fix(deps): Replace openssl with rustls in tests and experimental features (#7047)

* Remove openssl dependency and prevent it coming back

* Put the arguments in the right place

* Put comment in the right place

* Add a default-docker feature to zebrad and use it in workflows and Docker files

* Fix a comment typo

* Make sure that Docker production builds don't use openssl

* Rename feature to default-release-binaries

.github/workflows/build-docker-image.yml

@@ -38,7 +38,7 @@ on:
       # https://github.com/ZcashFoundation/zebra/blob/main/docker/Dockerfile#L83
       features:
         required: false
-        default: "sentry"
+        default: "default-release-binaries"
         type: string
       test_features:
         required: false

.github/workflows/continous-integration-os.yml

@@ -261,8 +261,8 @@ jobs:
         # We don't need to check `--no-default-features` here, because (except in very rare cases):
         # - disabling features isn't going to add duplicate dependencies
         # - disabling features isn't going to add more crate sources
-        features: ['', '--all-features']
+        features: ['', '--features default-release-binaries', '--all-features']
-      # We always want to run the --all-features job, because it gives accurate "skip tree root was not found" warnings
+      # Always run the --all-features job, to get accurate "skip tree root was not found" warnings
       fail-fast: false
 
     # Prevent sudden announcement of a new advisory from failing ci:
@@ -274,12 +274,14 @@ jobs:
           persist-credentials: false
       - uses: r7kamura/rust-problem-matchers@v1.3.0
 
-      # The --all-features job is the only job that gives accurate "skip tree root was not found" warnings.
-      # In other jobs, we expect some of these warnings, due to disabled features.
       - name: Check ${{ matrix.checks }} with features ${{ matrix.features }}
         uses: EmbarkStudios/cargo-deny-action@v1
         with:
-          command: check ${{ matrix.checks }}
+          # --all-features spuriously activates openssl, but we want to ban that dependency in
+          # all of zebrad's production features for security reasons. But the --all-features job is
+          # the only job that gives accurate "skip tree root was not found" warnings.
+          # In other jobs, we expect some of these warnings, due to disabled features.
+          command: check ${{ matrix.checks }} ${{ matrix.features == '--all-features' && '--allow banned' || '--allow unmatched-skip-root' }}
           arguments: --workspace ${{ matrix.features }}
 
   unused-deps:

.github/workflows/release-binaries.yml

@@ -44,7 +44,7 @@ jobs:
       tag_suffix: .experimental
       network: Testnet
       rpc_port: '18232'
-      features: "sentry getblocktemplate-rpcs"
+      features: "default-release-binaries getblocktemplate-rpcs"
       test_features: ""
       rust_backtrace: '1'
       zebra_skip_ipv6_tests: '1'

deny.toml

@@ -10,6 +10,13 @@
 [bans]
 # Lint level for when multiple versions of the same crate are detected
 multiple-versions = "deny"
+
+# Don't allow wildcard ("any version") dependencies
+wildcards = "deny"
+# Allow private and dev wildcard dependencies.
+# Switch this to `false` when #6924 is implemented.
+allow-wildcard-paths = true
+
 # The graph highlighting used when creating dotgraphs for crates
 # with multiple versions
 # * lowest-version - The path to the lowest versioned duplicate is highlighted
@@ -17,12 +24,18 @@ multiple-versions = "deny"
 # * all - Both lowest-version and simplest-path are used
 highlight = "all"
 
-# We don't use this for Zebra.
-#
 # List of crates that are allowed. Use with care!
 #allow = [
 #]
 
+# List of crates that can never become Zebra dependencies.
+deny = [
+    # Often has memory safety vulnerabilities.
+    # Enabled by --all-features, use the `cargo hack` script in the deny.toml CI job instead.
+    { name = "openssl" },
+    { name = "openssl-sys" },
+]
+
 # We only use this for some `librustzcash` and `orchard` crates.
 # If we add a crate here, duplicate dependencies of that crate are still shown.
 #
@@ -47,6 +60,9 @@ skip-tree = [
     # wait for criterion to upgrade
     { name = "itertools", version = "=0.10.5" },
 
+    # wait for backtrace and multiple dependents to upgrade
+    { name = "miniz_oxide", version = "=0.6.2" },
+
     # ZF crates
 
     # wait for zcashd and zcash_script to upgrade
@@ -71,6 +87,9 @@ skip-tree = [
     # wait for zcash_address to upgrade
     { name = "bs58", version = "=0.4.0" },
 
+    # wait for minreq and zcash_proofs to upgrade
+    { name = "rustls", version = "=0.20.8" },
+
     # zebra-utils dependencies
 
     # wait for structopt upgrade (or upgrade to clap 4)

docker/Dockerfile

@@ -81,7 +81,7 @@ ENV ZEBRA_SKIP_IPV6_TESTS ${ZEBRA_SKIP_IPV6_TESTS:-1}
 # Build zebrad with these features
 # Keep these in sync with:
 # https://github.com/ZcashFoundation/zebra/blob/main/.github/workflows/build-docker-image.yml#L42
-ARG FEATURES="sentry"
+ARG FEATURES="default-release-binaries"
 ARG TEST_FEATURES="lightwalletd-grpc-tests zebra-checkpoints"
 # Use ENTRYPOINT_FEATURES to override the specific features used to run tests in entrypoint.sh,
 # separately from the test and production image builds.

docker/zcash-params/Dockerfile

@@ -23,7 +23,7 @@ RUN apt-get -qq update && \
 
 ENV CARGO_HOME /opt/zebrad/.cargo/
 # Build dependencies - this is the caching Docker layer!
-RUN cargo chef cook --release --features sentry --package zebrad --recipe-path recipe.json
+RUN cargo chef cook --release --features default-release-binaries --package zebrad --recipe-path recipe.json
 
 ARG RUST_BACKTRACE=0
 ENV RUST_BACKTRACE ${RUST_BACKTRACE}
@@ -36,4 +36,4 @@ ENV COLORBT_SHOW_HIDDEN ${COLORBT_SHOW_HIDDEN}
 
 COPY . .
 # Pre-download Zcash Sprout and Sapling parameters
-RUN cargo run --locked --release --features sentry --package zebrad --bin zebrad download
+RUN cargo run --locked --release --features default-release-binaries --package zebrad --bin zebrad download

zebra-node-services/Cargo.toml

@@ -42,7 +42,8 @@ zebra-chain = { path = "../zebra-chain" , version = "1.0.0-beta.26"}
 # Tool and test feature rpc-client
 color-eyre = { version = "0.6.2", optional = true }
 jsonrpc-core = { version = "18.0.0", optional = true }
-reqwest = { version = "0.11.18", optional = true }
+# Security: avoid default dependency on openssl
+reqwest = { version = "0.11.18", default-features = false, features = ["rustls-tls"], optional = true }
 serde = { version = "1.0.164", optional = true }
 serde_json = { version = "1.0.97", optional = true }
 
@@ -50,6 +51,6 @@ serde_json = { version = "1.0.97", optional = true }
 
 color-eyre = "0.6.2"
 jsonrpc-core = "18.0.0"
-reqwest = "0.11.18"
+reqwest = { version = "0.11.18", default-features = false, features = ["rustls-tls"] }
 serde = "1.0.164"
 serde_json = "1.0.97"

zebra-state/Cargo.toml

@@ -67,7 +67,8 @@ tower = { version = "0.4.13", features = ["buffer", "util"] }
 tracing = "0.1.37"
 
 # elasticsearch specific dependencies.
-elasticsearch = { version = "8.5.0-alpha.1", package = "elasticsearch", optional = true }
+# Security: avoid default dependency on openssl
+elasticsearch = { version = "8.5.0-alpha.1", default-features = false, features = ["rustls-tls"], optional = true }
 serde_json = { version = "1.0.97", package = "serde_json", optional = true }
 
 zebra-chain = { path = "../zebra-chain", version = "1.0.0-beta.26" }

zebrad/Cargo.toml

@@ -39,6 +39,9 @@ pre-release-replacements = [
 # In release builds, don't compile debug logging code, to improve performance.
 default = ["release_max_level_info"]
 
+# Default features for official ZF binary release builds
+default-release-binaries = ["default", "sentry"]
+
 # Production features that activate extra dependencies, or extra features in dependencies
 
 # Experimental mining RPC support