build(deps): Update rustls and ring (#2735)

This change updates the repo to uses the latest TLS dependencies. Stack canaries are not enabled in produced binaries due to changes in the TLS build.
2024-02-21 16:03:35 -08:00 · 2024-02-21 16:03:35 -08:00 · 10d68a46ab
parent e2d9652193
commit 10d68a46ab
11 changed files with 37 additions and 139 deletions
--- a/.checksec/amd64-gnu.json
+++ b/.checksec/amd64-gnu.json
@ -1,5 +1,5 @@
 {
-  "canary": "yes",
+  "canary": "no",
  "nx": "yes",
  "pie": "yes",
  "relro": "full",
--- a/.checksec/amd64-musl.json
+++ b/.checksec/amd64-musl.json
@ -1,5 +1,5 @@
 {
-  "canary": "yes",
+  "canary": "no",
  "nx": "yes",
  "pie": "yes",
  "relro": "full",
--- a/.checksec/arm-gnu.json
+++ b/.checksec/arm-gnu.json
@ -1,5 +1,5 @@
 {
-  "canary": "yes",
+  "canary": "no",
  "nx": "yes",
  "pie": "yes",
  "relro": "full",
--- a/.checksec/arm-musl.json
+++ b/.checksec/arm-musl.json
@ -1,5 +1,5 @@
 {
-  "canary": "yes",
+  "canary": "no",
  "nx": "yes",
  "pie": "no",
  "relro": "partial",
--- a/.checksec/arm64-gnu.json
+++ b/.checksec/arm64-gnu.json
@ -1,5 +1,5 @@
 {
-  "canary": "yes",
+  "canary": "no",
  "nx": "yes",
  "pie": "yes",
  "relro": "full",
--- a/.checksec/arm64-musl.json
+++ b/.checksec/arm64-musl.json
@ -1,5 +1,5 @@
 {
-  "canary": "yes",
+  "canary": "no",
  "nx": "yes",
  "pie": "no",
  "relro": "partial",
--- a/Cargo.lock
+++ b/Cargo.lock
@ -276,12 +276,6 @@ dependencies = [
 "fslock",
 ]

-[[package]]
-name = "bumpalo"
-version = "3.14.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f30e7476521f6f8af1a1c4c0b8cc94f0bee37d91763d0ca2665f299b6cd8aec"
-
 [[package]]
 name = "bytes"
 version = "1.5.0"
@ -971,15 +965,6 @@ dependencies = [
 "libc",
 ]

-[[package]]
-name = "js-sys"
-version = "0.3.58"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3fac17f7123a73ca62df411b1bf727ccc805daa070338fda671c86dac1bdc27"
-dependencies = [
- "wasm-bindgen",
-]
-
 [[package]]
 name = "lazy_static"
 version = "1.4.0"
@ -1355,7 +1340,7 @@ name = "linkerd-dns-name"
 version = "0.1.0"
 dependencies = [
 "thiserror",
- "untrusted 0.7.1",
+ "untrusted",
 ]

 [[package]]
@ -1592,7 +1577,7 @@ dependencies = [
 "linkerd-stack",
 "linkerd-tls",
 "linkerd-tls-test-util",
- "ring 0.16.20",
+ "ring",
 "rustls-pemfile",
 "rustls-webpki",
 "thiserror",
@ -2104,7 +2089,7 @@ dependencies = [
 "tokio",
 "tower",
 "tracing",
- "untrusted 0.7.1",
+ "untrusted",
 ]

 [[package]]
@ -2775,7 +2760,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5d918c80c5a4c7560db726763020bd16db179e4d5b828078842274a443addb5d"
 dependencies = [
 "pem",
- "ring 0.17.3",
+ "ring",
 "time",
 "yasna",
 ]
@ -2845,31 +2830,17 @@ dependencies = [

 [[package]]
 name = "ring"
-version = "0.16.20"
+version = "0.17.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
-dependencies = [
- "cc",
- "libc",
- "once_cell",
- "spin 0.5.2",
- "untrusted 0.7.1",
- "web-sys",
- "winapi",
-]
-
-[[package]]
-name = "ring"
-version = "0.17.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9babe80d5c16becf6594aa32ad2be8fe08498e7ae60b77de8df700e67f191d7e"
+checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d"
 dependencies = [
 "cc",
+ "cfg-if",
 "getrandom",
 "libc",
- "spin 0.9.8",
- "untrusted 0.9.0",
- "windows-sys 0.48.0",
+ "spin",
+ "untrusted",
+ "windows-sys 0.52.0",
 ]

 [[package]]
@ -2908,33 +2879,33 @@ dependencies = [

 [[package]]
 name = "rustls"
-version = "0.21.7"
+version = "0.21.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd8d6c9f025a446bc4d18ad9632e69aec8f287aa84499ee335599fabd20c3fd8"
+checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba"
 dependencies = [
 "log",
- "ring 0.16.20",
+ "ring",
 "rustls-webpki",
 "sct",
 ]

 [[package]]
 name = "rustls-pemfile"
-version = "1.0.1"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0864aeff53f8c05aa08d86e5ef839d3dfcf07aeba2db32f12db0ef716e87bd55"
+checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c"
 dependencies = [
- "base64 0.13.1",
+ "base64 0.21.5",
 ]

 [[package]]
 name = "rustls-webpki"
-version = "0.101.6"
+version = "0.101.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3c7d5dece342910d9ba34d259310cae3e0154b873b35408b787b59bce53d34fe"
+checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
 dependencies = [
- "ring 0.16.20",
- "untrusted 0.7.1",
+ "ring",
+ "untrusted",
 ]

 [[package]]
@ -2957,12 +2928,12 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"

 [[package]]
 name = "sct"
-version = "0.7.0"
+version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4"
+checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
 dependencies = [
- "ring 0.16.20",
- "untrusted 0.7.1",
+ "ring",
+ "untrusted",
 ]

 [[package]]
@ -3085,12 +3056,6 @@ dependencies = [
 "tonic-build",
 ]

-[[package]]
-name = "spin"
-version = "0.5.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
-
 [[package]]
 name = "spin"
 version = "0.9.8"
@ -3619,12 +3584,6 @@ version = "0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c"

-[[package]]
-name = "untrusted"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
-
 [[package]]
 name = "untrusted"
 version = "0.9.0"
@ -3676,70 +3635,6 @@ version = "0.11.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"

-[[package]]
-name = "wasm-bindgen"
-version = "0.2.81"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7c53b543413a17a202f4be280a7e5c62a1c69345f5de525ee64f8cfdbc954994"
-dependencies = [
- "cfg-if",
- "wasm-bindgen-macro",
-]
-
-[[package]]
-name = "wasm-bindgen-backend"
-version = "0.2.81"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5491a68ab4500fa6b4d726bd67408630c3dbe9c4fe7bda16d5c82a1fd8c7340a"
-dependencies = [
- "bumpalo",
- "lazy_static",
- "log",
- "proc-macro2",
- "quote",
- "syn 1.0.109",
- "wasm-bindgen-shared",
-]
-
-[[package]]
-name = "wasm-bindgen-macro"
-version = "0.2.81"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c441e177922bc58f1e12c022624b6216378e5febc2f0533e41ba443d505b80aa"
-dependencies = [
- "quote",
- "wasm-bindgen-macro-support",
-]
-
-[[package]]
-name = "wasm-bindgen-macro-support"
-version = "0.2.81"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7d94ac45fcf608c1f45ef53e748d35660f168490c10b23704c7779ab8f5c3048"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 1.0.109",
- "wasm-bindgen-backend",
- "wasm-bindgen-shared",
-]
-
-[[package]]
-name = "wasm-bindgen-shared"
-version = "0.2.81"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a89911bd99e5f3659ec4acf9c4d93b0a90fe4a2a11f15328472058edc5261be"
-
-[[package]]
-name = "web-sys"
-version = "0.3.58"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2fed94beee57daf8dd7d51f2b15dc2bcde92d7a72304cdf662a4371008b71b90"
-dependencies = [
- "js-sys",
- "wasm-bindgen",
-]
-
 [[package]]
 name = "which"
 version = "4.4.2"
--- a/linkerd/dns/name/Cargo.toml
+++ b/linkerd/dns/name/Cargo.toml
@ -8,4 +8,4 @@ publish = false

 [dependencies]
 thiserror = "1"
-untrusted = "0.7"
+untrusted = "0.9"
--- a/linkerd/meshtls/rustls/Cargo.toml
+++ b/linkerd/meshtls/rustls/Cargo.toml
@ -11,7 +11,7 @@ test-util = ["linkerd-tls-test-util"]

 [dependencies]
 futures = { version = "0.3", default-features = false }
-ring = { version = "0.16", features = ["std"] }
+ring = { version = "0.17", features = ["std"] }
 rustls-pemfile = "1.0"
 rustls-webpki = { version = "0.101.5", features = ["std"] }
 thiserror = "1"
--- a/linkerd/meshtls/rustls/src/creds/store.rs
+++ b/linkerd/meshtls/rustls/src/creds/store.rs
@ -17,6 +17,7 @@ pub struct Store {
    server_name: dns::Name,
    client_tx: watch::Sender<Arc<rustls::ClientConfig>>,
    server_tx: watch::Sender<Arc<rustls::ServerConfig>>,
+    random: ring::rand::SystemRandom,
 }

 #[derive(Clone)]
@ -88,6 +89,7 @@ impl Store {
            server_name,
            client_tx,
            server_tx,
+            random: ring::rand::SystemRandom::new(),
        }
    }

@ -146,7 +148,8 @@ impl id::Credentials for Store {
        // Use the client's verifier to validate the certificate for our local name.
        self.validate(&chain)?;

-        let key = EcdsaKeyPair::from_pkcs8(SIGNATURE_ALG_RING_SIGNING, &key).map_err(InvalidKey)?;
+        let key = EcdsaKeyPair::from_pkcs8(SIGNATURE_ALG_RING_SIGNING, &key, &self.random)
+            .map_err(InvalidKey)?;

        let resolver = Arc::new(CertResolver(Arc::new(rustls::sign::CertifiedKey::new(
            chain,
--- a/linkerd/tls/Cargo.toml
+++ b/linkerd/tls/Cargo.toml
@ -21,7 +21,7 @@ thiserror = "1"
 tokio = { version = "1", features = ["macros", "time"] }
 tower = "0.4"
 tracing = "0.1"
-untrusted = "0.7"
+untrusted = "0.9"

 [dev-dependencies]
 linkerd-tracing = { path = "../tracing", features = ["ansi"] }