From c88e4e751865ec6f3941f096f42e8cece13842b1 Mon Sep 17 00:00:00 2001
From: Alexander Lyon <arlyon@me.com>
Date: Mon, 1 Apr 2024 15:09:29 +0100
Subject: [PATCH] bump tokio-rustls (#8217)

* bump tokio-rustls

Note that rustls is not on the latest minor since tokio-rustls
has not updated yet.

* Add vet exemptions

* Update ureq to trim the crate graph

* Add vet for ureq

* Fix compile on riscv

---------

Co-authored-by: Alex Crichton <alex@alexcrichton.com>
---
 Cargo.lock                    | 81 +++++++++++++++++++----------------
 crates/wasi-http/Cargo.toml   |  6 +--
 crates/wasi-http/src/types.rs | 23 +++++-----
 supply-chain/config.toml      | 40 +++++++++++++++++
 supply-chain/imports.lock     |  7 +++
 5 files changed, 106 insertions(+), 51 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index fc4bd14c26..177f28b641 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2327,17 +2327,16 @@ dependencies = [
 
 [[package]]
 name = "ring"
-version = "0.16.20"
+version = "0.17.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
+checksum = "9babe80d5c16becf6594aa32ad2be8fe08498e7ae60b77de8df700e67f191d7e"
 dependencies = [
  "cc",
+ "getrandom",
  "libc",
- "once_cell",
- "spin 0.5.2",
+ "spin",
  "untrusted",
- "web-sys",
- "winapi",
+ "windows-sys 0.48.0",
 ]
 
 [[package]]
@@ -2369,23 +2368,32 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.21.6"
+version = "0.22.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d1feddffcfcc0b33f5c6ce9a29e341e4cd59c3f78e7ee45f4a40c038b1d6cbb"
+checksum = "e87c9956bd9807afa1f77e0f7594af32566e830e088a5576d27c5b6f30f49d41"
 dependencies = [
  "log",
  "ring",
+ "rustls-pki-types",
  "rustls-webpki",
- "sct",
+ "subtle",
+ "zeroize",
 ]
 
+[[package]]
+name = "rustls-pki-types"
+version = "1.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5ede67b28608b4c60685c7d54122d4400d90f62b40caee7700e700380a390fa8"
+
 [[package]]
 name = "rustls-webpki"
-version = "0.101.4"
+version = "0.102.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7d93931baf2d282fff8d3a532bbfd7653f734643161b87e3e01e59a04439bf0d"
+checksum = "faaa0a62740bedb9b2ef5afa303da42764c012f743917351dc9a237ea1663610"
 dependencies = [
  "ring",
+ "rustls-pki-types",
  "untrusted",
 ]
 
@@ -2428,16 +2436,6 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
 
-[[package]]
-name = "sct"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4"
-dependencies = [
- "ring",
- "untrusted",
-]
-
 [[package]]
 name = "semver"
 version = "1.0.17"
@@ -2595,12 +2593,6 @@ dependencies = [
  "smallvec",
 ]
 
-[[package]]
-name = "spin"
-version = "0.5.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
-
 [[package]]
 name = "spin"
 version = "0.9.4"
@@ -2631,6 +2623,12 @@ version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
 
+[[package]]
+name = "subtle"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc"
+
 [[package]]
 name = "symbolic_expressions"
 version = "5.0.3"
@@ -2855,11 +2853,12 @@ dependencies = [
 
 [[package]]
 name = "tokio-rustls"
-version = "0.24.0"
+version = "0.25.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e0d409377ff5b1e3ca6437aa86c1eb7d40c134bfec254e44c830defa92669db5"
+checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f"
 dependencies = [
  "rustls",
+ "rustls-pki-types",
  "tokio",
 ]
 
@@ -3026,20 +3025,21 @@ checksum = "957e51f3646910546462e67d5f7599b9e4fb8acdd304b087a6494730f9eebf04"
 
 [[package]]
 name = "untrusted"
-version = "0.7.1"
+version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
 [[package]]
 name = "ureq"
-version = "2.9.1"
+version = "2.9.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8cdd25c339e200129fe4de81451814e5228c9b771d57378817d6117cc2b3f97"
+checksum = "11f214ce18d8b2cbe84ed3aa6486ed3f5b285cf8d8fbdbce9f3f767a724adc35"
 dependencies = [
  "base64",
  "log",
  "once_cell",
  "rustls",
+ "rustls-pki-types",
  "rustls-webpki",
  "url",
  "webpki-roots",
@@ -3334,7 +3334,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "acfc1e384a36ca532d070a315925887247f3c7e23567e23e0ac9b1c5d6b8bf76"
 dependencies = [
  "smallvec",
- "spin 0.9.4",
+ "spin",
  "wasmi_arena",
  "wasmi_core",
  "wasmparser-nostd",
@@ -4011,9 +4011,12 @@ dependencies = [
 
 [[package]]
 name = "webpki-roots"
-version = "0.25.2"
+version = "0.26.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14247bb57be4f377dfb94c72830b8ce8fc6beac03cf4bf7b9732eadd414123fc"
+checksum = "b3de34ae270483955a94f4b21bdaaeb83d508bb84a01435f393818edb0012009"
+dependencies = [
+ "rustls-pki-types",
+]
 
 [[package]]
 name = "which"
@@ -4470,6 +4473,12 @@ dependencies = [
  "syn 2.0.32",
 ]
 
+[[package]]
+name = "zeroize"
+version = "1.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d"
+
 [[package]]
 name = "zstd"
 version = "0.13.0"
diff --git a/crates/wasi-http/Cargo.toml b/crates/wasi-http/Cargo.toml
index cd9c097ce2..9c9400ab94 100644
--- a/crates/wasi-http/Cargo.toml
+++ b/crates/wasi-http/Cargo.toml
@@ -30,9 +30,9 @@ wasmtime = { workspace = true, features = ['component-model'] }
 
 # The `ring` crate, used to implement TLS, does not build on riscv64 or s390x
 [target.'cfg(not(any(target_arch = "riscv64", target_arch = "s390x")))'.dependencies]
-tokio-rustls = { version = "0.24.0" }
-rustls = { version = "0.21.6" }
-webpki-roots = { version = "0.25.2" }
+tokio-rustls = { version = "0.25.0" }
+rustls = { version = "0.22.0" }
+webpki-roots = { version = "0.26.0" }
 
 [dev-dependencies]
 test-programs-artifacts = { workspace = true }
diff --git a/crates/wasi-http/src/types.rs b/crates/wasi-http/src/types.rs
index 839af33f1f..5c1b207e9f 100644
--- a/crates/wasi-http/src/types.rs
+++ b/crates/wasi-http/src/types.rs
@@ -177,28 +177,27 @@ async fn handler(
 
         #[cfg(not(any(target_arch = "riscv64", target_arch = "s390x")))]
         {
-            use tokio_rustls::rustls::OwnedTrustAnchor;
+            use rustls::pki_types::{ServerName, TrustAnchor};
 
             // derived from https://github.com/tokio-rs/tls/blob/master/tokio-rustls/examples/client/src/main.rs
             let mut root_cert_store = rustls::RootCertStore::empty();
-            root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
-                OwnedTrustAnchor::from_subject_spki_name_constraints(
-                    ta.subject,
-                    ta.spki,
-                    ta.name_constraints,
-                )
+            root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| TrustAnchor {
+                name_constraints: ta.name_constraints.to_owned(),
+                subject: ta.subject.to_owned(),
+                subject_public_key_info: ta.subject_public_key_info.to_owned(),
             }));
             let config = rustls::ClientConfig::builder()
-                .with_safe_defaults()
                 .with_root_certificates(root_cert_store)
                 .with_no_client_auth();
             let connector = tokio_rustls::TlsConnector::from(std::sync::Arc::new(config));
             let mut parts = authority.split(":");
             let host = parts.next().unwrap_or(&authority);
-            let domain = rustls::ServerName::try_from(host).map_err(|e| {
-                tracing::warn!("dns lookup error: {e:?}");
-                dns_error("invalid dns name".to_string(), 0)
-            })?;
+            let domain = ServerName::try_from(host)
+                .map_err(|e| {
+                    tracing::warn!("dns lookup error: {e:?}");
+                    dns_error("invalid dns name".to_string(), 0)
+                })?
+                .to_owned();
             let stream = connector.connect(domain, tcp_stream).await.map_err(|e| {
                 tracing::warn!("tls protocol error: {e:?}");
                 types::ErrorCode::TlsProtocolError
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index c4c5b43210..369826159e 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -482,6 +482,22 @@ version = "0.16.20"
 criteria = "safe-to-deploy"
 notes = "contains assembly language and object file implementations of crypto primitives for a very large number of platforms"
 
+[[exemptions.ring]]
+version = "0.17.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.rustls]]
+version = "0.22.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.rustls-pki-types]]
+version = "1.3.1"
+criteria = "safe-to-deploy"
+
+[[exemptions.rustls-webpki]]
+version = "0.102.2"
+criteria = "safe-to-deploy"
+
 [[exemptions.rusty-fork]]
 version = "0.3.0"
 criteria = "safe-to-deploy"
@@ -514,6 +530,10 @@ criteria = "safe-to-deploy"
 version = "0.5.2"
 criteria = "safe-to-deploy"
 
+[[exemptions.spin]]
+version = "0.9.4"
+criteria = "safe-to-deploy"
+
 [[exemptions.stable_deref_trait]]
 version = "1.2.0"
 criteria = "safe-to-deploy"
@@ -547,6 +567,10 @@ notes = "we are exempting tokio, hyper, and their tightly coupled dependencies b
 version = "1.7.0"
 criteria = "safe-to-deploy"
 
+[[exemptions.tokio-rustls]]
+version = "0.25.0"
+criteria = "safe-to-deploy"
+
 [[exemptions.tracing]]
 version = "0.1.34"
 criteria = "safe-to-deploy"
@@ -563,6 +587,14 @@ criteria = "safe-to-deploy"
 version = "1.15.0"
 criteria = "safe-to-deploy"
 
+[[exemptions.untrusted]]
+version = "0.9.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.ureq]]
+version = "2.9.6"
+criteria = "safe-to-deploy"
+
 [[exemptions.uuid]]
 version = "1.0.0"
 criteria = "safe-to-deploy"
@@ -600,6 +632,10 @@ version = "0.3.57"
 criteria = "safe-to-deploy"
 notes = "dependency of ring for wasm32 browser platform, which our project does not target"
 
+[[exemptions.webpki-roots]]
+version = "0.26.1"
+criteria = "safe-to-deploy"
+
 [[exemptions.winapi]]
 version = "0.3.9"
 criteria = "safe-to-deploy"
@@ -620,6 +656,10 @@ criteria = "safe-to-deploy"
 version = "0.7.32"
 criteria = "safe-to-deploy"
 
+[[exemptions.zeroize]]
+version = "1.7.0"
+criteria = "safe-to-deploy"
+
 [[exemptions.zstd]]
 version = "0.11.1+zstd.1.5.2"
 criteria = "safe-to-deploy"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 6226ab23de..a4490981e3 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -2021,6 +2021,13 @@ criteria = "safe-to-deploy"
 delta = "0.4.6 -> 0.4.7"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.subtle]]
+who = "Simon Friedberger <simon@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "2.5.0"
+notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation."
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.tempfile]]
 who = "Mike Hommey <mh+mozilla@glandium.org>"
 criteria = "safe-to-deploy"