diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e1ef6150..fc4bb8e8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -35,6 +35,9 @@ jobs: - target: x86_64-pc-windows-gnu os: windows-latest archive: zip + - target: aarch64-pc-windows-msvc + os: windows-latest + archive: zip - target: i686-pc-windows-msvc os: windows-latest archive: zip diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0213b3e5..67f72f15 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -85,6 +85,9 @@ jobs: - target: x86_64-pc-windows-gnu os: windows-latest archive: zip + - target: aarch64-pc-windows-msvc + os: windows-latest + archive: zip - target: i686-pc-windows-msvc os: windows-latest archive: zip diff --git a/Cargo.lock b/Cargo.lock index f62be013..7b7b0fff 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -238,7 +238,7 @@ dependencies = [ "hyper-util", "pin-project-lite", "rustls 0.21.10", - "rustls-pemfile 2.0.0", + "rustls-pemfile", "tokio", "tokio-rustls 0.24.1", "tower", @@ -1013,9 +1013,9 @@ dependencies = [ [[package]] name = "h3" -version = "0.0.4" +version = "0.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1c8886b9e6e93e7ed93d9433f3779e8d07e3ff96bc67b977d14c7b20c849411" +checksum = "d5069de1c2ac82d9e361b07f2b8a2c582ec071750e063530fc7f3b5197e24805" dependencies = [ "bytes", "fastrand 2.0.1", @@ -1028,15 +1028,14 @@ dependencies = [ [[package]] name = "h3-quinn" -version = "0.0.5" +version = "0.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "73786bcc0e4c2692ba62c650f7b950ac236e5300c5de3b1d26330555e2322046" +checksum = "b8c01d99d7cf812fd34ddf135e6c940df9e24f2e759dbc7179fb0e54d4bd6551" dependencies = [ "bytes", "futures", "h3", "quinn", - "quinn-proto", "tokio", "tokio-util", ] 
@@ -1083,7 +1082,7 @@ checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" [[package]] name = "hickory-proto" version = "0.25.0-alpha.1" -source = "git+https://github.com/mokeyish/hickory-dns.git?rev=0.25.0-smartdns.2#12574058a1967f144a50f589a1ae3147f880c370" +source = "git+https://github.com/mokeyish/hickory-dns.git?rev=0.25.0-smartdns.4#6da89cd255cf5a779af86b35c3dc13d9b6a94e4f" dependencies = [ "async-recursion", "async-trait", @@ -1102,16 +1101,17 @@ dependencies = [ "idna", "ipnet", "once_cell", + "pin-project-lite", "quinn", "rand", - "ring 0.17.7", - "rustls 0.21.10", - "rustls-pemfile 1.0.4", + "ring", + "rustls 0.23.7", + "rustls-pemfile", "serde", "thiserror", "tinyvec", "tokio", - "tokio-rustls 0.24.1", + "tokio-rustls 0.26.0", "tracing", "url", ] @@ -1119,7 +1119,7 @@ dependencies = [ [[package]] name = "hickory-recursor" version = "0.25.0-alpha.1" -source = "git+https://github.com/mokeyish/hickory-dns.git?rev=0.25.0-smartdns.2#12574058a1967f144a50f589a1ae3147f880c370" +source = "git+https://github.com/mokeyish/hickory-dns.git?rev=0.25.0-smartdns.4#6da89cd255cf5a779af86b35c3dc13d9b6a94e4f" dependencies = [ "async-recursion", "async-trait", @@ -1140,7 +1140,7 @@ dependencies = [ [[package]] name = "hickory-resolver" version = "0.25.0-alpha.1" -source = "git+https://github.com/mokeyish/hickory-dns.git?rev=0.25.0-smartdns.2#12574058a1967f144a50f589a1ae3147f880c370" +source = "git+https://github.com/mokeyish/hickory-dns.git?rev=0.25.0-smartdns.4#6da89cd255cf5a779af86b35c3dc13d9b6a94e4f" dependencies = [ "cfg-if", "futures-util", 
@@ -1149,21 +1149,22 @@ dependencies = [ "lru-cache", "once_cell", "parking_lot", + "quinn", "rand", "resolv-conf", - "rustls 0.21.10", + "rustls 0.23.7", "serde", "smallvec", "thiserror", "tokio", - "tokio-rustls 0.24.1", + "tokio-rustls 0.26.0", "tracing", ] [[package]] name = "hickory-server" version = "0.25.0-alpha.1" -source = "git+https://github.com/mokeyish/hickory-dns.git?rev=0.25.0-smartdns.2#12574058a1967f144a50f589a1ae3147f880c370" +source = "git+https://github.com/mokeyish/hickory-dns.git?rev=0.25.0-smartdns.4#6da89cd255cf5a779af86b35c3dc13d9b6a94e4f" dependencies = [ "async-trait", "bytes", @@ -1177,12 +1178,12 @@ dependencies = [ "http", "ipnet", "prefix-trie", - "rustls 0.21.10", + "rustls 0.23.7", "serde", "thiserror", "time", "tokio", - "tokio-rustls 0.24.1", + "tokio-rustls 0.26.0", "tokio-util", "tracing", ] @@ -1902,9 +1903,9 @@ dependencies = [ [[package]] name = "quinn" -version = "0.10.2" +version = "0.11.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8cc2c5017e4b43d5995dcea317bc46c1e09404c0a9664d2908f7f02dfe943d75" +checksum = "e4ceeeeabace7857413798eb1ffa1e9c905a9946a57d81fb69b4b71c4d8eb3ad" dependencies = [ "bytes", "futures-io", @@ -1912,7 +1913,7 @@ dependencies = [ "quinn-proto", "quinn-udp", "rustc-hash", - "rustls 0.21.10", + "rustls 0.23.7", "thiserror", "tokio", "tracing", @@ -1920,15 +1921,15 @@ dependencies = [ [[package]] name = "quinn-proto" -version = "0.10.6" +version = "0.11.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "141bf7dfde2fbc246bfd3fe12f2455aa24b0fbd9af535d8c86c7bd1381ff2b1a" +checksum = "ddf517c03a109db8100448a4be38d498df8a210a99fe0e1b9eaf39e78c640efe" dependencies = [ "bytes", "rand", - "ring 0.16.20", + "ring", "rustc-hash", - "rustls 0.21.10", + "rustls 0.23.7", "slab", "thiserror", "tinyvec", 
@@ -1937,15 +1938,15 @@ dependencies = [ [[package]] name = "quinn-udp" -version = "0.4.1" +version = "0.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "055b4e778e8feb9f93c4e439f71dc2156ef13360b432b799e179a8c4cdf0b1d7" +checksum = "8bffec3605b73c6f1754535084a85229fa8a30f86014e6c81aeec4abb68b0285" dependencies = [ - "bytes", "libc", + "once_cell", "socket2", "tracing", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] @@ -2100,7 +2101,7 @@ dependencies = [ "percent-encoding", "pin-project-lite", "rustls 0.22.3", - "rustls-pemfile 2.0.0", + "rustls-pemfile", "rustls-pki-types", "serde", "serde_json", @@ -2113,7 +2114,7 @@ dependencies = [ "wasm-bindgen", "wasm-bindgen-futures", "web-sys", - "webpki-roots 0.26.1", + "webpki-roots", "winreg 0.52.0", ] @@ -2127,21 +2128,6 @@ dependencies = [ "quick-error", ] -[[package]] -name = "ring" -version = "0.16.20" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" -dependencies = [ - "cc", - "libc", - "once_cell", - "spin 0.5.2", - "untrusted 0.7.1", - "web-sys", - "winapi", -] - [[package]] name = "ring" version = "0.17.7" @@ -2151,8 +2137,8 @@ dependencies = [ "cc", "getrandom", "libc", - "spin 0.9.8", - "untrusted 0.9.0", + "spin", + "untrusted", "windows-sys 0.48.0", ] @@ -2242,7 +2228,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba" dependencies = [ "log", - "ring 0.17.7", + "ring", "rustls-webpki 0.101.7", "sct", ] @@ -2254,7 +2240,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "99008d7ad0bbbea527ec27bddbc0e432c5b87d8175178cee68d2eec9c4a1813c" dependencies = [ "log", - "ring 0.17.7", + "ring", "rustls-pki-types", "rustls-webpki 0.102.2", "subtle", 
@@ -2262,24 +2248,31 @@ dependencies = [ ] [[package]] -name = "rustls-native-certs" -version = "0.6.3" +name = "rustls" +version = "0.23.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" +checksum = "ebbbdb961df0ad3f2652da8f3fdc4b36122f568f968f45ad3316f26c025c677b" dependencies = [ - "openssl-probe", - "rustls-pemfile 1.0.4", - "schannel", - "security-framework", + "log", + "once_cell", + "ring", + "rustls-pki-types", + "rustls-webpki 0.102.2", + "subtle", + "zeroize", ] [[package]] -name = "rustls-pemfile" -version = "1.0.4" +name = "rustls-native-certs" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c" +checksum = "a88d6d420651b496bdd98684116959239430022a115c1240e6c3993be0b15fba" dependencies = [ - "base64 0.21.7", + "openssl-probe", + "rustls-pemfile", + "rustls-pki-types", + "schannel", + "security-framework", ] [[package]] @@ -2304,8 +2297,8 @@ version = "0.101.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" dependencies = [ - "ring 0.17.7", - "untrusted 0.9.0", + "ring", + "untrusted", ] [[package]] @@ -2314,9 +2307,9 @@ version = "0.102.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "faaa0a62740bedb9b2ef5afa303da42764c012f743917351dc9a237ea1663610" dependencies = [ - "ring 0.17.7", + "ring", "rustls-pki-types", - "untrusted 0.9.0", + "untrusted", ] [[package]] @@ -2361,8 +2354,8 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" dependencies = [ - "ring 0.17.7", - "untrusted 0.9.0", + "ring", + "untrusted", ] [[package]] 
@@ -2604,11 +2597,12 @@ dependencies = [ "nom", "num-traits", "once_cell", + "quinn", "rand", "reqwest", - "rustls 0.21.10", + "rustls 0.23.7", "rustls-native-certs", - "rustls-pemfile 1.0.4", + "rustls-pemfile", "same-file", "self-replace", "self_update", @@ -2621,13 +2615,13 @@ dependencies = [ "sysinfo", "thiserror", "tokio", - "tokio-rustls 0.24.1", + "tokio-rustls 0.26.0", "tokio-util", "tracing", "tracing-subscriber", "url", "users", - "webpki-roots 0.25.3", + "webpki-roots", "which 6.0.1", "windows 0.57.0", "windows-service", @@ -2643,12 +2637,6 @@ dependencies = [ "windows-sys 0.52.0", ] -[[package]] -name = "spin" -version = "0.5.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" - [[package]] name = "spin" version = "0.9.8" @@ -2898,6 +2886,17 @@ dependencies = [ "tokio", ] +[[package]] +name = "tokio-rustls" +version = "0.26.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4" +dependencies = [ + "rustls 0.23.7", + "rustls-pki-types", + "tokio", +] + [[package]] name = "tokio-util" version = "0.7.10" @@ -3064,12 +3063,6 @@ version = "0.2.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ab4c90930b95a82d00dc9e9ac071b4991924390d46cbd0dfe566148667605e4b" -[[package]] -name = "untrusted" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" - [[package]] name = "untrusted" version = "0.9.0" @@ -3224,12 +3217,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "webpki-roots" -version = "0.25.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10" - [[package]] name = "webpki-roots" version = "0.26.1" 
diff --git a/Cargo.toml b/Cargo.toml index aab8d957..d2968337 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -17,6 +17,9 @@ repository = "https://github.com/mokeyish/smartdns-rs" license = "GPL-v3.0" readme = "README.md" +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(nightly)'] } + [package.metadata.patch] # crates = ["hickory-server", "hickory-proto"] @@ -48,6 +51,8 @@ dns-over-https-rustls = [ "hickory-server/dns-over-https-rustls", ] +mdns = [] + service = [ "dep:which", "dep:self-replace", "dep:same-file" # windows self_delete @@ -104,7 +109,7 @@ serde_json = "1.0" # async/await futures = { version = "0.3.5", default-features = false, features = ["std"] } futures-intrusive = "0.5" -futures-util = { version = "0.3", default-features = false, features = ["std"] } +futures-util = { version = "0.3.5", default-features = false, features = ["std"] } async-trait = "0.1.80" tokio = { version = "1.28", features = [ "time", @@ -113,7 +118,7 @@ tokio = { version = "1.28", features = [ "macros", "parking_lot", ] } -tokio-rustls = "0.24.0" +tokio-rustls = { version = "0.26.0", default-features = false } tokio-util = "0.7.10" socket2 = { version = "0.5", features = ["all"] } reqwest = { version = "0.12", default-features = false, features = [ 
@@ -131,18 +136,19 @@ tracing-subscriber = { version = "0.3", features = [ # tracing-appender = "0.2" # hickory dns -hickory-proto = { git = "https://github.com/mokeyish/hickory-dns.git", rev = "0.25.0-smartdns.2", version = "0.25.0-alpha.1", features = ["serde-config"]} -hickory-resolver = { git = "https://github.com/mokeyish/hickory-dns.git", rev = "0.25.0-smartdns.2", version = "0.25.0-alpha.1", features = [ +hickory-proto = { git = "https://github.com/mokeyish/hickory-dns.git", rev = "0.25.0-smartdns.4", version = "0.25.0-alpha.1", features = ["serde-config"]} +hickory-resolver = { git = "https://github.com/mokeyish/hickory-dns.git", rev = "0.25.0-smartdns.4", version = "0.25.0-alpha.1", features = [ "serde-config", "system-config", ] } -hickory-server = { git = "https://github.com/mokeyish/hickory-dns.git", rev = "0.25.0-smartdns.2", version = "0.25.0-alpha.1", features = ["resolver"], optional = true } +hickory-server = { git = "https://github.com/mokeyish/hickory-dns.git", rev = "0.25.0-smartdns.4", version = "0.25.0-alpha.1", features = ["resolver"], optional = true } +quinn = { version = "0.11.2", default-features = false } # ssl -webpki-roots = "0.25.2" -rustls = { version = "0.21.1", features = ["dangerous_configuration"] } -rustls-pemfile = "1.0.2" -rustls-native-certs = "0.6.2" +webpki-roots = "0.26" +rustls = { version = "0.23", default-features = false, features = ["std", "tls12"] } +rustls-pemfile = "2" +rustls-native-certs = "0.7" lru = { version = "0.12", default-features = false } # time = "0.3" diff --git a/src/api/mod.rs b/src/api/mod.rs index d933ceb7..72ddf724 100644 --- a/src/api/mod.rs +++ b/src/api/mod.rs @@ -7,7 +7,6 @@ use axum::{ Json, Router, }; use axum_server::{tls_rustls::RustlsConfig, Handle}; -use rustls::{Certificate, PrivateKey}; use serde::{Deserialize, Serialize}; use tokio::net::TcpListener; use tokio_util::sync::CancellationToken; 
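Review bot: `rustls::crypto::ring::default_provider()` (called from src/rustls.rs in this same commit) requires rustls's `ring` feature, but the new `rustls = { version = "0.23", default-features = false, features = ["std", "tls12"] }` line does not enable it; it presumably compiles only because quinn-proto and hickory-proto unify `ring` in (Cargo.lock shows rustls 0.23.7 depending on ring), which is fragile, so declare it directly: `rustls = { version = "0.23", default-features = false, features = ["std", "tls12", "ring"] }`. The same hunk pins the three hickory-dns git dependencies with `rev = "0.25.0-smartdns.4"`, which is a tag name rather than a commit hash; the lockfile records the SHA (6da89cd2…), but a moved tag would silently change what a fresh resolution picks up, so a commit-hash `rev` is the safer supply-chain pin for a fork you do not control.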
@@ -22,6 +21,7 @@ mod nameserver; mod serve_dns; mod settings; +use crate::rustls::{Certificate, PrivateKey}; use crate::{app::App, server::DnsHandle}; type StatefulRouter = Router>; @@ -49,8 +49,11 @@ pub async fn serve( .with_state(state.clone()) .into_make_service_with_connect_info::(); - let certificate = certificate.into_iter().map(|c| c.0).collect::>(); - let certificate_key = certificate_key.0; + let certificate = certificate + .into_iter() + .map(|c| c.as_ref().to_vec()) + .collect::>(); + let certificate_key = certificate_key.secret_der().to_vec(); let tcp_listener = tcp_listener.into_std()?; let rustls_config = RustlsConfig::from_der(certificate, certificate_key).await?; diff --git a/src/collections.rs b/src/collections.rs index 99f0d37d..f0071929 100644 --- a/src/collections.rs +++ b/src/collections.rs @@ -147,6 +147,14 @@ impl DomainSet { } } +impl FromIterator for DomainSet { + fn from_iter>(iter: T) -> Self { + DomainSet(DomainMap(HashMap::from_iter( + iter.into_iter().map(|item| (item, ())), + ))) + } +} + #[cfg(feature = "experimental-trie")] mod trie { use crate::third_ext::AsSlice; diff --git a/src/dns_client.rs b/src/dns_client.rs index 42c43bc9..6e7752b9 100644 --- a/src/dns_client.rs +++ b/src/dns_client.rs @@ -970,7 +970,7 @@ impl From for LookupOptions { } /// > An EDNS buffer size of 1232 bytes will avoid fragmentation on nearly all current networks. -/// https://dnsflagday.net/2020/ +/// > https://dnsflagday.net/2020/ const MAX_PAYLOAD_LEN: u16 = 1232; fn build_message( @@ -1023,7 +1023,10 @@ mod connection_provider { use crate::libdns::proto; use crate::libdns::proto::{iocompat::AsyncIoTokioAsStd, TokioTime}; - use crate::libdns::resolver::{name_server::RuntimeProvider, TokioHandle}; + use crate::libdns::resolver::{ + name_server::{QuicSocketBinder, RuntimeProvider}, + TokioHandle, + }; /// The Tokio Runtime for async execution #[derive(Clone)] 
@@ -1128,6 +1131,27 @@ mod connection_provider { .map(setup_socket) }) } + + #[cfg(any(feature = "dns-over-quic", feature = "dns-over-h3"))] + fn quic_binder(&self) -> Option<&dyn QuicSocketBinder> { + Some(&TokioQuicSocketBinder) + } + } + + #[cfg(any(feature = "dns-over-quic", feature = "dns-over-h3"))] + struct TokioQuicSocketBinder; + + #[cfg(any(feature = "dns-over-quic", feature = "dns-over-h3"))] + impl QuicSocketBinder for TokioQuicSocketBinder { + fn bind_quic( + &self, + local_addr: SocketAddr, + _server_addr: SocketAddr, + ) -> Result, io::Error> { + use quinn::Runtime; + let socket = std::net::UdpSocket::bind(local_addr)?; + quinn::TokioRuntime.wrap_udp_socket(socket) + } } #[async_trait] @@ -1212,17 +1236,6 @@ mod connection_provider { } } } - - #[cfg(any(feature = "dns-over-quic", feature = "dns-over-h3"))] - impl proto::udp::QuicLocalAddr for UdpSocket { - fn local_addr(&self) -> std::io::Result { - use UdpSocket::*; - match self { - Tokio(s) => s.local_addr(), - Proxy(s) => s.get_ref().local_addr(), - } - } - } } mod bootstrap { diff --git a/src/dns_conf.rs b/src/dns_conf.rs index 3e56bda5..e99206d2 100644 --- a/src/dns_conf.rs +++ b/src/dns_conf.rs 
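Review bot: `bind_quic` creates a bare `std::net::UdpSocket::bind(local_addr)?` and hands it straight to quinn, bypassing the `setup_socket` step the provider applies to its other UDP sockets (visible just above in `.map(setup_socket)`) and ignoring `_server_addr`; if `setup_socket` sets bind-to-device, marks or similar options that steer upstream traffic, DoQ/DoH3 sockets will not get them. The removed hunk below also drops the `UdpSocket::Proxy` arm from the QUIC path, so as far as this diff shows a proxy configured for a QUIC upstream would no longer apply and queries would leave directly — worth confirming against the proxy configuration code. If `setup_socket` (or a std-socket equivalent) can be applied here, use `let socket = setup_socket(std::net::UdpSocket::bind(local_addr)?);`, and otherwise add a comment stating that QUIC sockets intentionally skip per-socket setup and proxying.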
@@ -1464,19 +1464,29 @@ mod tests { } #[test] - #[cfg(failed_tests)] fn test_domain_set() { + use crate::collections::DomainSet; + let cfg = RuntimeConfig::load_from_file("tests/test_data/b_main.conf"); - assert!(!cfg.domain_sets.is_empty()); + assert!(!cfg.domain_set_providers.is_empty()); + + let domain_set_providers = cfg + .domain_set_providers + .get("block") + .map(|s| s.as_slice()) + .unwrap_or_default(); - let domain_set = cfg.domain_sets.values().nth(0).unwrap(); + let domain_set = domain_set_providers + .iter() + .flat_map(|p| p.get_domain_set().unwrap_or_default()) + .collect::(); - assert!(domain_set.len() > 0); + assert!(!domain_set.is_empty()); - assert!(domain_set.contains(&domain::Name::from_str("ads1.com").unwrap().into())); - assert!(!domain_set.contains(&domain::Name::from_str("ads2c.cn").unwrap().into())); - assert!(domain_set.is_match(&domain::Name::from_str("ads3.net").unwrap().into())); - assert!(domain_set.is_match(&domain::Name::from_str("q.ads3.net").unwrap().into())); + assert!(domain_set.contains(&"ads1.com".parse().unwrap())); + assert!(!domain_set.contains(&"ads2c.cn".parse().unwrap())); + // assert!(domain_set.is_match(&Name::from_str("ads3.net").unwrap().into())); + // assert!(domain_set.is_match(&Name::from_str("q.ads3.net").unwrap().into())); } } diff --git a/src/dns_error.rs b/src/dns_error.rs index b3610a7e..f2e24020 100644 --- a/src/dns_error.rs +++ b/src/dns_error.rs @@ -25,12 +25,6 @@ pub enum LookupError { /// Resolve Error #[error("Forward resolution error: {0}")] ResolveError(#[from] ResolveError), - - /// Recursive Resolver Error - #[cfg(feature = "hickory-recursor")] - #[cfg_attr(docsrs, doc(cfg(feature = "recursor")))] - #[error("Recursive resolution error: {0}")] - RecursiveError(#[from] create::libdns::recursor::Error), /// An underlying IO error occurred #[error("io error: {0}")] Io(Arc), 
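Review bot: The two `is_match` assertions in `test_domain_set` are commented out rather than ported, so the re-enabled test no longer checks that `ads3.net` and the subdomain `q.ads3.net` match the block set — only exact `contains` lookups are covered. Either port them to the new API, e.g. `assert!(domain_set.is_match(&"q.ads3.net".parse().unwrap()));` if `DomainSet` still exposes `is_match`, or replace the commented lines with a `// TODO:` stating why suffix matching is not asserted here, so the gap is visible rather than looking like leftover scaffolding.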
@@ -42,10 +36,6 @@ impl PartialEq for LookupError { (Self::ResponseCode(l0), Self::ResponseCode(r0)) => l0 == r0, (Self::Proto(l0), Self::Proto(r0)) => l0.to_string() == r0.to_string(), (Self::ResolveError(l0), Self::ResolveError(r0)) => l0.to_string() == r0.to_string(), - #[cfg(feature = "hickory-recursor")] - (Self::RecursiveError(l0), Self::RecursiveError(r0)) => { - l0.to_string() == r0.to_string() - } (Self::Io(l0), Self::Io(r0)) => l0.to_string() == r0.to_string(), _ => core::mem::discriminant(self) == core::mem::discriminant(other), } diff --git a/src/infra/ping.rs b/src/infra/ping.rs index 03489609..4dd81eeb 100644 --- a/src/infra/ping.rs +++ b/src/infra/ping.rs @@ -670,7 +670,6 @@ mod https { time::{Duration, Instant}, }; - use rustls::ServerName; use tokio::net::TcpStream; use tokio_rustls::TlsConnector; @@ -678,22 +677,6 @@ mod https { use super::{do_agg, PingAddr, PingError, PingOptions, PingOutput}; - struct NoCertificateVerification; - - impl rustls::client::ServerCertVerifier for NoCertificateVerification { - fn verify_server_cert( - &self, - _end_entity: &rustls::Certificate, - _intermediates: &[rustls::Certificate], - _server_name: &rustls::ServerName, - _scts: &mut dyn Iterator, - _ocsp: &[u8], - _now: std::time::SystemTime, - ) -> Result { - Ok(rustls::client::ServerCertVerified::assertion()) - } - } - #[inline] pub async fn ping(sock_addr: SocketAddr, opts: PingOptions) -> Result { let PingOptions { 
@@ -742,17 +725,20 @@ mod https { } async fn ping_https(addr: SocketAddr) -> Result { + use rustls::pki_types::ServerName; let now = Instant::now(); let config = Arc::new({ let mut config = rustls::ClientConfig::builder() - .with_safe_defaults() - .with_custom_certificate_verifier(Arc::new(NoCertificateVerification)) + .dangerous() + .with_custom_certificate_verifier(Arc::new( + crate::rustls::NoCertificateVerification, + )) .with_no_client_auth(); config.enable_sni = false; config }); - let server_name = ServerName::IpAddress(addr.ip()); + let server_name = ServerName::IpAddress(addr.ip().into()); let connector = TlsConnector::from(config); diff --git a/src/rustls.rs b/src/rustls.rs index f7abed81..3fff3208 100644 --- a/src/rustls.rs +++ b/src/rustls.rs @@ -5,8 +5,11 @@ use std::{ sync::Arc, }; +use rustls::pki_types::{CertificateDer, PrivateKeyDer}; +pub type Certificate = CertificateDer<'static>; +pub type PrivateKey = PrivateKeyDer<'static>; + use rustls::ClientConfig; -use rustls_native_certs::Certificate; use crate::{ config::SslConfig, @@ -43,22 +46,6 @@ impl TlsClientConfigBundle { .dangerous() .set_certificate_verifier(Arc::new(NoCertificateVerification)); - struct NoCertificateVerification; - - impl rustls::client::ServerCertVerifier for NoCertificateVerification { - fn verify_server_cert( - &self, - _end_entity: &rustls::Certificate, - _intermediates: &[rustls::Certificate], - _server_name: &rustls::ServerName, - _scts: &mut dyn Iterator, - _ocsp: &[u8], - _now: std::time::SystemTime, - ) -> Result { - Ok(rustls::client::ServerCertVerified::assertion()) - } - } - verify_off }; 
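Review bot: `rustls::ClientConfig::builder()` on the new side relies on the process-default `CryptoProvider`, which in rustls 0.23 panics at runtime unless a default has been installed or exactly one provider feature (`ring`/`aws-lc-rs`) is enabled across the whole dependency graph; src/rustls.rs in this same commit avoids that by calling `ClientConfig::builder_with_provider(Arc::new(rustls::crypto::ring::default_provider()))`, so `ping_https` should match: `rustls::ClientConfig::builder_with_provider(Arc::new(rustls::crypto::ring::default_provider())).with_safe_default_protocol_versions().unwrap().dangerous()`. Alternatively install the provider once at startup with `rustls::crypto::ring::default_provider().install_default()` and keep `builder()` everywhere. Skipping verification is reasonable for a latency probe, but `config.enable_sni = false` plus `NoCertificateVerification` means any responder is accepted, which a one-line comment above the config should say. `ping_https` continues past the end of the hunk.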
@@ -70,16 +57,11 @@ impl TlsClientConfigBundle { } fn create_tls_client_config(paths: &[PathBuf]) -> ClientConfig { - use rustls::{OwnedTrustAnchor, RootCertStore}; + use rustls::RootCertStore; - let mut root_store = RootCertStore::empty(); - root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| { - OwnedTrustAnchor::from_subject_spki_name_constraints( - ta.subject, - ta.spki, - ta.name_constraints, - ) - })); + let mut root_store = RootCertStore { + roots: webpki_roots::TLS_SERVER_ROOTS.into(), + }; let certs = { let certs1 = rustls_native_certs::load_native_certs().unwrap_or_else(|err| { @@ -102,16 +84,12 @@ impl TlsClientConfigBundle { }; for cert in certs { - root_store - .add(&rustls::Certificate(cert.0)) - .unwrap_or_else(|err| { - warn!("load certs from path failed.{}", err); - }) + root_store.add(cert).unwrap_or_else(|err| { + warn!("load certs from path failed.{}", err); + }) } - ClientConfig::builder() - .with_safe_default_cipher_suites() - .with_safe_default_kx_groups() + ClientConfig::builder_with_provider(Arc::new(rustls::crypto::ring::default_provider())) .with_safe_default_protocol_versions() .unwrap() .with_root_certificates(root_store) 
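Review bot: `create_tls_client_config` has no doc comment and the new body makes the trust policy easy to miss: it unions the bundled webpki roots, whatever `rustls_native_certs::load_native_certs()` returns, and every certificate loaded from `paths`, with `root_store.add(cert)` failures only logged via `warn!`. Suggest a header such as `/// Builds a rustls client config trusting the bundled webpki roots, the platform store and every cert found under `paths`; load/add failures are logged and skipped, so a bad path degrades trust silently rather than failing.` The function's body runs past the hunk, so the remaining builder steps are not visible here.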
@@ -119,6 +97,59 @@ impl TlsClientConfigBundle { } } +#[derive(Debug)] +pub(super) struct NoCertificateVerification; + +impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification { + fn verify_server_cert( + &self, + _end_entity: &rustls::pki_types::CertificateDer<'_>, + _intermediates: &[rustls::pki_types::CertificateDer<'_>], + _server_name: &rustls::pki_types::ServerName<'_>, + _ocsp_response: &[u8], + _now: rustls::pki_types::UnixTime, + ) -> Result { + Ok(rustls::client::danger::ServerCertVerified::assertion()) + } + + fn verify_tls12_signature( + &self, + _message: &[u8], + _cert: &rustls::pki_types::CertificateDer<'_>, + _dss: &rustls::DigitallySignedStruct, + ) -> Result { + Ok(rustls::client::danger::HandshakeSignatureValid::assertion()) + } + + fn verify_tls13_signature( + &self, + _message: &[u8], + _cert: &rustls::pki_types::CertificateDer<'_>, + _dss: &rustls::DigitallySignedStruct, + ) -> Result { + Ok(rustls::client::danger::HandshakeSignatureValid::assertion()) + } + + fn supported_verify_schemes(&self) -> Vec { + use rustls::SignatureScheme::*; + vec![ + RSA_PKCS1_SHA1, + ECDSA_SHA1_Legacy, + RSA_PKCS1_SHA256, + ECDSA_NISTP256_SHA256, + RSA_PKCS1_SHA384, + ECDSA_NISTP384_SHA384, + RSA_PKCS1_SHA512, + ECDSA_NISTP521_SHA512, + RSA_PSS_SHA256, + RSA_PSS_SHA384, + RSA_PSS_SHA512, + ED25519, + ED448, + ] + } +} + /// Load certificates from specific directory or file. pub fn load_certs_from_path(path: &Path) -> Result, io::Error> { if path.is_dir() { 
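Review bot: `NoCertificateVerification` is now a shared `pub(super)` verifier and it disables more than the chain check — `verify_tls12_signature` and `verify_tls13_signature` also return `HandshakeSignatureValid::assertion()` without examining the signature, so any peer, including an active man-in-the-middle, is accepted, yet the type carries no doc comment saying so. Suggest `/// Verifier that accepts ANY server certificate and ANY handshake signature (no chain, hostname or signature validation). Only for the latency probe and the explicit verify-off config; never the default path.` `supported_verify_schemes` also hand-lists the schemes, including `RSA_PKCS1_SHA1` and `ECDSA_SHA1_Legacy`; since the ring provider is already in use, returning `rustls::crypto::ring::default_provider().signature_verification_algorithms.supported_schemes()` is shorter and stays in sync with the provider.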
@@ -136,14 +167,13 @@ pub fn load_certs_from_path(path: &Path) -> Result, io::Error> } fn load_pem_certs(path: &Path) -> Result, io::Error> { - let f = File::open(path)?; - let mut f = BufReader::new(f); + let mut file = BufReader::new(File::open(path)?); - match rustls_pemfile::certs(&mut f) { - Ok(contents) => Ok(contents.into_iter().map(Certificate).collect()), - Err(_) => Err(io::Error::new( + match rustls_pemfile::certs(&mut file).collect() { + Ok(certs) => Ok(certs), + Err(err) => Err(io::Error::new( io::ErrorKind::InvalidData, - format!("Could not load PEM file {:?}", path), + format!("Could not load PEM file {} {:?}", err, path), )), } } @@ -153,7 +183,7 @@ pub fn load_certificate_and_key( cert_file: Option<&Path>, key_file: Option<&Path>, typ: &'static str, -) -> Result<(Vec, rustls::PrivateKey), Error> { +) -> Result<(Vec, PrivateKey), Error> { use crate::libdns::proto::rustls::tls_server::{read_cert, read_key}; let certificate_path = ssl_config diff --git a/src/server/mod.rs b/src/server/mod.rs index 5823e7ab..6aa26d94 100644 --- a/src/server/mod.rs +++ b/src/server/mod.rs @@ -81,7 +81,7 @@ pub async fn serve( tls_listener, dns_handle, Duration::from_secs(idle_time), - (certificate.clone(), certificate_key.clone()), + (certificate.clone(), certificate_key.clone_key()), )? } #[cfg(feature = "dns-over-https")] diff --git a/src/server/quic.rs b/src/server/quic.rs index 14c09c2a..34e3dfbe 100644 --- a/src/server/quic.rs +++ b/src/server/quic.rs @@ -1,6 +1,6 @@ use std::{io, time::Duration}; -use rustls::{Certificate, PrivateKey}; +use crate::rustls::{Certificate, PrivateKey}; use tokio::{net, task::JoinSet}; use tokio_util::sync::CancellationToken; diff --git a/src/server/tls.rs b/src/server/tls.rs index 8264c1c4..b93e32cd 100644 --- a/src/server/tls.rs +++ b/src/server/tls.rs 
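Review bot: The new error message interpolates `err` before the path, `format!("Could not load PEM file {} {:?}", err, path)`, which renders as "Could not load PEM file <error> "/etc/x.pem""; `format!("Could not load PEM file {:?}: {}", path, err)` keeps the path next to the noun it describes. A file that parses but contains zero certificates still yields `Ok(vec![])`, as before, which the caller presumably treats as nothing to add — a one-line comment would make that explicit. `load_certificate_and_key` in the next hunk is cut off after its signature.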
@@ -1,7 +1,6 @@ use std::{io, sync::Arc, time::Duration}; use futures_util::StreamExt as _; -use rustls::{Certificate, PrivateKey}; use tokio::{net, task::JoinSet}; use tokio_util::sync::CancellationToken; @@ -14,6 +13,7 @@ use crate::{ Protocol, }, log, + rustls::{Certificate, PrivateKey}, third_ext::FutureTimeoutExt, };