Revert "Update rustls to 0.23. Support 'CryptoProvider's."

This reverts commit ce92c5d.

Author: SergioBenitez

core/lib/Cargo.toml

@@ -50,8 +50,8 @@ rmp-serde = { version = "1", optional = true }
 uuid_ = { package = "uuid", version = "1", optional = true, features = ["serde"] }
 
 # Optional TLS dependencies
-rustls = { version = "0.23", default-features = false, features = ["ring", "logging", "std", "tls12"], optional = true }
-tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"], optional = true }
+rustls = { version = "0.22", optional = true }
+tokio-rustls = { version = "0.25", optional = true }
 rustls-pemfile = { version = "2.0.0", optional = true }
 
 # Optional MTLS dependencies

core/lib/src/listener/tls.rs

@@ -7,7 +7,7 @@ use tokio::io::{AsyncRead, AsyncWrite};
 use tokio_rustls::TlsAcceptor;
 
 use crate::tls::{TlsConfig, Error};
-use crate::tls::util::{self, load_cert_chain, load_key, load_ca_certs};
+use crate::tls::util::{load_cert_chain, load_key, load_ca_certs};
 use crate::listener::{Listener, Bindable, Connection, Certificates, Endpoint};
 
 #[doc(inline)]
@@ -31,7 +31,7 @@ impl TlsConfig {
     pub(crate) fn server_config(&self) -> Result<ServerConfig, Error> {
         let provider = rustls::crypto::CryptoProvider {
             cipher_suites: self.ciphers().map(|c| c.into()).collect(),
-            ..util::get_crypto_provider()
+            ..rustls::crypto::ring::default_provider()
         };
 
         #[cfg(feature = "mtls")]

core/lib/src/tls/util.rs

@@ -1,7 +1,6 @@
 use std::io;
 
 use rustls::RootCertStore;
-use rustls::crypto::CryptoProvider;
 use rustls::pki_types::{CertificateDer, PrivateKeyDer};
 
 use crate::tls::error::{Result, Error, KeyError};
@@ -34,8 +33,7 @@ pub fn load_key(reader: &mut dyn io::BufRead) -> Result<PrivateKeyDer<'static>>
 
     // Ensure we can use the key.
     let key = keys.remove(0);
-    get_crypto_provider().key_provider.load_private_key(key.clone_key())
-        .map_err(KeyError::Unsupported)?;
+    rustls::crypto::ring::sign::any_supported_type(&key).map_err(KeyError::Unsupported)?;
     Ok(key)
 }
 
@@ -49,19 +47,6 @@ pub fn load_ca_certs(reader: &mut dyn io::BufRead) -> Result<RootCertStore> {
     Ok(roots)
 }
 
-pub(crate) fn get_crypto_provider() -> CryptoProvider {
-    if let Some(crypto_provider) = rustls::crypto::CryptoProvider::get_default() {
-        CryptoProvider::clone(crypto_provider)
-    } else {
-        let crypto_provider = rustls::crypto::ring::default_provider();
-        // Should only fail due to other concurrent install, so we ignore it
-        let _ = crypto_provider.clone().install_default();
-
-        crypto_provider
-    }
-
-}
-
 #[cfg(test)]
 mod test {
     use super::*;

examples/tls/Cargo.toml

@@ -7,5 +7,4 @@ publish = false
 
 [dependencies]
 rocket = { path = "../../core/lib", features = ["tls", "mtls", "secrets", "http3-preview"] }
-rustls = { version = "0.23", features = ["aws_lc_rs"] }
 yansi = "1.0.1"

examples/tls/Rocket.toml

@@ -25,10 +25,6 @@ key = "private/ecdsa_nistp256_sha256_key_pkcs8.pem"
 certs = "private/ecdsa_nistp384_sha384_cert.pem"
 key = "private/ecdsa_nistp384_sha384_key_pkcs8.pem"
 
-[ecdsa_nistp521_sha512_pkcs8.tls]
-certs = "private/ecdsa_nistp521_sha512_cert.pem"
-key = "private/ecdsa_nistp521_sha512_key_pkcs8.pem"
-
 [ecdsa_nistp256_sha256_sec1.tls]
 certs = "private/ecdsa_nistp256_sha256_cert.pem"
 key = "private/ecdsa_nistp256_sha256_key_sec1.pem"

examples/tls/private/ecdsa_nistp521_sha512.p12

@@ -113,39 +113,15 @@ function gen_ecdsa_nistp384_sha384() {
   rm ca_cert.srl server.csr ecdsa_nistp384_sha384_key.pem
 }
 
-function gen_ecdsa_nistp521_sha512() {
-  gen_ca_if_non_existent
-
-  openssl ecparam -out ecdsa_nistp521_sha512_key.pem -name secp521r1 -genkey
-
-  # Convert to pkcs8 format supported by rustls
-  openssl pkcs8 -topk8 -nocrypt -in ecdsa_nistp521_sha512_key.pem \
-    -out ecdsa_nistp521_sha512_key_pkcs8.pem
-
-  openssl req -new -nodes -sha512 -key ecdsa_nistp521_sha512_key_pkcs8.pem \
-    -subj "${SUBJECT}" -out server.csr
-
-  openssl x509 -req -sha512 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
-    -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
-    -in server.csr -out ecdsa_nistp521_sha512_cert.pem
-
-  openssl pkcs12 -export -password pass:rocket -in ecdsa_nistp521_sha512_cert.pem \
-    -inkey ecdsa_nistp521_sha512_key_pkcs8.pem -out ecdsa_nistp521_sha512.p12
-
-  rm ca_cert.srl server.csr ecdsa_nistp521_sha512_key.pem
-}
-
 case $1 in
   ed25519) gen_ed25519 ;;
   rsa_sha256) gen_rsa_sha256 ;;
   ecdsa_nistp256_sha256) gen_ecdsa_nistp256_sha256 ;;
   ecdsa_nistp384_sha384) gen_ecdsa_nistp384_sha384 ;;
-  ecdsa_nistp521_sha512) gen_ecdsa_nistp521_sha512 ;;
   *)
     gen_ed25519
     gen_rsa_sha256
     gen_ecdsa_nistp256_sha256
     gen_ecdsa_nistp384_sha384
-    gen_ecdsa_nistp521_sha512
     ;;
 esac

examples/tls/private/ecdsa_nistp521_sha512_cert.pem

@@ -69,9 +69,8 @@ fn insecure_cookies() {
 fn hello_world() {
     use rocket::listener::DefaultListener;
     use rocket::config::{Config, SecretKey};
-    use rustls::crypto::aws_lc_rs;
 
-    let mut profiles = vec![
+    let profiles = [
         "rsa_sha256",
         "ecdsa_nistp256_sha256_pkcs8",
         "ecdsa_nistp384_sha384_pkcs8",
@@ -80,29 +79,20 @@ fn hello_world() {
         "ed25519",
     ];
 
-    for use_aws_lc in [false, true] {
-        if use_aws_lc {
-            let crypto_provider = aws_lc_rs::default_provider();
-            crypto_provider.install_default().unwrap();
-
-            profiles.push("ecdsa_nistp521_sha512_pkcs8");
-        }
-
-        for profile in &profiles {
-            let config = Config {
-                secret_key: SecretKey::generate().unwrap(),
-                ..Config::debug_default()
-            };
-
-            let figment = Config::figment().merge(config).select(profile);
-            let client = Client::tracked_secure(super::rocket().configure(figment)).unwrap();
-            let response = client.get("/").dispatch();
-            assert_eq!(response.into_string().unwrap(), "Hello, world!");
-
-            let figment = client.rocket().figment();
-            let listener: DefaultListener = figment.extract().unwrap();
-            assert_eq!(figment.profile(), profile);
-            listener.tls.as_ref().unwrap().validate().expect("valid TLS config");
-        }
+    for profile in profiles {
+        let config = Config {
+            secret_key: SecretKey::generate().unwrap(),
+            ..Config::debug_default()
+        };
+
+        let figment = Config::figment().merge(config).select(profile);
+        let client = Client::tracked_secure(super::rocket().configure(figment)).unwrap();
+        let response = client.get("/").dispatch();
+        assert_eq!(response.into_string().unwrap(), "Hello, world!");
+
+        let figment = client.rocket().figment();
+        let listener: DefaultListener = figment.extract().unwrap();
+        assert_eq!(figment.profile(), profile);
+        listener.tls.as_ref().unwrap().validate().expect("valid TLS config");
     }
 }