From 63b43bb2ede12ee72b70e1631ef7c53dee8bc4c7 Mon Sep 17 00:00:00 2001 From: Ericson Soares Date: Tue, 20 Aug 2024 23:05:57 -0300 Subject: [PATCH] Update deps and configure TLS with new stuff --- Cargo.lock | Bin 306716 -> 307847 bytes core/crates/cloud-services/Cargo.toml | 20 +++---- .../crates/cloud-services/src/cloud_client.rs | 56 +++++++++++++----- 3 files changed, 50 insertions(+), 26 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 6c68fb83c1d9bf374dc550fc7a358b9b69208658..36284387496cd07d78cd56b393d075af5955f9ee 100644 GIT binary patch delta 1304 zcmaJ=ZD>|y80MVw%5=l#Hr+?&dRL&fde`&)5$M1uic;tL5TqYIpYhh**1LE1D^ZY) zeuVjwcSK-6gA!~gry!xQ6cT6t&WgS$0%?MOLaZJ~4l3x^InVu^b6xj+U)S~awkm)c{Cfo3BC?GujR{E zO_*k!YV4`)4UKxNhX%YfpFet&w*!tt)(zJ#CUTDi)|P7~arB;QYMe5{Ats|>2uqBy zcGxM)aFm{CBE8jEO5vTij>FZnd2eg~nH8G}jW@Z(X?_>|c ziI0lDLsyPv<&|UkhP&a$ooNUqomE^Ug=~^W1>-|f-3R71VJs{>Ui6j+Kg)mI2KSBSjP+1F~JXxtg|8&+1TOsSJHfCp<6En4cbrc#k zGwB;sbr09Oiz*x($h%$S$zRI~Nn+a^7MkaSeOE5_RG16Kpl1EyfUhZEcDu?@u3v1R>>}kZ# z@strw9O2Sa>(cgdaxqE3$rm!TUjMBRwr@)UkJgHfaOz0bT{dgQcpD5(XI=kEO8EsV zMpw0^T@gHj%M}k53mxr~vwLc`{%n1+d2{+f`1#>VUwO}t;@4fbK7<`R^EKth_lxVx zmP%$QZTGQ-d_}osu6U|vseb>*#ZdX-=f%$KR;lbfSMZnNVkKV=Q`;-U<=(B8tJ&hY aOy`sN($&4?)8mz2HZA?Q`Ecc%b$UV@ysF_E`KhP^_}?IaXLT8WlBMs)`Dg^KvG(Got1=WK}4Rx zD#?XsK0$O`Gq0o3)`91OvB(FICdyN9kW&q=zC-5c9Mje)r*v+EQAs2T$uOIe&vgQj zQvendQ<;l4hZw+U#+Wdz1TY3)f37ou-SuV^&%8wr;!?lfPOmkG@ZPgz3cDxi{DG)L zc3c{3nQFDEM4Uf2tEgcutxiv3e&jnC3+LygJjDM zneF)D4tg7g_2z+1!7=<2$vAeWn)$glMdLsP;RR%7+m?mMcs3%-q`|ACLJLxRU>4eJ zvSFHY51_fpNdT_APyRP{>HFr<^26KY{$bpNOyKTiG& DrPK{I diff --git a/core/crates/cloud-services/Cargo.toml b/core/crates/cloud-services/Cargo.toml index d45a4604d..9773daec9 100644 --- a/core/crates/cloud-services/Cargo.toml +++ b/core/crates/cloud-services/Cargo.toml 
@@ -27,18 +27,14 @@ tracing = { workspace = true }
 zeroize = { workspace = true }
 # External dependencies
-iroh-base = { version = "0.22.0", features = ["key"] }
-postcard = { version = "1.0.8", features = ["use-std"] }
-quic-rpc = { version = "0.11.0", features = ["quinn-transport"] }
-quinn = { package = "iroh-quinn", version = "=0.10.5" }
-reqwest-middleware = { version = "0.3", features = ["json"] }
-reqwest-retry = "0.6"
-
-[dependencies.rustls-old]
-default-features = false
-features = ["dangerous_configuration", "logging", "quic"]
-package = "rustls"
-version = "0.21.12" # Update blocked by quic-rpc
+iroh-base = { version = "0.23.0", features = ["key"] }
+postcard = { version = "1.0.8", features = ["use-std"] }
+quic-rpc = { version = "0.12.0", features = ["quinn-transport"] }
+quinn = { package = "iroh-quinn", version = "=0.11.3" }
+reqwest-middleware = { version = "0.3", features = ["json"] }
+reqwest-retry = "0.6"
+rustls = { version = "0.23", default-features = false, features = ["ring"] }
+rustls-platform-verifier = "0.3.3"
 [dev-dependencies]
diff --git a/core/crates/cloud-services/src/cloud_client.rs b/core/crates/cloud-services/src/cloud_client.rs
index b9154f979..822e6d0c6 100644
--- a/core/crates/cloud-services/src/cloud_client.rs
+++ b/core/crates/cloud-services/src/cloud_client.rs
@@ -3,7 +3,7 @@ use sd_cloud_schema::{Client, Service};
 use std::{net::SocketAddr, sync::Arc, time::Duration};
 use quic_rpc::{transport::quinn::QuinnConnection, RpcClient};
-use quinn::{ClientConfig, Endpoint};
+use quinn::{crypto::rustls::QuicClientConfig, ClientConfig, Endpoint};
 use reqwest::{IntoUrl, Url};
 use reqwest_middleware::{reqwest, ClientBuilder, ClientWithMiddleware};
 use reqwest_retry::{policies::ExponentialBackoff, RetryTransientMiddleware};
@@ -114,36 +114,64 @@ impl CloudServices {
 let crypto_config = {
 #[cfg(debug_assertions)]
 {
+ #[derive(Debug)]
 struct SkipServerVerification;
- impl rustls_old::client::ServerCertVerifier for SkipServerVerification {
+ impl rustls::client::danger::ServerCertVerifier for SkipServerVerification {
 fn verify_server_cert(
 &self,
- _end_entity: &rustls_old::Certificate,
- _intermediates: &[rustls_old::Certificate],
- _server_name: &rustls_old::ServerName,
- _scts: &mut dyn Iterator,
+ _end_entity: &rustls::pki_types::CertificateDer<'_>,
+ _intermediates: &[rustls::pki_types::CertificateDer<'_>],
+ _server_name: &rustls::pki_types::ServerName<'_>,
 _ocsp_response: &[u8],
- _now: std::time::SystemTime,
- ) -> Result {
- Ok(rustls_old::client::ServerCertVerified::assertion())
+ _now: rustls::pki_types::UnixTime,
+ ) -> Result {
+ Ok(rustls::client::danger::ServerCertVerified::assertion())
+ }
+
+ fn verify_tls12_signature(
+ &self,
+ _message: &[u8],
+ _cert: &rustls::pki_types::CertificateDer<'_>,
+ _dss: &rustls::DigitallySignedStruct,
+ ) -> Result {
+ Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+ }
+
+ fn verify_tls13_signature(
+ &self,
+ _message: &[u8],
+ _cert: &rustls::pki_types::CertificateDer<'_>,
+ _dss: &rustls::DigitallySignedStruct,
+ ) -> Result {
+ Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+ }
+
+ fn supported_verify_schemes(&self) -> Vec {
+ vec![]
 }
 }
- rustls_old::ClientConfig::builder()
- .with_safe_defaults()
+ rustls::ClientConfig::builder_with_protocol_versions(&[&rustls::version::TLS13])
+ .dangerous()
 .with_custom_certificate_verifier(Arc::new(SkipServerVerification))
 .with_no_client_auth()
 }
 #[cfg(not(debug_assertions))]
 {
- rustls_old::ClientConfig::builder()
- .with_safe_defaults()
+ rustls::ClientConfig::builder_with_protocol_versions(&[&rustls::version::TLS13])
+ .dangerous()
+ .with_custom_certificate_verifier(Arc::new(
+ rustls_platform_verifier::Verifier::new(),
+ ))
 .with_no_client_auth()
 }
 };
- let client_config = ClientConfig::new(Arc::new(crypto_config));
+ let client_config = ClientConfig::new(Arc::new(
+ QuicClientConfig::try_from(crypto_config)
+ .expect("misconfigured TLS client config, this is a bug and should crash"),
+ ));
 let mut endpoint = Endpoint::client("[::]:0".parse().expect("hardcoded address"))
 .map_err(Error::FailedToCreateEndpoint)?;
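Review bot: `supported_verify_schemes` in the debug-only `SkipServerVerification` returns `vec![]`, and rustls 0.23 takes that list as the signature schemes the client advertises and will accept, so an empty list is likely to make the handshake fail outright rather than merely skip verification; returning the provider's list, `rustls::crypto::ring::default_provider().signature_verification_algorithms.supported_schemes()`, keeps the dev path working and matches the trait's contract of a priority-ordered list. `builder_with_protocol_versions` (both branches) picks up the process-default `CryptoProvider`; with the features in this commit's Cargo.toml that is ring, but if any other crate in the graph enables a second provider feature the builder panics at startup unless `CryptoProvider::install_default` has run, so an explicit install or a comment recording that assumption would make this robust. The `#[cfg(debug_assertions)]` branch disables server authentication for every debug build, including developers running against the real service; a comment such as `// Dev builds skip TLS server verification: any on-path host can impersonate the cloud service` — or an opt-in feature/env gate instead of `debug_assertions` — would make that trade-off visible at the call site. The enclosing method starts before the hunk.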