From 64f60d8d3347194e19ac9f79c01edb5429f8f24d Mon Sep 17 00:00:00 2001
From: Dominik Nakamura
Date: Sat, 6 Nov 2021 18:45:26 +0200
Subject: [PATCH] Upgrade to rustls 0.20 / tungstenite 0.16
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Based on tokio-tungstenite PR: https://github.com/snapview/tokio-tungstenite/pull/198

Co-authored-by: Sebastian Dröge
---
 Cargo.toml | 10 +++++-----
 src/tokio/rustls.rs | 44 +++++++++++++++++++++++++++++++++-----------
 2 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index aa92e0c..0e1d8ab 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -8,7 +8,7 @@ license = "MIT"
 homepage = "https://github.com/sdroege/async-tungstenite"
 repository = "https://github.com/sdroege/async-tungstenite"
 documentation = "https://docs.rs/async-tungstenite"
-version = "0.15.0"
+version = "0.16.0"
 edition = "2018"
 readme = "README.md"
 include = ["examples/**/*", "src/**/*", "LICENSE", "README.md", "CHANGELOG.md"]
@@ -36,7 +36,7 @@ futures-io = { version = "0.3", default-features = false, features = ["std"] }
 pin-project-lite = "0.2"
 
 [dependencies.tungstenite]
-version = "0.15.0"
+version = "0.16.0"
 default-features = false
 
 [dependencies.async-std]
@@ -79,16 +79,16 @@ package = "tokio-native-tls"
 
 [dependencies.real-tokio-rustls]
 optional = true
-version = "^0.22"
+version = "0.23"
 package = "tokio-rustls"
 
 [dependencies.rustls-native-certs]
 optional = true
-version = "0.5"
+version = "0.6"
 
 [dependencies.webpki-roots]
 optional = true
-version = "0.21"
+version = "0.22"
 
 [dependencies.gio]
 optional = true
diff --git a/src/tokio/rustls.rs b/src/tokio/rustls.rs
index c07337e..ff62de3 100644
--- a/src/tokio/rustls.rs
+++ b/src/tokio/rustls.rs
@@ -1,12 +1,14 @@
-use real_tokio_rustls::rustls::ClientConfig;
-use real_tokio_rustls::webpki::DNSNameRef;
+use real_tokio_rustls::rustls::{ClientConfig, RootCertStore, ServerName};
 use real_tokio_rustls::{client::TlsStream, TlsConnector};
 
 use tungstenite::client::{uri_mode, IntoClientRequest};
+use tungstenite::error::TlsError;
 use tungstenite::handshake::client::Request;
 use tungstenite::stream::Mode;
 use tungstenite::Error;
 
+use std::convert::TryFrom;
+
 use crate::stream::Stream as StreamSwitcher;
 use crate::{client_async_with_config, domain, Response, WebSocketConfig, WebSocketStream};
 
@@ -35,23 +37,43 @@ where
 let connector = if let Some(connector) = connector {
 connector
 } else {
- let mut config = ClientConfig::new();
+ let mut root_store = RootCertStore::empty();
 #[cfg(feature = "tokio-rustls-native-certs")]
 {
- config.root_store =
- rustls_native_certs::load_native_certs().map_err(|(_, err)| err)?;
+ use real_tokio_rustls::rustls::Certificate;
+
+ for cert in rustls_native_certs::load_native_certs()? {
+ root_store
+ .add(&Certificate(cert.0))
+ .map_err(TlsError::Webpki)?;
+ }
 }
 #[cfg(all(
 feature = "tokio-rustls-webpki-roots",
 not(feature = "tokio-rustls-native-certs")
 ))]
- config
- .root_store
- .add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
- TlsConnector::from(std::sync::Arc::new(config))
+ {
+ use real_tokio_rustls::rustls::OwnedTrustAnchor;
+
+ root_store.add_server_trust_anchors(
+ webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
+ OwnedTrustAnchor::from_subject_spki_name_constraints(
+ ta.subject,
+ ta.spki,
+ ta.name_constraints,
+ )
+ }),
+ );
+ }
+ TlsConnector::from(std::sync::Arc::new(
+ ClientConfig::builder()
+ .with_safe_defaults()
+ .with_root_certificates(root_store)
+ .with_no_client_auth(),
+ ))
 };
- let domain = DNSNameRef::try_from_ascii_str(&domain)
- .map_err(|err| Error::Tls(err.into()))?;
+ let domain = ServerName::try_from(domain.as_str())
+ .map_err(|_| Error::Tls(TlsError::InvalidDnsName))?;
 connector.connect(domain, socket).await?
 };
 Ok(StreamSwitcher::Tls(TokioAdapter::new(stream)))
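Review bot: In the native-certs branch, `.add(&Certificate(cert.0)).map_err(TlsError::Webpki)?` aborts the whole connection on the first entry in the platform store that webpki cannot parse, so a single stale or oddly encoded root in the OS store makes every TLS connection from this client fail, whereas the old `load_native_certs()` path only failed on the store itself being unreadable. Skipping such an entry never widens what the client trusts, and rustls provides `RootCertStore::add_parsable_certificates` for exactly this, e.g. `let certs: Vec<Vec<u8>> = rustls_native_certs::load_native_certs()?.into_iter().map(|c| c.0).collect();` followed by `let (_added, _ignored) = root_store.add_parsable_certificates(&certs);`, which also drops the need for the `Certificate` import. If failing closed on a malformed root is the intended policy, a one-line comment stating that would stop the next maintainer from "fixing" it. The enclosing function starts and ends outside this hunk.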