ngrok · jrobsonchase · Feb 13, 2024 · Feb 12, 2024 · Feb 12, 2024 · Feb 12, 2024
diff --git a/cargo-doc-ngrok/src/main.rs b/cargo-doc-ngrok/src/main.rs
@@ -126,10 +126,7 @@ fn make_watcher(
     runtime.pathset([root_dir]);
     runtime.command(Command::Exec {
         prog: "cargo".into(),
-        args: [String::from("doc")]
-            .into_iter()
-            .chain(args.into_iter())
-            .collect(),
+        args: [String::from("doc")].into_iter().chain(args).collect(),
     });
     runtime.on_action({
         move |action: Action| {

diff --git a/flake.lock b/flake.lock
diff --git a/muxado/examples/server.rs b/muxado/examples/server.rs
@@ -57,7 +57,7 @@ async fn main() -> Result<(), anyhow::Error> {
     loop {
         let (conn, _addr) = l.accept().await?;
 
-        let res = (|| async move {
+        let res = async move {
             let mut sess = SessionBuilder::new(conn).start();
             let sess = &mut sess;
 
@@ -101,7 +101,7 @@ async fn main() -> Result<(), anyhow::Error> {
                 );
             }
             Result::<(), anyhow::Error>::Ok(())
-        })()
+        }
         .await;
 
         if let Err(err) = res {

diff --git a/muxado/src/session.rs b/muxado/src/session.rs
@@ -399,7 +399,7 @@ pub struct MuxadoOpen {
 }
 
 /// The [Accept] half of a muxado session.
-pub struct MuxadoAccept(awaitdrop::Ref, mpsc::Receiver<Stream>);
+pub struct MuxadoAccept(#[allow(dead_code)] awaitdrop::Ref, mpsc::Receiver<Stream>);
 
 #[async_trait]
 impl Accept for MuxadoAccept {

diff --git a/muxado/src/stream.rs b/muxado/src/stream.rs
@@ -325,6 +325,12 @@ impl AsyncWrite for Stream {
     }
 }
 
+#[pin_project::pinned_drop]
+impl PinnedDrop for Stream {
+    #[instrument(level = "trace", skip_all)]
+    fn drop(self: Pin<&mut Self>) {}
+}
+
 #[cfg(test)]
 pub mod test {
     use std::time::Duration;
@@ -394,9 +400,3 @@ pub mod test {
         assert!(rx.try_next().unwrap().unwrap().is_fin());
     }
 }
-
-#[pin_project::pinned_drop]
-impl PinnedDrop for Stream {
-    #[instrument(level = "trace", skip_all)]
-    fn drop(self: Pin<&mut Self>) {}
-}
diff --git a/ngrok/Cargo.toml b/ngrok/Cargo.toml
@@ -11,15 +11,21 @@ muxado = { path = "../muxado", version = "0.4" }
 serde = { version = "1.0.149", features = ["derive"] }
 serde_json = "1.0.89"
 thiserror = "1.0.37"
-base64 = "0.13.1"
-tokio = { version = "1.23.0", features = ["io-util", "net", "sync", "time", "rt"] }
+base64 = "0.21.7"
+tokio = { version = "1.23.0", features = [
+	"io-util",
+	"net",
+	"sync",
+	"time",
+	"rt",
+] }
 tracing = "0.1.37"
-async-rustls = { version = "0.3.0" }
+futures-rustls = { version = "0.25.1" }
 tokio-util = { version = "0.7.4", features = ["compat"] }
 futures = "0.3.25"
 hyper = { version = "0.14.23" }
 axum = { version = "0.6.1", features = ["tokio"], optional = true }
-rustls-pemfile = "1.0.1"
+rustls-pemfile = "2.0.0"
 async-trait = "0.1.59"
 bytes = "1.3.0"
 arc-swap = "1.5.1"
@@ -30,9 +36,11 @@ once_cell = "1.17.1"
 hostname = "0.3.1"
 regex = "1.7.3"
 tokio-socks = "0.5.1"
-hyper-proxy = { version = "0.9.1", default-features = false, features = ["rustls"] }
+hyper-proxy = { version = "0.9.1", default-features = false, features = [
+	"rustls",
+] }
 url = "2.4.0"
-rustls-native-certs = "0.6.3"
+rustls-native-certs = "0.7.0"
 proxy-protocol = "0.5.0"
 pin-project = "1.1.3"
 
@@ -48,7 +56,10 @@ flate2 = "1.0.25"
 tracing-test = "0.2.3"
 rand = "0.8.5"
 paste = "1.0.11"
-tokio-tungstenite = { version = "0.18.0", features = ["rustls", "rustls-tls-webpki-roots"] }
+tokio-tungstenite = { version = "0.18.0", features = [
+	"rustls",
+	"rustls-tls-webpki-roots",
+] }
 
 [[example]]
 name = "tls"

diff --git a/ngrok/src/internals/proto.rs b/ngrok/src/internals/proto.rs
@@ -844,6 +844,7 @@ pub struct LabelEndpoint {
 // These are helpers to facilitate the Vec<u8> <-> base64-encoded bytes
 // representation that the Go messages use
 mod base64bytes {
+    use base64::prelude::*;
     use serde::{
         Deserialize,
         Deserializer,
@@ -852,12 +853,14 @@ mod base64bytes {
     };
 
     pub fn serialize<S: Serializer>(v: &Vec<u8>, s: S) -> Result<S::Ok, S::Error> {
-        base64::encode(v).serialize(s)
+        BASE64_STANDARD.encode(v).serialize(s)
     }
 
     pub fn deserialize<'de, D: Deserializer<'de>>(d: D) -> Result<Vec<u8>, D::Error> {
         let s = String::deserialize(d)?;
-        base64::decode(s.as_bytes()).map_err(serde::de::Error::custom)
+        BASE64_STANDARD
+            .decode(s.as_bytes())
+            .map_err(serde::de::Error::custom)
     }
 }
 

diff --git a/ngrok/src/online_tests.rs b/ngrok/src/online_tests.rs
@@ -17,13 +17,6 @@ use anyhow::{
     anyhow,
     Error,
 };
-use async_rustls::{
-    rustls,
-    rustls::{
-        ClientConfig,
-        RootCertStore,
-    },
-};
 use axum::{
     extract::connect_info::Connected,
     routing::get,
@@ -36,6 +29,11 @@ use futures::{
     prelude::*,
     stream::FuturesUnordered,
 };
+use futures_rustls::rustls::{
+    pki_types,
+    ClientConfig,
+    RootCertStore,
+};
 use hyper::{
     header,
     HeaderMap,
@@ -705,13 +703,10 @@ fn tls_client_config() -> Result<Arc<ClientConfig>, &'static io::Error> {
     static CONFIG: Lazy<Result<Arc<ClientConfig>, io::Error>> = Lazy::new(|| {
         let der_certs = rustls_native_certs::load_native_certs()?
             .into_iter()
-            .map(|c| c.0)
             .collect::<Vec<_>>();
-        let der_certs = der_certs.as_slice();
         let mut root_store = RootCertStore::empty();
         root_store.add_parsable_certificates(der_certs);
         let config = ClientConfig::builder()
-            .with_safe_defaults()
             .with_root_certificates(root_store)
             .with_no_client_auth();
         Ok(Arc::new(config))
@@ -746,10 +741,11 @@ async fn forward_proxy_protocol_tls() -> Result<(), Error> {
         ))
         .await?;
 
-        let domain = rustls::ServerName::try_from(tunnel_url.host_str().unwrap())
-            .map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, e))?;
+        let domain = pki_types::ServerName::try_from(tunnel_url.host_str().unwrap())
+            .map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, e))?
+            .to_owned();
 
-        let mut tls_conn = async_rustls::TlsConnector::from(
+        let mut tls_conn = futures_rustls::TlsConnector::from(
             tls_client_config().map_err(|e| io::Error::from(e.kind()))?,
         )
         .connect(domain, tunnel_conn.compat())
@@ -762,12 +758,7 @@ async fn forward_proxy_protocol_tls() -> Result<(), Error> {
     let (conn, _) = listener.accept().await?;
 
     let mut proxy_conn = crate::proxy_proto::Stream::incoming(conn);
-    let proxy_header = proxy_conn
-        .proxy_header()
-        .await?
-        .unwrap()
-        .map(Clone::clone)
-        .unwrap();
+    let proxy_header = proxy_conn.proxy_header().await?.unwrap().cloned().unwrap();
 
     match proxy_header {
         ProxyHeader::Version2 { .. } => {}

diff --git a/ngrok/src/session.rs b/ngrok/src/session.rs
@@ -17,14 +17,17 @@ use std::{
 };
 
 use arc_swap::ArcSwap;
-use async_rustls::rustls::{self,};
 use async_trait::async_trait;
 use bytes::Bytes;
 use futures::{
     future,
     prelude::*,
     FutureExt,
 };
+use futures_rustls::rustls::{
+    self,
+    pki_types,
+};
 use hyper::{
     client::HttpConnector,
     service::Service,
@@ -222,10 +225,10 @@ pub async fn default_connect(
         .map_err(ConnectError::Tcp)?
         .compat();
 
-    let domain = rustls::ServerName::try_from(host.as_str())
+    let domain = pki_types::ServerName::try_from(host)
         .expect("host should have been validated by SessionBuilder::server_addr");
 
-    let tls_conn = async_rustls::TlsConnector::from(tls_config)
+    let tls_conn = futures_rustls::TlsConnector::from(tls_config)
         .connect(domain, stream)
         .await
         .map_err(ConnectError::Tls)?;
@@ -271,9 +274,9 @@ fn connect_http_proxy(url: Url) -> impl Connector {
                 .map_err(|e| ConnectError::ProxyConnect(Box::new(e)))?
                 .compat();
 
-            let tls_conn = async_rustls::TlsConnector::from(tls_config)
+            let tls_conn = futures_rustls::TlsConnector::from(tls_config)
                 .connect(
-                    rustls::ServerName::try_from(host.as_str())
+                    pki_types::ServerName::try_from(host)
                         .expect("host should have been validated by SessionBuilder::server_addr"),
                     conn,
                 )
@@ -297,9 +300,9 @@ fn connect_socks_proxy(proxy_addr: String) -> impl Connector {
             .map_err(|e| ConnectError::ProxyConnect(Box::new(e)))?
             .compat();
 
-            let tls_conn = async_rustls::TlsConnector::from(tls_config)
+            let tls_conn = futures_rustls::TlsConnector::from(tls_config)
                 .connect(
-                    rustls::ServerName::try_from(server_host.as_str())
+                    pki_types::ServerName::try_from(server_host)
                         .expect("host should have been validated by SessionBuilder::server_addr"),
                     conn,
                 )
@@ -520,7 +523,7 @@ impl SessionBuilder {
             .map(String::from)
             .ok_or_else(|| InvalidServerAddr(addr.clone()))?;
 
-        rustls::ServerName::try_from(self.server_host.as_str())
+        pki_types::ServerName::try_from(self.server_host.as_str())
             .map_err(|_| InvalidServerAddr(addr.clone()))?;
 
         self.server_port = server_uri.port().unwrap_or(443);
@@ -689,20 +692,22 @@ impl SessionBuilder {
         // generate a default TLS config
         let mut root_store = rustls::RootCertStore::empty();
         let cert_pem = self.ca_cert.as_ref().map_or(CERT_BYTES, |it| it.as_ref());
-        root_store.add_parsable_certificates(
-            rustls_pemfile::read_all(&mut io::Cursor::new(cert_pem))
-                .expect("a valid ngrok root certificate")
-                .into_iter()
-                .filter_map(|it| match it {
-                    Item::X509Certificate(bs) => Some(bs),
-                    _ => None,
-                })
-                .collect::<Vec<_>>()
-                .as_slice(),
-        );
+        let certs = rustls_pemfile::read_all(&mut io::Cursor::new(cert_pem))
+            .filter_map(|it| match it {
+                Ok(Item::X509Certificate(bs)) => Some(bs),
+                Err(e) => {
+                    warn!(error = ?e, "skipping certificate which failed to parse");
+                    None
+                }
+                Ok(_) => {
+                    warn!("skipping non-x509 certificate");
+                    None
+                }
+            })
+            .collect::<Vec<_>>();
+        root_store.add_parsable_certificates(certs);
 
         rustls::ClientConfig::builder()
-            .with_safe_defaults()
             .with_root_certificates(root_store)
             .with_no_client_auth()
     }