net/quinn: Specify crypto provider explicitly

rustls allows the choice of ring or aws-lc-rs as the cryptographic library implementation. This is enabled/selected via Cargo feature flags. We have plugins directly or indirectly depending on rustls like quinn, aws and spotify. In the presence of multiple plugins, selecting different implementations as the default, rustls can panic. The safest way to avoid this is by using builder_with_provider and selecting a provider explicitly. See below issues for further discussion and clarifications. https://github.com/rustls/rustls/issues/1877 https://github.com/seanmonstar/reqwest/pull/2225 While at it, also specify features explicitly for quinn and rustls. Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-rs/-/merge_requests/1878>
2024-11-22 03:21:00 +00:00 · 2024-10-23 17:40:31 +05:30 · 2024-10-23 17:40:31 +05:30 · af54b2396b
commit af54b2396b
parent dc1d63419e
4 changed files with 35 additions and 94 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1049,12 +1049,6 @@ dependencies = [
 "thiserror",
 ]

-[[package]]
-name = "cesu8"
-version = "1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c"
-
 [[package]]
 name = "cexpr"
 version = "0.6.0"
@ -1214,16 +1208,6 @@ version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d3fd119d74b830634cea2a0f58bbd0d54540518a14397557951e79340abc28c0"

-[[package]]
-name = "combine"
-version = "4.6.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd"
-dependencies = [
- "bytes",
- "memchr",
-]
-
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@ -4357,26 +4341,6 @@ version = "1.0.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b"

-[[package]]
-name = "jni"
-version = "0.19.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c6df18c2e3db7e453d3c6ac5b3e9d5182664d28788126d39b91f2d1e22b017ec"
-dependencies = [
- "cesu8",
- "combine",
- "jni-sys",
- "log",
- "thiserror",
- "walkdir",
-]
-
-[[package]]
-name = "jni-sys"
-version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130"
-
 [[package]]
 name = "jobserver"
 version = "0.1.32"
@ -5775,7 +5739,6 @@ dependencies = [
 "ring",
 "rustc-hash 2.0.0",
 "rustls 0.23.15",
- "rustls-platform-verifier",
 "slab",
 "thiserror",
 "tinyvec",
@ -6033,7 +5996,7 @@ dependencies = [
 "wasm-bindgen",
 "wasm-bindgen-futures",
 "web-sys",
- "webpki-roots 0.25.4",
+ "webpki-roots",
 "winreg",
 ]

@ -6350,33 +6313,6 @@ version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "16f1201b3c9a7ee8039bcadc17b7e605e2945b27eee7631788c1bd2b0643674b"

-[[package]]
-name = "rustls-platform-verifier"
-version = "0.3.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "afbb878bdfdf63a336a5e63561b1835e7a8c91524f51621db870169eac84b490"
-dependencies = [
- "core-foundation",
- "core-foundation-sys",
- "jni",
- "log",
- "once_cell",
- "rustls 0.23.15",
- "rustls-native-certs 0.7.3",
- "rustls-platform-verifier-android",
- "rustls-webpki 0.102.8",
- "security-framework",
- "security-framework-sys",
- "webpki-roots 0.26.6",
- "winapi",
-]
-
-[[package]]
-name = "rustls-platform-verifier-android"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f"
-
 [[package]]
 name = "rustls-webpki"
 version = "0.101.7"
@ -6500,7 +6436,6 @@ dependencies = [
 "core-foundation",
 "core-foundation-sys",
 "libc",
- "num-bigint",
 "security-framework-sys",
 ]

@ -7913,15 +7848,6 @@ version = "0.25.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1"

-[[package]]
-name = "webpki-roots"
-version = "0.26.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "841c67bff177718f1d4dfefde8d8f0e78f9b6589319ba88312f567fc5841a958"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "weezl"
 version = "0.1.8"
--- a/net/quinn/Cargo.toml
+++ b/net/quinn/Cargo.toml
@ -15,9 +15,9 @@ gst.workspace = true
 gst-base.workspace = true
 tokio = { version = "1.36.0", default-features = false, features = ["time", "rt-multi-thread"] }
 futures = "0.3.30"
-quinn = { version = "0.11.2", default-features = true, features = ["ring"]}
-quinn-proto = "0.11.2"
-rustls = { version = "0.23", default-features = false, features = ["ring", "std"]}
+quinn = { version = "0.11.5", default-features = false, features = ["ring", "rustls", "runtime-tokio"] }
+quinn-proto ={ version = "0.11.8", default-features = false, features = ["rustls"] }
+rustls = { version = "0.23", default-features = false, features = ["std"] }
 rustls-pemfile = "2"
 rustls-pki-types = "1"
 rcgen = "0.13"
--- a/net/quinn/src/utils.rs
+++ b/net/quinn/src/utils.rs
@ -12,9 +12,8 @@ use futures::future;
 use futures::prelude::*;
 use gst::ErrorMessage;
 use quinn::{
-    crypto::rustls::QuicClientConfig, crypto::rustls::QuicServerConfig, default_runtime,
-    ClientConfig, Connection, Endpoint, EndpointConfig, MtuDiscoveryConfig, ServerConfig,
-    TransportConfig,
+    crypto::rustls::QuicClientConfig, crypto::rustls::QuicServerConfig, ClientConfig, Connection,
+    Endpoint, EndpointConfig, MtuDiscoveryConfig, ServerConfig, TokioRuntime, TransportConfig,
 };
 use quinn_proto::{ConnectionStats, FrameStats, PathStats, UdpStats};
 use std::error::Error;
@ -209,6 +208,8 @@ impl rustls::client::danger::ServerCertVerifier for SkipServerVerification {
 }

 fn configure_client(ep_config: &QuinnQuicEndpointConfig) -> Result<ClientConfig, Box<dyn Error>> {
+    let ring_provider = rustls::crypto::ring::default_provider();
+
    let mut crypto = if ep_config.secure_conn {
        let (certs, key) = read_certs_from_file(
            ep_config.certificate_file.clone(),
@ -217,11 +218,15 @@ fn configure_client(ep_config: &QuinnQuicEndpointConfig) -> Result<ClientConfig,
        let mut cert_store = rustls::RootCertStore::empty();
        cert_store.add_parsable_certificates(certs.clone());

-        rustls::ClientConfig::builder()
+        rustls::ClientConfig::builder_with_provider(ring_provider.into())
+            .with_protocol_versions(&[&rustls::version::TLS13])
+            .unwrap()
            .with_root_certificates(Arc::new(cert_store))
            .with_client_auth_cert(certs, key)?
    } else {
-        rustls::ClientConfig::builder()
+        rustls::ClientConfig::builder_with_provider(ring_provider.into())
+            .with_protocol_versions(&[&rustls::version::TLS13])
+            .unwrap()
            .dangerous()
            .with_custom_certificate_verifier(SkipServerVerification::new())
            .with_no_client_auth()
@ -340,18 +345,28 @@ fn configure_server(
        (cert_chain, priv_key)
    };

+    let ring_provider = rustls::crypto::ring::default_provider();
+
    let mut crypto = if ep_config.secure_conn {
        let mut cert_store = rustls::RootCertStore::empty();
        cert_store.add_parsable_certificates(certs.clone());

-        let auth_client = rustls::server::WebPkiClientVerifier::builder(Arc::new(cert_store))
-            .build()
-            .unwrap();
-        rustls::ServerConfig::builder()
+        let auth_client = rustls::server::WebPkiClientVerifier::builder_with_provider(
+            Arc::new(cert_store),
+            ring_provider.clone().into(),
+        )
+        .build()
+        .unwrap();
+
+        rustls::ServerConfig::builder_with_provider(ring_provider.into())
+            .with_protocol_versions(&[&rustls::version::TLS13])
+            .unwrap()
            .with_client_cert_verifier(auth_client)
            .with_single_cert(certs.clone(), key)
    } else {
-        rustls::ServerConfig::builder()
+        rustls::ServerConfig::builder_with_provider(ring_provider.into())
+            .with_protocol_versions(&[&rustls::version::TLS13])
+            .unwrap()
            .with_no_client_auth()
            .with_single_cert(certs.clone(), key)
    }?;
@ -394,13 +409,16 @@ fn configure_server(
 pub fn server_endpoint(ep_config: &QuinnQuicEndpointConfig) -> Result<Endpoint, Box<dyn Error>> {
    let (server_config, _) = configure_server(ep_config)?;
    let socket = std::net::UdpSocket::bind(ep_config.server_addr)?;
-    let runtime = default_runtime()
-        .ok_or_else(|| std::io::Error::new(std::io::ErrorKind::Other, "No async runtime found"))?;
    let endpoint_config = EndpointConfig::default()
        .max_udp_payload_size(ep_config.transport_config.max_udp_payload_size)
        .unwrap()
        .to_owned();
-    let endpoint = Endpoint::new(endpoint_config, Some(server_config), socket, runtime)?;
+    let endpoint = Endpoint::new(
+        endpoint_config,
+        Some(server_config),
+        socket,
+        Arc::new(TokioRuntime),
+    )?;

    Ok(endpoint)
 }
--- a/net/quinn/tests/quinnquic.rs
+++ b/net/quinn/tests/quinnquic.rs
@ -18,9 +18,6 @@ fn init() {
    INIT.call_once(|| {
        gst::init().unwrap();
        gstquinn::plugin_register_static().expect("QUIC source sink send receive tests");
-        rustls::crypto::ring::default_provider()
-            .install_default()
-            .expect("Failed to install ring crypto provider");
    });
 }