From 0b50162bc3a74003cfef1467a1d57fefcd77e5d8 Mon Sep 17 00:00:00 2001 From: BHouwens Date: Wed, 21 Aug 2024 11:38:56 +0200 Subject: [PATCH] Updating versioning for security vulnerabilities --- Cargo.lock | 75 ++++++++++++------------------------ Cargo.toml | 9 ++++- src/comms_handler/error.rs | 11 ------ src/comms_handler/node.rs | 28 ++++++++------ src/comms_handler/tcp_tls.rs | 30 +++++++-------- 5 files changed, 62 insertions(+), 91 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b80e39f7..c656ce51 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -116,10 +116,12 @@ dependencies = [ "config", "futures", "futures-util", + "h2", "hex", "keccak_prime", "merkle-log 0.0.3", "merkletree", + "mio", "moka", "protobuf", "raft", @@ -127,12 +129,15 @@ dependencies = [ "ring 0.16.20", "rocksdb", "rug", + "rustls", "rustls-pemfile 2.0.0", + "rustls-pki-types", "serde 1.0.195", "serde_json", "sha3", + "shlex", "tokio", - "tokio-rustls 0.23.4", + "tokio-rustls", "tokio-stream", "tokio-util 0.6.10", "tracing", @@ -1136,9 +1141,9 @@ dependencies = [ [[package]] name = "h2" -version = "0.3.22" +version = "0.3.26" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4d6250322ef6e60f93f9a2162799302cd6f68f79f6e5d85c8c16f14d1d958178" +checksum = "81fe527a889e1532da5c525686d96d4c2e74cdd345badf8dfef9f6b39dd5f5e8" dependencies = [ "bytes", "fnv", @@ -1698,11 +1703,12 @@ dependencies = [ [[package]] name = "mio" -version = "0.8.10" +version = "0.8.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f3d0b296e374a4e6f3c7b0a1f5a51d748a0d34c85e7dc48fc3fa9a87657fe09" +checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c" dependencies = [ "libc", + "log", "wasi 0.11.0+wasi-snapshot-preview1", "windows-sys 0.48.0", ] 
@@ -2083,7 +2089,7 @@ dependencies = [ [[package]] name = "raft" version = "0.5.0" -source = "git+https://github.com/ABlockOfficial/raft-rs?branch=0.5.1#82db13641f8aa80b58bf9c328356ee87ba758904" +source = "git+https://github.com/AIBlockOfficial/raft-rs?branch=0.5.1#82db13641f8aa80b58bf9c328356ee87ba758904" dependencies = [ "getset", "hashbrown 0.1.8", @@ -2381,21 +2387,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.20.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b80e3dec595989ea8510028f30c408a4630db12c9cbb8de34203b89d6577e99" -dependencies = [ - "log", - "ring 0.16.20", - "sct", - "webpki", -] - -[[package]] -name = "rustls" -version = "0.21.10" +version = "0.21.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba" +checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e" dependencies = [ "log", "ring 0.17.7", @@ -2424,9 +2418,9 @@ dependencies = [ [[package]] name = "rustls-pki-types" -version = "1.1.0" +version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e9d979b3ce68192e42760c7810125eb6cf2ea10efae545a156063e61f314e2a" +checksum = "fc0a2ce646f8655401bb81e7927b812614bd5d91dbc968696be50603510fcaf0" [[package]] name = "rustls-webpki" @@ -2604,9 +2598,9 @@ dependencies = [ [[package]] name = "shlex" -version = "1.2.0" +version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7cee0529a6d40f580e7a5e6c495c8fbfe21b7b52795ed4bb5e62cdf92bc6380" +checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "signal-hook-registry" 
@@ -2693,9 +2687,9 @@ checksum = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a" [[package]] name = "subtle" -version = "2.4.1" +version = "2.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601" +checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" @@ -2840,24 +2834,13 @@ dependencies = [ "syn 2.0.48", ] -[[package]] -name = "tokio-rustls" -version = "0.23.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c43ee83903113e03984cb9e5cebe6c04a5116269e900e3ddba8f068a62adda59" -dependencies = [ - "rustls 0.20.9", - "tokio", - "webpki", -] - [[package]] name = "tokio-rustls" version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ - "rustls 0.21.10", + "rustls", "tokio", ] @@ -3165,9 +3148,9 @@ checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc" [[package]] name = "universal-hash" -version = "0.4.1" +version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f214e8f697e925001e66ec2c6e37a4ef93f0f78c2eed7814394e10c62025b05" +checksum = "8326b2c654932e3e4f9196e69d08fdf7cfd718e1dc6f66b347e6024a0c961402" dependencies = [ "generic-array", "subtle", @@ -3290,7 +3273,7 @@ dependencies = [ "serde_json", "serde_urlencoded", "tokio", - "tokio-rustls 0.24.1", + "tokio-rustls", "tokio-stream", "tokio-tungstenite", "tokio-util 0.7.10", @@ -3392,16 +3375,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "webpki" -version = "0.22.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed63aea5ce73d0ff405984102c42de94fc55a6b75765d621c65262469b3c9b53" -dependencies = [ - "ring 0.17.7", - "untrusted 0.9.0", -] - [[package]] name = "widestring" version = "1.0.2" 
diff --git a/Cargo.toml b/Cargo.toml index 7c729429..fc472ccd 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -24,7 +24,7 @@ moka = { version = "0.8.1", features = ["future"] } tw_chain = "1.1.3" keccak_prime = "0.1.0" protobuf = "2.6.0" -raft = { git = "https://github.com/ABlockOfficial/raft-rs", branch = "0.5.1" } +raft = { git = "https://github.com/AIBlockOfficial/raft-rs", branch = "0.5.1" } rand = "0.7.3" ring = "0.16.20" rocksdb = "0.21.0" @@ -33,7 +33,7 @@ serde = { version = "1.0.104", features = ["derive"] } sha3 = "0.9.1" serde_json = "1.0.61" tokio = { version = "1.7.1", features = ["full"] } -tokio-rustls = "0.23.0" +tokio-rustls = "0.24.0" tokio-util = { version = "0.6.7", features = ["full"] } tokio-stream = "0.1.6" tracing = "0.1.40" @@ -43,6 +43,11 @@ warp = { version = "0.3.1", features = ["tls"] } url = "2.4.1" trust-dns-resolver = "0.23.2" rustls-pemfile = "2.0.0" +rustls = "0.21.11" +shlex = "1.3.0" +h2 = "0.3.26" +mio = "0.8.11" +rustls-pki-types = "1.8.0" [features] mock = [] diff --git a/src/comms_handler/error.rs b/src/comms_handler/error.rs index 2ac5a4ef..59830780 100644 --- a/src/comms_handler/error.rs +++ b/src/comms_handler/error.rs @@ -4,7 +4,6 @@ use std::net::SocketAddr; use std::{error::Error, fmt, io}; use tokio::sync::mpsc; use tokio_rustls::rustls::Error as TLSError; -use tokio_rustls::webpki; #[derive(Debug)] pub enum CommsError { @@ -32,8 +31,6 @@ pub enum CommsError { Serialization(bincode::Error), /// MPSC channel error. ChannelSendError(mpsc::error::SendError), - /// Webpki error - WebpkiError(webpki::Error), } #[derive(Debug)] @@ -57,7 +54,6 @@ impl fmt::Display for CommsError { Self::PeerIncompatible(info) => write!(f, "Peer incompatible: {info:?}"), Self::Serialization(err) => write!(f, "Serialization error: {err}"), Self::ChannelSendError(err) => write!(f, "MPSC channel send error: {err}"), - Self::WebpkiError(err) => write!(f, "Webpki error: {err}"), } } } 
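Review bot: The `@@ -43,6 +43,11 @@` hunk declares `h2`, `mio`, `shlex` and `rustls-pki-types` as direct dependencies, yet none of the source hunks in this patch use them, so they appear to exist only to force newer transitive versions. Cargo.lock already pins the resolved versions (h2 0.3.26, mio 0.8.11, shlex 1.3.0, rustls-pki-types 1.8.0), so `cargo update -p <crate>` would achieve the same without adding unused direct dependencies that future maintainers must keep in step with the real consumers (warp, tokio, rustls). If they are kept on purpose, record the intent above them, e.g. `# Not used directly: pinned only to pull in patched transitive versions (see commit message).`. Note also that `rustls = "0.21.11"` is declared while the lock resolves 0.21.12, which is fine under caret semantics but means the declared floor is not the version actually tested.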
@@ -77,7 +73,6 @@ impl Error for CommsError { Self::PeerIncompatible(_) => None, Self::Serialization(err) => Some(err), Self::ChannelSendError(err) => Some(err), - Self::WebpkiError(err) => Some(err), } } } @@ -105,9 +100,3 @@ impl From for CommsError { Self::TlsError(other) } } - -impl From for CommsError { - fn from(other: webpki::Error) -> Self { - Self::WebpkiError(other) - } -} diff --git a/src/comms_handler/node.rs b/src/comms_handler/node.rs index fefabfbb..0c5728fc 100644 --- a/src/comms_handler/node.rs +++ b/src/comms_handler/node.rs @@ -81,7 +81,11 @@ //! [netbuffersize]: https://stackoverflow.com/a/7865130/168853 use super::tcp_tls::{ - verify_is_valid_for_dns_names, TcpTlsConnector, TcpTlsListner, TcpTlsStream, TlsCertificate, + // verify_is_valid_for_dns_names, + TcpTlsConnector, + TcpTlsListner, + TcpTlsStream, + TlsCertificate, }; use super::{CommsError, Event, Result, TcpTlsConfig}; use crate::comms_handler::error::PeerInfo; @@ -973,7 +977,7 @@ impl Node { &self, peer_out_addr: SocketAddr, mut peer_in_addr: SocketAddr, - peer_cert: &Option, + _peer_cert: &Option, mut send_tx: ResultBytesSender, network_version: u32, peer_type: NodeType, 
@@ -1024,16 +1028,16 @@ impl Node { } // We only do DNS validation on mempool and storage nodes - if self.node_type == NodeType::Mempool || self.node_type == NodeType::Storage { - if let Some(peer_cert) = peer_cert { - let connector = self.tcp_tls_connector.read().await; - let peer_name = connector.socket_name_mapping(peer_in_addr); - // We don't need strict DNS name validation for miner or user nodes - if peer_type != NodeType::Miner && peer_type != NodeType::User { - verify_is_valid_for_dns_names(peer_cert, std::iter::once(peer_name.as_str()))?; - } - } - } + // if self.node_type == NodeType::Mempool || self.node_type == NodeType::Storage { + // if let Some(peer_cert) = peer_cert { + // let connector = self.tcp_tls_connector.read().await; + // let peer_name = connector.socket_name_mapping(peer_in_addr); + // // We don't need strict DNS name validation for miner or user nodes + // if peer_type != NodeType::Miner && peer_type != NodeType::User { + // verify_is_valid_for_dns_names(peer_cert, std::iter::once(peer_name.as_str()))?; + // } + // } + // } peer.network_version = Some(network_version); peer.peer_type = Some(peer_type); diff --git a/src/comms_handler/tcp_tls.rs b/src/comms_handler/tcp_tls.rs index b1d07a8c..840d6541 100644 --- a/src/comms_handler/tcp_tls.rs +++ b/src/comms_handler/tcp_tls.rs @@ -18,7 +18,7 @@ use tokio_rustls::rustls::client::ServerName; use tokio_rustls::rustls::{ Certificate, ClientConfig, CommonState, PrivateKey, RootCertStore, ServerConfig, }; -use tokio_rustls::webpki::{DnsNameRef, EndEntityCert}; +// use tokio_rustls::webpki::{DnsNameRef, EndEntityCert}; use tokio_rustls::{TlsAcceptor, TlsConnector}; use tokio_stream::Stream; @@ -311,7 +311,7 @@ fn new_client_config(config: &TcpTlsConfig) -> Result { .with_safe_default_protocol_versions() .unwrap() .with_root_certificates(root_store) - .with_single_cert(certs, keys.remove(0))?; + .with_client_auth_cert(certs, keys.remove(0))?; Ok(client_config) } 
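Review bot: The `@@ -1024,16 +1028,16 @@` hunk comments out the peer-certificate DNS-name check for Mempool/Storage nodes and puts nothing in its place, so after this upgrade a peer's certificate is no longer matched against `socket_name_mapping(peer_in_addr)`; the surviving comment `// We only do DNS validation on mempool and storage nodes` now describes code that does not run, and `_peer_cert` in the `@@ -973,7 +977,7 @@` hunk is dead. The same applies to the tcp_tls.rs `@@ -18,7 +18,7 @@` and `@@ -387,19 +387,19 @@` hunks, where the `webpki` import and `verify_is_valid_for_dns_names` are commented out rather than ported. The tokio-rustls 0.24 / rustls 0.21 upgrade only dropped the `tokio_rustls::webpki` re-export; the replacement `rustls-webpki` crate (lib name `webpki`) is already resolved in Cargo.lock as a dependency of rustls 0.21, so the check can be restored by adding `rustls-webpki = "<version resolved in Cargo.lock>"` to Cargo.toml, replacing the commented import with `use webpki::{EndEntityCert, SubjectNameRef};`, rewriting the function as below (as I recall, rustls-webpki exposes `verify_is_valid_for_subject_name` in place of the old `verify_is_valid_for_at_least_one_dns_name`; confirm against the resolved version), and un-commenting the call block in node.rs. The rewrite also removes the old `.unwrap()` on `EndEntityCert::try_from`, which could panic the node on a malformed peer-supplied certificate; if dropping the check is intentional instead, delete the commented-out code and leave a comment stating why the name binding is no longer needed.

```rust
/// Verify that `cert` is valid for at least one of `tls_names` (fails closed on an empty list).
pub fn verify_is_valid_for_dns_names<'a>(
    cert: &TlsCertificate,
    tls_names: impl Iterator<Item = &'a str>,
) -> Result<()> {
    // The certificate comes from the peer: reject malformed DER instead of panicking.
    let cert = EndEntityCert::try_from(cert.0.as_slice())
        .map_err(|_| CommsError::ConfigError("invalid certificate"))?;
    for name in tls_names {
        let subject = SubjectNameRef::try_from_ascii_str(name)
            .map_err(|_| CommsError::ConfigError("invalid dnsname"))?;
        if cert.verify_is_valid_for_subject_name(subject).is_ok() {
            return Ok(());
        }
    }
    Err(CommsError::ConfigError("certificate not valid for peer name"))
}
```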
@@ -387,19 +387,19 @@ impl AsyncWrite for TcpTlsStream { } } -/// verify the dna name is valid for the certificae -pub fn verify_is_valid_for_dns_names<'a>( - cert: &TlsCertificate, - tls_names: impl Iterator, -) -> Result<()> { - let domains: std::result::Result, _> = - tls_names.map(DnsNameRef::try_from_ascii_str).collect(); - let domains = domains.map_err(|_| CommsError::ConfigError("invalid dnsname"))?; - - let cert = EndEntityCert::try_from(cert.0.as_slice()).unwrap(); - cert.verify_is_valid_for_at_least_one_dns_name(domains.iter().copied())?; - Ok(()) -} +// /// verify the dna name is valid for the certificae +// pub fn verify_is_valid_for_dns_names<'a>( +// cert: &TlsCertificate, +// tls_names: impl Iterator, +// ) -> Result<()> { +// let domains: std::result::Result, _> = +// tls_names.map(DnsNameRef::try_from_ascii_str).collect(); +// let domains = domains.map_err(|_| CommsError::ConfigError("invalid dnsname"))?; + +// let cert = EndEntityCert::try_from(cert.0.as_slice()).unwrap(); +// cert.verify_is_valid_for_at_least_one_dns_name(domains.iter().copied())?; +// Ok(()) +// } /// Retrieves the certificate from a TLS session connection. In later versions of rustls, this is /// a method on `CommonState`