.1" tokio = { version = "1.35.1", features = ["rt", "macros"] } diff --git a/crates/bitwarden/src/client/client.rs b/crates/bitwarden/src/client/client.rs index 302e7ed75..2c5d9b387 100644 --- a/crates/bitwarden/src/client/client.rs +++ b/crates/bitwarden/src/client/client.rs @@ -88,10 +88,16 @@ impl Client { let headers = header::HeaderMap::new(); - let client = reqwest::Client::builder() - .default_headers(headers) - .build() - .unwrap(); + #[allow(unused_mut)] + let mut client_builder = reqwest::Client::builder().default_headers(headers); + + #[cfg(all(not(target_os = "android"), not(target_arch = "wasm32")))] + { + client_builder = + client_builder.use_preconfigured_tls(rustls_platform_verifier::tls_config()); + } + + let client = client_builder.build().unwrap(); let identity = bitwarden_api_identity::apis::configuration::Configuration { base_path: settings.identity_url, diff --git a/crates/bws/CHANGELOG.md b/crates/bws/CHANGELOG.md index 007639800..d5ba27061 100644 --- a/crates/bws/CHANGELOG.md +++ b/crates/bws/CHANGELOG.md @@ -7,6 +7,10 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +### Changed + +- Switched TLS backend to `rustls`, removing the dependency on `OpenSSL`. + ## [0.4.0] - 2023-12-21 ### Added diff --git a/crates/bws/Cargo.toml b/crates/bws/Cargo.toml index 821c6153c..980fe684e 100644 --- a/crates/bws/Cargo.toml +++ b/crates/bws/Cargo.toml @@ -44,6 +44,3 @@ bitwarden = { path = "../bitwarden", version = "0.4.0", features = ["secrets"] } [dev-dependencies] tempfile = "3.9.0" - -[target.'cfg(target_os = "linux")'.dependencies] -openssl = { version = "0.10", features = ["vendored"] } diff --git a/crates/bws/Cross.toml b/crates/bws/Cross.toml deleted file mode 100644 index 79b22e7f8..000000000 --- a/crates/bws/Cross.toml +++ /dev/null @@ -1,6 +0,0 @@ -# Install OpenSSL -[target.aarch64-unknown-linux-gnu] -pre-build = [ - "dpkg --add-architecture $CROSS_DEB_ARCH", - "apt-get update && apt-get install --assume-yes libssl-dev:$CROSS_DEB_ARCH", -] diff --git a/support/openapi-template/Cargo.mustache b/support/openapi-template/Cargo.mustache index 38885cb6f..3b89aa079 100644 --- a/support/openapi-template/Cargo.mustache +++ b/support/openapi-template/Cargo.mustache @@ -27,6 +27,7 @@ reqwest = "~0.9" [dependencies.reqwest] version = "^0.11" features = ["json", "multipart"] +default-features = false {{/supportAsync}} {{/reqwest}} {{#withAWSV4Signature}}