| author | David Lönnhager <david.l@mullvad.net> | 2022-01-21 16:49:00 +0100 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2022-01-21 16:49:00 +0100 |
| commit | ecf45a3a01084771c7c5fe5d0a8f5b1f80f8f7bb (patch) | |
| tree | 3139bbc26c1657434cb2f719611789f93be689fb | |
| parent | d2fe92bcfc6a696258545aab59283f5eea9385c8 (diff) | |
| parent | 78c901e826dbffe142d6ef1bb6e04a70a62bbb93 (diff) | |
| download | mullvadvpn-ecf45a3a01084771c7c5fe5d0a8f5b1f80f8f7bb.tar.xz mullvadvpn-ecf45a3a01084771c7c5fe5d0a8f5b1f80f8f7bb.zip | |
Merge branch 'upgrade-rustls'
| -rw-r--r-- | Cargo.lock | 62 | ||||
| -rw-r--r-- | mullvad-rpc/Cargo.toml | 5 | ||||
| -rw-r--r-- | mullvad-rpc/src/https_client_with_sni.rs | 36 |
3 files changed, 57 insertions, 46 deletions
diff --git a/Cargo.lock b/Cargo.lock index 1aa3fb75ad..483cb54781 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -259,15 +259,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ea221b5284a47e40033bf9b66f35f984ec0ea2931eb03505246cd27a963f981b" [[package]] -name = "ct-logs" -version = "0.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c1a816186fa68d9e426e3cb4ae4dff1fcd8e4a2c34b781bf7a822574a0d0aac8" -dependencies = [ - "sct", -] - -[[package]] name = "ctrlc" version = "3.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -891,19 +882,17 @@ dependencies = [ [[package]] name = "hyper-rustls" -version = "0.22.1" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f9f7a97316d44c0af9b0301e65010573a853a9fc97046d7331d7f6bc0fd5a64" +checksum = "d87c48c02e0dc5e3b849a2041db3029fd066650f8f717c07bf8ed78ccb895cac" dependencies = [ - "ct-logs", - "futures-util", + "http", "hyper", "log", "rustls", "rustls-native-certs", "tokio", "tokio-rustls", - "webpki", ] [[package]] @@ -1459,6 +1448,7 @@ dependencies = [ "mullvad-types", "rand 0.7.3", "regex", + "rustls-pemfile", "serde", "serde_json", "talpid-types", @@ -1466,7 +1456,7 @@ dependencies = [ "tokio-rustls", "tokio-stream", "urlencoding", - "webpki", + "webpki 0.21.4", ] [[package]] 
@@ -2253,30 +2243,38 @@ dependencies = [ [[package]] name = "rustls" -version = "0.19.1" +version = "0.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35edb675feee39aec9c99fa5ff985081995a06d594114ae14cbe797ad7b7a6d7" +checksum = "d37e5e2290f3e040b594b1a9e04377c2c671f1a1cfd9bfdef82106ac1c113f84" dependencies = [ - "base64", "log", "ring", "sct", - "webpki", + "webpki 0.22.0", ] [[package]] name = "rustls-native-certs" -version = "0.5.0" +version = "0.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a07b7c1885bd8ed3831c289b7870b13ef46fe0e856d288c30d9cc17d75a2092" +checksum = "5ca9ebdfa27d3fc180e42879037b5338ab1c040c06affd00d8338598e7800943" dependencies = [ "openssl-probe", - "rustls", + "rustls-pemfile", "schannel", "security-framework", ] [[package]] +name = "rustls-pemfile" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9" +dependencies = [ + "base64", +] + +[[package]] name = "rustversion" version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -2315,9 +2313,9 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" [[package]] name = "sct" -version = "0.6.1" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b362b83898e0e69f38515b82ee15aa80636befe47c3b6d3d89a911e78fc228ce" +checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" dependencies = [ "ring", "untrusted", 
@@ -2828,13 +2826,13 @@ dependencies = [ [[package]] name = "tokio-rustls" -version = "0.22.0" +version = "0.23.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6" +checksum = "a27d5f2b839802bd8267fa19b0530f5a08b9c08cd417976be2a65d130fe1c11b" dependencies = [ "rustls", "tokio", - "webpki", + "webpki 0.22.0", ] [[package]] @@ -3341,6 +3339,16 @@ dependencies = [ ] [[package]] +name = "webpki" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd" +dependencies = [ + "ring", + "untrusted", +] + +[[package]] name = "which" version = "4.2.2" source = "registry+https://github.com/rust-lang/crates.io-index"
diff --git a/mullvad-rpc/Cargo.toml b/mullvad-rpc/Cargo.toml
index 4f1c0f06dc..a8ae423877 100644
--- a/mullvad-rpc/Cargo.toml
+++ b/mullvad-rpc/Cargo.toml
@@ -23,9 +23,10 @@ rand = "0.7"
 regex = "1"
 serde = "1"
 serde_json = "1.0"
-hyper-rustls = "0.22"
+hyper-rustls = "0.23"
 tokio = { version = "1.8", features = [ "macros", "time", "rt-multi-thread", "net", "io-std", "fs" ] }
-tokio-rustls = "0.22"
+tokio-rustls = "0.23"
+rustls-pemfile = "0.2"
 urlencoding = "1"
 webpki = { version = "0.21", features = [] }
 lazy_static = "1.1.0"
diff --git a/mullvad-rpc/src/https_client_with_sni.rs b/mullvad-rpc/src/https_client_with_sni.rs
index 271554b1c4..63867f54e8 100644
--- a/mullvad-rpc/src/https_client_with_sni.rs
+++ b/mullvad-rpc/src/https_client_with_sni.rs
@@ -10,6 +10,7 @@ use hyper::{
     Uri,
 };
 use hyper_rustls::MaybeHttpsStream;
+use rustls::ServerName;
 #[cfg(target_os = "android")]
 use std::os::unix::io::{AsRawFd, RawFd};
 use std::{
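Review bot: `use rustls::ServerName;` is added here although the `mullvad-rpc/Cargo.toml` hunk in this same diff adds no direct `rustls` dependency, so the path appears to resolve only through the `use tokio_rustls::rustls;` import rewritten in the next hunk (the one at `-27,8`), which uniform paths permit but which reads like a crate-root import. Merging the two as `use tokio_rustls::rustls::{self, ServerName};` makes the origin explicit, keeps the re-exported rustls as the single source of TLS types, and avoids an ambiguous-name error should a direct `rustls` dependency be added later. The `use std::{` block at the end of the hunk continues outside it.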
@@ -27,8 +28,7 @@ use std::{
 
 use tokio::net::TcpSocket;
 use tokio::{net::TcpStream as TokioTcpStream, runtime::Handle, time::timeout};
-use tokio_rustls::rustls::{self, ProtocolVersion};
-use webpki::DNSNameRef;
+use tokio_rustls::rustls;
 // New LetsEncrypt root certificate
 const LE_ROOT_CERT: &[u8] = include_bytes!("../le_root_cert.pem");
@@ -51,21 +51,19 @@ pub struct HttpsConnectorWithSni {
 pub type SocketBypassRequest = (RawFd, oneshot::Sender<()>);
 impl HttpsConnectorWithSni {
-    /// Construct a new HttpsConnectorWithSni.
-    ///
-    /// Takes number of DNS worker threads.
-    ///
-    /// This uses hyper's default `HttpConnector`, and default `TlsConnector`.
-    /// If you wish to use something besides the defaults, use `From::from`.
     pub fn new(
         handle: Handle,
         sni_hostname: Option<String>,
         #[cfg(target_os = "android")] socket_bypass_tx: Option<mpsc::Sender<SocketBypassRequest>>,
     ) -> Self {
-        let mut config = rustls::ClientConfig::new();
+        let mut config = rustls::ClientConfig::builder()
+            .with_safe_default_cipher_suites()
+            .with_safe_default_kx_groups()
+            .with_protocol_versions(&[&rustls::version::TLS13])
+            .unwrap()
+            .with_root_certificates(Self::read_cert_store())
+            .with_no_client_auth();
         config.enable_sni = true;
-        config.root_store = Self::read_cert_store();
-        config.versions = vec![ProtocolVersion::TLSv1_3];
         HttpsConnectorWithSni {
             next_socket_id: 0,
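Review bot: The six-line doc comment on `new` is removed without a replacement, so the function that now fixes the TLS policy for this connector (TLS 1.3 only, the bundled root as the sole trust anchor, no client auth) is undocumented; the old text was stale, but a short replacement such as `/// Construct a connector whose TLS config accepts only TLS 1.3 and trusts only the bundled root certificate.` would tell the next reader what is being pinned. The `.unwrap()` on `with_protocol_versions` can only fire if the fixed `TLS13` slice were rejected, so `.expect("TLS 1.3 is always a supported protocol version")` states that invariant where it is relied on. `config.enable_sni = true;` is carried over from the old code; if the rustls 0.20 builder already defaults it to true the assignment is redundant, though keeping it explicit documents that SNI is required here. The body of `new` continues past the end of the hunk.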
@@ -81,11 +79,11 @@ impl HttpsConnectorWithSni {
     fn read_cert_store() -> rustls::RootCertStore {
         let mut cert_store = rustls::RootCertStore::empty();
-        let (num_certs_added, num_failures) = cert_store
-            .add_pem_file(&mut BufReader::new(LE_ROOT_CERT))
-            .expect("Failed to add new root cert");
+        let certs = rustls_pemfile::certs(&mut BufReader::new(LE_ROOT_CERT))
+            .expect("Failed to parse pem file");
+        let (num_certs_added, num_failures) = cert_store.add_parsable_certificates(&certs);
         if num_failures > 0 || num_certs_added != 1 {
-            panic!("Failed to add new root cert");
+            panic!("Failed to add root cert");
         }
         cert_store
@@ -198,8 +196,12 @@ impl Service<Uri> for HttpsConnectorWithSni {
         }
         let hostname = sni_hostname?;
-        let host = DNSNameRef::try_from_ascii_str(&hostname)
-            .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "invalid hostname"))?;
+        let host = ServerName::try_from(hostname.as_str()).map_err(|_| {
+            io::Error::new(
+                io::ErrorKind::InvalidInput,
+                format!("invalid hostname \"{}\"", hostname),
+            )
+        })?;
         let addr = Self::resolve_address(&uri).await?;
         let tokio_connection = Self::open_socket(
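Review bot: `read_cert_store` has no doc comment, yet it is where the trust anchor set is fixed, and nothing in its signature says it panics rather than returning an error; `/// Builds a root store holding only the bundled root certificate; panics unless the embedded PEM yields exactly one parsable certificate.` states both facts. The `num_certs_added != 1` check also covers the case where `rustls_pemfile::certs` returns an empty list (no CERTIFICATE block in the file), which is worth a one-line comment on the `if` because that outcome is not obvious from the call site. The function's closing brace lies outside the hunk.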
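Review bot: `ServerName::try_from(hostname.as_str())` replaces `DNSNameRef::try_from_ascii_str`, which accepted DNS names only; if the rustls 0.20 `ServerName` conversion also accepts IP address literals, an `sni_hostname` that is an IP would now pass this check and fail later in the handshake rather than here with `InvalidInput`. If only DNS names are intended, filtering on the variant keeps the earlier behaviour while reusing the same error path: `let host = ServerName::try_from(hostname.as_str()).ok().filter(|name| matches!(name, ServerName::DnsName(_))).ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, format!("invalid hostname \"{}\"", hostname)))?;`. The enclosing method starts and ends outside the hunk.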
