chore: Fix cargo audit warnings up to but excluding behaviour changes (#456)

* Fix libgit2-sys vuln by upgrading vergen

* Remove atty dependency (unmaintained)

* Update clap to version 4

* Remove rustls-pemfile dependency (unmaintained)

* Fix rustls issues

Restore rustls-native-certs and upgrade version
Switch to tokio_rustlrs pki_types

* Run cargo fmt

* Test single threading tests

* Fix use of rustls-native-certs

* Update packages to resolve vulnerabilities

Author: sjtrny

Cargo.lock

@@ -30,7 +30,6 @@ client = []
 native-tls = ["tokio-native-tls"]
 rustls = [
     "tokio-rustls",
-    "rustls-pemfile",
     "rustls-native-certs",
     "p12",
 ]
@@ -87,7 +86,7 @@ codegen-units = 1
 [dependencies]
 tokio = { version = "1", features = ["full"] }
 bytes = { version = "1", features = ["serde"] }
-clap = { version = "3.0", features = ["derive"] }
+clap = { version = "4.0", features = ["derive"] }
 toml = "0.5"
 serde = { version = "1.0", features = ["derive"] }
 anyhow = "1.0"
@@ -110,7 +109,6 @@ notify = { version = "5.0.0-pre.13", optional = true }
 console-subscriber = { version = "0.1", optional = true, features = [
     "parking_lot",
 ] }
-atty = "0.2"
 async-http-proxy = { version = "1.2", features = [
     "runtime-tokio",
     "basic-auth",
@@ -123,18 +121,15 @@ futures-core = { version = "0.3.28", optional = true }
 futures-sink = { version = "0.3.28", optional = true }
 tokio-native-tls = { version = "0.3", optional = true }
 tokio-rustls = { version = "0.25", optional = true }
-rustls-native-certs = { version = "0.7", optional = true }
-rustls-pemfile = { version = "2.0", optional = true }
+rustls-native-certs = { version = "0.8.3", optional = true }
 p12 = { version = "0.6.3", optional = true }
 
 [target.'cfg(target_env = "musl")'.dependencies]
 openssl = { version = "0.10", features = ["vendored"], optional = true }
 
 [build-dependencies]
-vergen = { version = "7.4.2", default-features = false, features = [
+vergen-gitcl = { version = "9.1.0", default-features = false, features = [
     "build",
-    "git",
-    "cargo",
+    "cargo"
 ] }
 anyhow = "1.0"
-

Cargo.toml

@@ -1,19 +1,40 @@
 use anyhow::Result;
-use vergen::{vergen, Config, SemverKind};
+use vergen_gitcl::{BuildBuilder, CargoBuilder, Emitter, GitclBuilder};
 
 fn main() -> Result<()> {
-    let mut config = Config::default();
-    // Change the SEMVER output to the lightweight variant
-    *config.git_mut().semver_kind_mut() = SemverKind::Lightweight;
-    // Add a `-dirty` flag to the SEMVER output
-    *config.git_mut().semver_dirty_mut() = Some("-dirty");
-    // Generate the instructions
-    if let Err(e) = vergen(config) {
-        eprintln!("error occurred while generating instructions: {:?}", e);
-        let mut config = Config::default();
-        *config.git_mut().enabled_mut() = false;
-        vergen(config)
-    } else {
-        Ok(())
+    // Manually define compile time env vars that were auto
+    // generated by earlier versions of vergen.
+    println!(
+        "cargo:rustc-env=VERGEN_BUILD_SEMVER={}",
+        env!("CARGO_PKG_VERSION")
+    );
+    println!(
+        "cargo:rustc-env=VERGEN_CARGO_PROFILE={}",
+        std::env::var("PROFILE").unwrap()
+    );
+
+    let build = BuildBuilder::all_build()?;
+    let cargo = CargoBuilder::all_cargo()?;
+
+    let mut emitter = Emitter::default();
+    emitter.add_instructions(&build)?;
+    emitter.add_instructions(&cargo)?;
+
+    match GitclBuilder::default()
+        .describe(true, true, None)
+        .sha(false)
+        .commit_timestamp(true)
+        .branch(true)
+        .build()
+    {
+        Ok(git) => {
+            emitter.add_instructions(&git)?;
+        }
+        Err(e) => {
+            println!("cargo:warning=vergen-gitcl failed, building without git info: {e}");
+        }
     }
+
+    emitter.emit()?;
+    Ok(())
 }

build.rs

@@ -1,15 +1,15 @@
-use clap::{AppSettings, ArgGroup, Parser};
+use clap::{ArgGroup, Parser, ValueEnum};
 use lazy_static::lazy_static;
 
-#[derive(clap::ArgEnum, Clone, Debug, Copy)]
+#[derive(ValueEnum, Clone, Debug, Copy)]
 pub enum KeypairType {
     X25519,
     X448,
 }
 
 lazy_static! {
     static ref VERSION: &'static str =
-        option_env!("VERGEN_GIT_SEMVER_LIGHTWEIGHT").unwrap_or(env!("VERGEN_BUILD_SEMVER"));
+        option_env!("VERGEN_GIT_DESCRIBE").unwrap_or(env!("VERGEN_BUILD_SEMVER"));
     static ref LONG_VERSION: String = format!(
         "
 Build Timestamp:     {}
@@ -33,36 +33,43 @@ cargo Features:      {}
 }
 
 #[derive(Parser, Debug, Default, Clone)]
-#[clap(
+#[command(
     about,
-    version(*VERSION),
-    long_version(LONG_VERSION.as_str()),
-    setting(AppSettings::DeriveDisplayOrder)
+    version = *VERSION,
+    long_version = LONG_VERSION.as_str(),
+    // AppSettings::DeriveDisplayOrder has no direct v4 enum replacement.
+    // clap v4 generally respects declaration order; keep or add explicit display_order if needed.
 )]
-#[clap(group(
-            ArgGroup::new("cmds")
-                .required(true)
-                .args(&["CONFIG", "genkey"]),
-        ))]
+#[command(group(
+    ArgGroup::new("cmds")
+        .required(true)
+        .args(&["CONFIG", "genkey"]),
+))]
 pub struct Cli {
     /// The path to the configuration file
     ///
     /// Running as a client or a server is automatically determined
     /// according to the configuration file.
-    #[clap(parse(from_os_str), name = "CONFIG")]
+    #[arg(value_name = "CONFIG")]
     pub config_path: Option<std::path::PathBuf>,
 
     /// Run as a server
-    #[clap(long, short, group = "mode")]
+    #[arg(long, short, group = "mode")]
     pub server: bool,
 
     /// Run as a client
-    #[clap(long, short, group = "mode")]
+    #[arg(long, short, group = "mode")]
     pub client: bool,
 
     /// Generate a keypair for the use of the noise protocol
     ///
     /// The DH function to use is x25519
-    #[clap(long, arg_enum, value_name = "CURVE")]
+    #[arg(
+        long,
+        value_enum,
+        value_name = "CURVE",
+        num_args = 0..=1,
+        default_missing_value = "x25519"
+    )]
     pub genkey: Option<Option<KeypairType>>,
 }

src/cli.rs

@@ -227,7 +227,8 @@ async fn run_data_channel<T: Transport>(args: Arc<RunDataChannelArgs<T>>) -> Res
             if args.service.service_type != ServiceType::Udp {
                 bail!("Expect UDP traffic. Please check the configuration.")
             }
-            run_data_channel_for_udp::<T>(conn, &args.service.local_addr, args.service.prefer_ipv6).await?;
+            run_data_channel_for_udp::<T>(conn, &args.service.local_addr, args.service.prefer_ipv6)
+                .await?;
         }
     }
     Ok(())
@@ -255,7 +256,11 @@ async fn run_data_channel_for_tcp<T: Transport>(
 type UdpPortMap = Arc<RwLock<HashMap<SocketAddr, mpsc::Sender<Bytes>>>>;
 
 #[instrument(skip(conn))]
-async fn run_data_channel_for_udp<T: Transport>(conn: T::Stream, local_addr: &str, prefer_ipv6: bool) -> Result<()> {
+async fn run_data_channel_for_udp<T: Transport>(
+    conn: T::Stream,
+    local_addr: &str,
+    prefer_ipv6: bool,
+) -> Result<()> {
     debug!("New data channel starts forwarding");
 
     let port_map: UdpPortMap = Arc::new(RwLock::new(HashMap::new()));

src/client.rs

@@ -65,7 +65,6 @@ pub fn host_port_pair(s: &str) -> Result<(&str, u16)> {
 
 /// Create a UDP socket and connect to `addr`
 pub async fn udp_connect<A: ToSocketAddrs>(addr: A, prefer_ipv6: bool) -> Result<UdpSocket> {
-
     let (socket_addr, bind_addr);
 
     match prefer_ipv6 {
@@ -76,7 +75,7 @@ pub async fn udp_connect<A: ToSocketAddrs>(addr: A, prefer_ipv6: bool) -> Result
                 SocketAddr::V4(_) => "0.0.0.0:0",
                 SocketAddr::V6(_) => ":::0",
             };
-        },
+        }
         true => {
             let all_host_addresses: Vec<SocketAddr> = lookup_host(addr).await?.collect();
 
@@ -85,7 +84,7 @@ pub async fn udp_connect<A: ToSocketAddrs>(addr: A, prefer_ipv6: bool) -> Result
                 Some(socket_addr_ipv6) => {
                     socket_addr = *socket_addr_ipv6;
                     bind_addr = ":::0";
-                },
+                }
                 None => {
                     let socket_addr_ipv4 = all_host_addresses.iter().find(|x| x.is_ipv4());
                     match socket_addr_ipv4 {
@@ -194,30 +193,42 @@ where
     Ok(())
 }
 
-pub fn generate_proxy_protocol_header(s: &TcpStream, proxy_protocol: &str) -> Result<Vec<u8>, anyhow::Error> {
+pub fn generate_proxy_protocol_header(
+    s: &TcpStream,
+    proxy_protocol: &str,
+) -> Result<Vec<u8>, anyhow::Error> {
     let local_addr = s.local_addr()?;
     let remote_addr = s.peer_addr()?;
 
     match proxy_protocol {
         "v1" => {
             let proto = if local_addr.is_ipv4() { "TCP4" } else { "TCP6" };
             let header = format!(
-                "PROXY {} {} {} {} {}\r\n", 
-                proto, 
-                remote_addr.ip(), 
-                local_addr.ip(), 
-                remote_addr.port(), 
+                "PROXY {} {} {} {} {}\r\n",
+                proto,
+                remote_addr.ip(),
+                local_addr.ip(),
+                remote_addr.port(),
                 local_addr.port()
             );
 
             Ok(header.into_bytes())
         }
         "v2" => {
-
-            let v2sig: &[u8] = &[0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A];
+            let v2sig: &[u8] = &[
+                0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A,
+            ];
             let ver_cmd = &[0x21]; // 0x21 version 2 and PROXY command
-            let proto = if local_addr.is_ipv4() { &[0x11] } else { &[0x21] }; // 0x11 for TCP IPv4 and 0x21 for TCP IPv6, TODO: support UNIX
-            let addrs_length: &[u8] = if local_addr.is_ipv4() { &[0, 12] } else { &[0, 36] }; // 12 for IPv4 and 36 for IPv6, TOOD: support UNIX
+            let proto = if local_addr.is_ipv4() {
+                &[0x11]
+            } else {
+                &[0x21]
+            }; // 0x11 for TCP IPv4 and 0x21 for TCP IPv6, TODO: support UNIX
+            let addrs_length: &[u8] = if local_addr.is_ipv4() {
+                &[0, 12]
+            } else {
+                &[0, 36]
+            }; // 12 for IPv4 and 36 for IPv6, TOOD: support UNIX
             let src_addr = match remote_addr {
                 SocketAddr::V4(v4) => v4.ip().octets().to_vec(),
                 SocketAddr::V6(v6) => v6.ip().octets().to_vec(),
@@ -226,28 +237,25 @@ pub fn generate_proxy_protocol_header(s: &TcpStream, proxy_protocol: &str) -> Re
                 SocketAddr::V4(v4) => v4.ip().octets().to_vec(),
                 SocketAddr::V6(v6) => v6.ip().octets().to_vec(),
             };
-    
-            let header:Vec<u8> = [
-                v2sig, 
-                ver_cmd, 
-                proto, 
+
+            let header: Vec<u8> = [
+                v2sig,
+                ver_cmd,
+                proto,
                 addrs_length,
                 &src_addr,
                 &dst_addr,
                 &remote_addr.port().to_be_bytes(),
-                &local_addr.port().to_be_bytes()
-                ].concat();
-    
+                &local_addr.port().to_be_bytes(),
+            ]
+            .concat();
+
             trace!("Proxy protocol v2 header: {:02x?}", header);
-    
-            Ok(header)
 
-        },
-        _ => {
-            Err(anyhow!("Unknown proxy protocol {}", proxy_protocol))
+            Ok(header)
         }
+        _ => Err(anyhow!("Unknown proxy protocol {}", proxy_protocol)),
     }
-
 }
 
 #[cfg(test)]

src/helper.rs

@@ -2,6 +2,10 @@ use anyhow::Result;
 use clap::Parser;
 use rathole::{run, Cli};
 use tokio::{signal, sync::broadcast};
+
+#[cfg(not(feature = "console"))]
+use std::io::{self, IsTerminal};
+
 #[cfg(not(feature = "console"))]
 use tracing_subscriber::EnvFilter;
 
@@ -31,14 +35,14 @@ async fn main() -> Result<()> {
     }
     #[cfg(not(feature = "console"))]
     {
-        let is_atty = atty::is(atty::Stream::Stdout);
+        let ansi = io::stdout().is_terminal();
 
         let level = "info"; // if RUST_LOG not present, use `info` level
         tracing_subscriber::fmt()
             .with_env_filter(
                 EnvFilter::try_from_default_env().unwrap_or_else(|_| EnvFilter::from(level)),
             )
-            .with_ansi(is_atty)
+            .with_ansi(ansi)
             .init();
     }
 

src/main.rs

@@ -649,12 +649,13 @@ async fn run_tcp_connection_pool<T: Transport>(
                     let proxy_proto = proxy_protocol.clone();
                     tokio::spawn(async move {
                         if !proxy_proto.is_empty() {
-                            let proxy_proto_header = generate_proxy_protocol_header(&visitor, &proxy_proto);
+                            let proxy_proto_header =
+                                generate_proxy_protocol_header(&visitor, &proxy_proto);
                             match proxy_proto_header {
                                 Ok(header) => {
                                     let _ = ch.write_all(&header).await;
                                     let _ = ch.flush().await;
-                                },
+                                }
                                 Err(e) => {
                                     error!("Failed to generate proxy protocol header: {}", e);
                                 }