From af54b2396b8ba19c3ba24fe8ba850760eb51b249 Mon Sep 17 00:00:00 2001
From: Sanchayan Maity <sanchayan@asymptotic.io>
Date: Wed, 23 Oct 2024 17:40:31 +0530
Subject: [PATCH] net/quinn: Specify crypto provider explicitly

rustls allows the choice of ring or aws-lc-rs as the cryptographic
library implementation. This is enabled/selected via Cargo feature
flags. We have plugins directly or indirectly depending on rustls
like quinn, aws and spotify. In the presence of multiple plugins,
selecting different implementations as the default, rustls can
panic.

The safest way to avoid this is by using builder_with_provider
and selecting a provider explicitly.

See below issues for further discussion and clarifications.
https://github.com/rustls/rustls/issues/1877
https://github.com/seanmonstar/reqwest/pull/2225

While at it, also specify features explicitly for quinn and rustls.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-rs/-/merge_requests/1878>
---
 Cargo.lock                   | 76 +-----------------------------------
 net/quinn/Cargo.toml         |  6 +--
 net/quinn/src/utils.rs       | 44 +++++++++++++++------
 net/quinn/tests/quinnquic.rs |  3 --
 4 files changed, 35 insertions(+), 94 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 72fd98652..489b20abb 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1049,12 +1049,6 @@ dependencies = [
  "thiserror",
 ]
 
-[[package]]
-name = "cesu8"
-version = "1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c"
-
 [[package]]
 name = "cexpr"
 version = "0.6.0"
@@ -1214,16 +1208,6 @@ version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d3fd119d74b830634cea2a0f58bbd0d54540518a14397557951e79340abc28c0"
 
-[[package]]
-name = "combine"
-version = "4.6.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd"
-dependencies = [
- "bytes",
- "memchr",
-]
-
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -4357,26 +4341,6 @@ version = "1.0.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b"
 
-[[package]]
-name = "jni"
-version = "0.19.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c6df18c2e3db7e453d3c6ac5b3e9d5182664d28788126d39b91f2d1e22b017ec"
-dependencies = [
- "cesu8",
- "combine",
- "jni-sys",
- "log",
- "thiserror",
- "walkdir",
-]
-
-[[package]]
-name = "jni-sys"
-version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130"
-
 [[package]]
 name = "jobserver"
 version = "0.1.32"
@@ -5775,7 +5739,6 @@ dependencies = [
  "ring",
  "rustc-hash 2.0.0",
  "rustls 0.23.15",
- "rustls-platform-verifier",
  "slab",
  "thiserror",
  "tinyvec",
@@ -6033,7 +5996,7 @@ dependencies = [
  "wasm-bindgen",
  "wasm-bindgen-futures",
  "web-sys",
- "webpki-roots 0.25.4",
+ "webpki-roots",
  "winreg",
 ]
 
@@ -6350,33 +6313,6 @@ version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "16f1201b3c9a7ee8039bcadc17b7e605e2945b27eee7631788c1bd2b0643674b"
 
-[[package]]
-name = "rustls-platform-verifier"
-version = "0.3.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "afbb878bdfdf63a336a5e63561b1835e7a8c91524f51621db870169eac84b490"
-dependencies = [
- "core-foundation",
- "core-foundation-sys",
- "jni",
- "log",
- "once_cell",
- "rustls 0.23.15",
- "rustls-native-certs 0.7.3",
- "rustls-platform-verifier-android",
- "rustls-webpki 0.102.8",
- "security-framework",
- "security-framework-sys",
- "webpki-roots 0.26.6",
- "winapi",
-]
-
-[[package]]
-name = "rustls-platform-verifier-android"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f"
-
 [[package]]
 name = "rustls-webpki"
 version = "0.101.7"
@@ -6500,7 +6436,6 @@ dependencies = [
  "core-foundation",
  "core-foundation-sys",
  "libc",
- "num-bigint",
  "security-framework-sys",
 ]
 
@@ -7913,15 +7848,6 @@ version = "0.25.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1"
 
-[[package]]
-name = "webpki-roots"
-version = "0.26.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "841c67bff177718f1d4dfefde8d8f0e78f9b6589319ba88312f567fc5841a958"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "weezl"
 version = "0.1.8"
diff --git a/net/quinn/Cargo.toml b/net/quinn/Cargo.toml
index a3d761ac3..66890d691 100644
--- a/net/quinn/Cargo.toml
+++ b/net/quinn/Cargo.toml
@@ -15,9 +15,9 @@ gst.workspace = true
 gst-base.workspace = true
 tokio = { version = "1.36.0", default-features = false, features = ["time", "rt-multi-thread"] }
 futures = "0.3.30"
-quinn = { version = "0.11.2", default-features = true, features = ["ring"]}
-quinn-proto = "0.11.2"
-rustls = { version = "0.23", default-features = false, features = ["ring", "std"]}
+quinn = { version = "0.11.5", default-features = false, features = ["ring", "rustls", "runtime-tokio"] }
+quinn-proto ={ version = "0.11.8", default-features = false, features = ["rustls"] }
+rustls = { version = "0.23", default-features = false, features = ["std"] }
 rustls-pemfile = "2"
 rustls-pki-types = "1"
 rcgen = "0.13"
diff --git a/net/quinn/src/utils.rs b/net/quinn/src/utils.rs
index 938708ecf..40588693b 100644
--- a/net/quinn/src/utils.rs
+++ b/net/quinn/src/utils.rs
@@ -12,9 +12,8 @@ use futures::future;
 use futures::prelude::*;
 use gst::ErrorMessage;
 use quinn::{
-    crypto::rustls::QuicClientConfig, crypto::rustls::QuicServerConfig, default_runtime,
-    ClientConfig, Connection, Endpoint, EndpointConfig, MtuDiscoveryConfig, ServerConfig,
-    TransportConfig,
+    crypto::rustls::QuicClientConfig, crypto::rustls::QuicServerConfig, ClientConfig, Connection,
+    Endpoint, EndpointConfig, MtuDiscoveryConfig, ServerConfig, TokioRuntime, TransportConfig,
 };
 use quinn_proto::{ConnectionStats, FrameStats, PathStats, UdpStats};
 use std::error::Error;
@@ -209,6 +208,8 @@ impl rustls::client::danger::ServerCertVerifier for SkipServerVerification {
 }
 
 fn configure_client(ep_config: &QuinnQuicEndpointConfig) -> Result<ClientConfig, Box<dyn Error>> {
+    let ring_provider = rustls::crypto::ring::default_provider();
+
     let mut crypto = if ep_config.secure_conn {
         let (certs, key) = read_certs_from_file(
             ep_config.certificate_file.clone(),
@@ -217,11 +218,15 @@ fn configure_client(ep_config: &QuinnQuicEndpointConfig) -> Result<ClientConfig,
         let mut cert_store = rustls::RootCertStore::empty();
         cert_store.add_parsable_certificates(certs.clone());
 
-        rustls::ClientConfig::builder()
+        rustls::ClientConfig::builder_with_provider(ring_provider.into())
+            .with_protocol_versions(&[&rustls::version::TLS13])
+            .unwrap()
             .with_root_certificates(Arc::new(cert_store))
             .with_client_auth_cert(certs, key)?
     } else {
-        rustls::ClientConfig::builder()
+        rustls::ClientConfig::builder_with_provider(ring_provider.into())
+            .with_protocol_versions(&[&rustls::version::TLS13])
+            .unwrap()
             .dangerous()
             .with_custom_certificate_verifier(SkipServerVerification::new())
             .with_no_client_auth()
@@ -340,18 +345,28 @@ fn configure_server(
         (cert_chain, priv_key)
     };
 
+    let ring_provider = rustls::crypto::ring::default_provider();
+
     let mut crypto = if ep_config.secure_conn {
         let mut cert_store = rustls::RootCertStore::empty();
         cert_store.add_parsable_certificates(certs.clone());
 
-        let auth_client = rustls::server::WebPkiClientVerifier::builder(Arc::new(cert_store))
-            .build()
-            .unwrap();
-        rustls::ServerConfig::builder()
+        let auth_client = rustls::server::WebPkiClientVerifier::builder_with_provider(
+            Arc::new(cert_store),
+            ring_provider.clone().into(),
+        )
+        .build()
+        .unwrap();
+
+        rustls::ServerConfig::builder_with_provider(ring_provider.into())
+            .with_protocol_versions(&[&rustls::version::TLS13])
+            .unwrap()
             .with_client_cert_verifier(auth_client)
             .with_single_cert(certs.clone(), key)
     } else {
-        rustls::ServerConfig::builder()
+        rustls::ServerConfig::builder_with_provider(ring_provider.into())
+            .with_protocol_versions(&[&rustls::version::TLS13])
+            .unwrap()
             .with_no_client_auth()
             .with_single_cert(certs.clone(), key)
     }?;
@@ -394,13 +409,16 @@ fn configure_server(
 pub fn server_endpoint(ep_config: &QuinnQuicEndpointConfig) -> Result<Endpoint, Box<dyn Error>> {
     let (server_config, _) = configure_server(ep_config)?;
     let socket = std::net::UdpSocket::bind(ep_config.server_addr)?;
-    let runtime = default_runtime()
-        .ok_or_else(|| std::io::Error::new(std::io::ErrorKind::Other, "No async runtime found"))?;
     let endpoint_config = EndpointConfig::default()
         .max_udp_payload_size(ep_config.transport_config.max_udp_payload_size)
         .unwrap()
         .to_owned();
-    let endpoint = Endpoint::new(endpoint_config, Some(server_config), socket, runtime)?;
+    let endpoint = Endpoint::new(
+        endpoint_config,
+        Some(server_config),
+        socket,
+        Arc::new(TokioRuntime),
+    )?;
 
     Ok(endpoint)
 }
diff --git a/net/quinn/tests/quinnquic.rs b/net/quinn/tests/quinnquic.rs
index 0e071f370..911ce5201 100644
--- a/net/quinn/tests/quinnquic.rs
+++ b/net/quinn/tests/quinnquic.rs
@@ -18,9 +18,6 @@ fn init() {
     INIT.call_once(|| {
         gst::init().unwrap();
         gstquinn::plugin_register_static().expect("QUIC source sink send receive tests");
-        rustls::crypto::ring::default_provider()
-            .install_default()
-            .expect("Failed to install ring crypto provider");
     });
 }