Upgrade to hyper-rustls 0.27 and rustls 0.23

seanmonstar · May 12, 2024 · 0b8a99a · 0b8a99a
1 parent db25e80
commit 0b8a99a
Show file tree

Hide file tree

Showing 7 changed files with 93 additions and 73 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -41,9 +41,16 @@ native-tls-alpn = ["native-tls", "native-tls-crate?/alpn", "hyper-tls?/alpn"]
 native-tls-vendored = ["native-tls", "native-tls-crate?/vendored"]
 
 rustls-tls = ["rustls-tls-webpki-roots"]
-rustls-tls-manual-roots = ["__rustls"]
-rustls-tls-webpki-roots = ["dep:webpki-roots", "__rustls"]
-rustls-tls-native-roots = ["dep:rustls-native-certs", "__rustls"]
+rustls-tls-manual-roots = ["rustls-base-ring"]
+rustls-tls-webpki-roots = ["dep:webpki-roots", "rustls-base-ring"]
+rustls-tls-native-roots = ["dep:rustls-native-certs", "rustls-base-ring"]
+rustls-tls-aws-lc-rs-manual-roots = ["rustls-base-aws-lc-rs"]
+rustls-tls-aws-lc-rs-webpki-roots = ["dep:webpki-roots", "rustls-base-aws-lc-rs"]
+rustls-tls-aws-lc-rs-native-roots = ["dep:rustls-native-certs", "rustls-base-aws-lc-rs"]
+
+rustls-base-ring = ["rustls-base", "rustls/ring"]
+rustls-base-aws-lc-rs = ["rustls-base", "rustls/aws_lc_rs"]
+rustls-base = ["dep:hyper-rustls", "dep:tokio-rustls", "dep:rustls", "__tls", "rustls-pki-types"]
 
 blocking = ["futures-channel/sink", "futures-util/io", "futures-util/sink", "tokio/rt-multi-thread", "tokio/sync"]
 
@@ -82,10 +89,6 @@ macos-system-configuration = ["dep:system-configuration"]
 # Enables common types used for TLS. Useless on its own.
 __tls = ["dep:rustls-pemfile", "tokio/io-util"]
 
-# Enables common rustls code.
-# Equivalent to rustls-tls-manual-roots but shorter :)
-__rustls = ["dep:hyper-rustls", "dep:tokio-rustls", "dep:rustls", "__tls", "dep:rustls-pemfile", "rustls-pki-types"]
-
 # When enabled, disable using the cached SYS_PROXIES.
 __internal_proxy_sys_no_cache = []
 
@@ -132,10 +135,10 @@ native-tls-crate = { version = "0.2.10", optional = true, package = "native-tls"
 tokio-native-tls = { version = "0.3.0", optional = true }
 
 # rustls-tls
-hyper-rustls = { version = "0.26.0", default-features = false, optional = true }
-rustls = { version = "0.22.2", optional = true }
-rustls-pki-types = { version = "1.1.0", features = ["alloc"] ,optional = true }
-tokio-rustls = { version = "0.25", optional = true }
+hyper-rustls = { version = "0.27", default-features = false, optional = true, features = ["http1", "http2", "logging", "native-tokio", "ring", "tls12"] }
+rustls = { version = "0.23.4", default-features = false, features = ["logging", "std", "tls12"], optional = true }
+rustls-pki-types = { version = "1.1.0", features = ["alloc"], optional = true }
+tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "ring", "tls12"], optional = true }
 webpki-roots = { version = "0.26.0", optional = true }
 rustls-native-certs = { version = "0.7", optional = true }
 

diff --git a/src/async_impl/client.rs b/src/async_impl/client.rs
@@ -1,4 +1,4 @@
-#[cfg(any(feature = "native-tls", feature = "__rustls",))]
+#[cfg(any(feature = "native-tls", feature = "rustls-base",))]
 use std::any::Any;
 use std::net::IpAddr;
 use std::sync::Arc;
@@ -43,7 +43,7 @@ use crate::redirect::{self, remove_sensitive_headers};
 use crate::tls::{self, TlsBackend};
 #[cfg(feature = "__tls")]
 use crate::Certificate;
-#[cfg(any(feature = "native-tls", feature = "__rustls"))]
+#[cfg(any(feature = "native-tls", feature = "rustls-base"))]
 use crate::Identity;
 use crate::{IntoUrl, Method, Proxy, StatusCode, Url};
 use log::debug;
@@ -102,7 +102,7 @@ struct Config {
     pool_idle_timeout: Option<Duration>,
     pool_max_idle_per_host: usize,
     tcp_keepalive: Option<Duration>,
-    #[cfg(any(feature = "native-tls", feature = "__rustls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls-base"))]
     identity: Option<Identity>,
     proxies: Vec<Proxy>,
     auto_sys_proxy: bool,
@@ -205,7 +205,7 @@ impl ClientBuilder {
                 root_certs: Vec::new(),
                 #[cfg(feature = "__tls")]
                 tls_built_in_root_certs: true,
-                #[cfg(any(feature = "native-tls", feature = "__rustls"))]
+                #[cfg(any(feature = "native-tls", feature = "rustls-base"))]
                 identity: None,
                 #[cfg(feature = "__tls")]
                 min_tls_version: None,
@@ -307,7 +307,7 @@ impl ClientBuilder {
             let mut http = HttpConnector::new_with_resolver(DynResolver::new(resolver.clone()));
             http.set_connect_timeout(config.connect_timeout);
 
-            #[cfg(all(feature = "http3", feature = "__rustls"))]
+            #[cfg(all(feature = "http3", feature = "rustls-base"))]
             let build_h3_connector =
                 |resolver,
                  tls,
@@ -399,7 +399,7 @@ impl ClientBuilder {
                             id.add_to_native_tls(&mut tls)?;
                         }
                     }
-                    #[cfg(all(feature = "__rustls", not(feature = "native-tls")))]
+                    #[cfg(all(feature = "rustls-base", not(feature = "native-tls")))]
                     {
                         // Default backend + rustls Identity doesn't work.
                         if let Some(_id) = config.identity {
@@ -456,7 +456,7 @@ impl ClientBuilder {
                     config.nodelay,
                     config.tls_info,
                 ),
-                #[cfg(feature = "__rustls")]
+                #[cfg(feature = "rustls-base")]
                 TlsBackend::BuiltRustls(conn) => {
                     #[cfg(feature = "http3")]
                     {
@@ -488,7 +488,7 @@ impl ClientBuilder {
                         config.tls_info,
                     )
                 }
-                #[cfg(feature = "__rustls")]
+                #[cfg(any(feature = "rustls-base-ring", feature = "rustls-base-aws-lc-rs"))]
                 TlsBackend::Rustls => {
                     use crate::tls::NoVerifier;
 
@@ -556,8 +556,19 @@ impl ClientBuilder {
                     }
 
                     // Build TLS config
+                    #[cfg(feature = "rustls-base-ring")]
+                    let provider = rustls::crypto::ring::default_provider();
+
+                    #[cfg(all(
+                        feature = "rustls-base-aws-lc-rs",
+                        not(feature = "rustls-base-ring")
+                    ))]
+                    let provider = rustls::crypto::aws_lc_rs::default_provider();
+
                     let config_builder =
-                        rustls::ClientConfig::builder_with_protocol_versions(&versions)
+                        rustls::ClientConfig::builder_with_provider(Arc::new(provider))
+                            .with_protocol_versions(&versions)
+                            .map_err(|_| crate::error::builder("invalid TLS versions"))?
                             .with_root_certificates(root_cert_store);
 
                     // Finalize TLS config
@@ -629,7 +640,7 @@ impl ClientBuilder {
                         config.tls_info,
                     )
                 }
-                #[cfg(any(feature = "native-tls", feature = "__rustls",))]
+                #[cfg(any(feature = "native-tls", feature = "rustls-base",))]
                 TlsBackend::UnknownPreconfigured => {
                     return Err(crate::error::builder(
                         "Unknown TLS backend passed to `use_preconfigured_tls`",
@@ -1357,7 +1368,7 @@ impl ClientBuilder {
     ///
     /// This requires the optional `native-tls` or `rustls-tls(-...)` feature to be
     /// enabled.
-    #[cfg(any(feature = "native-tls", feature = "__rustls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls-base"))]
     #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))]
     pub fn identity(mut self, identity: Identity) -> ClientBuilder {
         self.config.identity = Some(identity);
@@ -1524,8 +1535,11 @@ impl ClientBuilder {
     /// # Optional
     ///
     /// This requires the optional `rustls-tls(-...)` feature to be enabled.
-    #[cfg(feature = "__rustls")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls")))]
+    #[cfg(any(feature = "rustls-base-ring", feature = "rustls-base-aws-lc-rs"))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(feature = "rustls-base-ring", feature = "rustls-base-aws-lc-rs")))
+    )]
     pub fn use_rustls_tls(mut self) -> ClientBuilder {
         self.config.tls = TlsBackend::Rustls;
         self
@@ -1549,7 +1563,7 @@ impl ClientBuilder {
     ///
     /// This requires one of the optional features `native-tls` or
     /// `rustls-tls(-...)` to be enabled.
-    #[cfg(any(feature = "native-tls", feature = "__rustls",))]
+    #[cfg(any(feature = "native-tls", feature = "rustls-base",))]
     #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))]
     pub fn use_preconfigured_tls(mut self, tls: impl Any) -> ClientBuilder {
         let mut tls = Some(tls);
@@ -1562,7 +1576,7 @@ impl ClientBuilder {
                 return self;
             }
         }
-        #[cfg(feature = "__rustls")]
+        #[cfg(feature = "rustls-base")]
         {
             if let Some(conn) =
                 (&mut tls as &mut dyn Any).downcast_mut::<Option<rustls::ClientConfig>>()
@@ -2154,7 +2168,7 @@ impl Config {
             f.field("tls_info", &self.tls_info);
         }
 
-        #[cfg(all(feature = "default-tls", feature = "__rustls"))]
+        #[cfg(all(feature = "default-tls", feature = "rustls-base"))]
         {
             f.field("tls_backend", &self.tls);
         }

diff --git a/src/blocking/client.rs b/src/blocking/client.rs
@@ -1,4 +1,4 @@
-#[cfg(any(feature = "native-tls", feature = "__rustls",))]
+#[cfg(any(feature = "native-tls", feature = "rustls-base",))]
 use std::any::Any;
 use std::convert::TryInto;
 use std::fmt;
@@ -20,7 +20,7 @@ use super::wait;
 use crate::tls;
 #[cfg(feature = "__tls")]
 use crate::Certificate;
-#[cfg(any(feature = "native-tls", feature = "__rustls"))]
+#[cfg(any(feature = "native-tls", feature = "rustls-base"))]
 use crate::Identity;
 use crate::{async_impl, header, redirect, IntoUrl, Method, Proxy};
 
@@ -621,7 +621,7 @@ impl ClientBuilder {
     ///
     /// This requires the optional `native-tls` or `rustls-tls(-...)` feature to be
     /// enabled.
-    #[cfg(any(feature = "native-tls", feature = "__rustls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls-base"))]
     #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))]
     pub fn identity(self, identity: Identity) -> ClientBuilder {
         self.with_inner(move |inner| inner.identity(identity))
@@ -765,7 +765,7 @@ impl ClientBuilder {
     /// # Optional
     ///
     /// This requires the optional `rustls-tls(-...)` feature to be enabled.
-    #[cfg(feature = "__rustls")]
+    #[cfg(feature = "rustls-base")]
     #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls")))]
     pub fn use_rustls_tls(self) -> ClientBuilder {
         self.with_inner(move |inner| inner.use_rustls_tls())
@@ -808,7 +808,7 @@ impl ClientBuilder {
     ///
     /// This requires one of the optional features `native-tls` or
     /// `rustls-tls(-...)` to be enabled.
-    #[cfg(any(feature = "native-tls", feature = "__rustls",))]
+    #[cfg(any(feature = "native-tls", feature = "rustls-base",))]
     #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))]
     pub fn use_preconfigured_tls(self, tls: impl Any) -> ClientBuilder {
         self.with_inner(move |inner| inner.use_preconfigured_tls(tls))

diff --git a/src/connect.rs b/src/connect.rs
@@ -21,7 +21,7 @@ use std::time::Duration;
 
 #[cfg(feature = "default-tls")]
 use self::native_tls_conn::NativeTlsConn;
-#[cfg(feature = "__rustls")]
+#[cfg(feature = "rustls-base")]
 use self::rustls_tls_conn::RustlsTlsConn;
 use crate::dns::DynResolver;
 use crate::error::BoxError;
@@ -49,7 +49,7 @@ enum Inner {
     Http(HttpConnector),
     #[cfg(feature = "default-tls")]
     DefaultTls(HttpConnector, TlsConnector),
-    #[cfg(feature = "__rustls")]
+    #[cfg(feature = "rustls-base")]
     RustlsTls {
         http: HttpConnector,
         tls: Arc<rustls::ClientConfig>,
@@ -148,7 +148,7 @@ impl Connector {
         }
     }
 
-    #[cfg(feature = "__rustls")]
+    #[cfg(feature = "rustls-base")]
     pub(crate) fn new_rustls_tls<T>(
         mut http: HttpConnector,
         tls: rustls::ClientConfig,
@@ -235,7 +235,7 @@ impl Connector {
                     });
                 }
             }
-            #[cfg(feature = "__rustls")]
+            #[cfg(feature = "rustls-base")]
             Inner::RustlsTls { tls, .. } => {
                 if dst.scheme() == Some(&Scheme::HTTPS) {
                     use std::convert::TryFrom;
@@ -321,7 +321,7 @@ impl Connector {
                     })
                 }
             }
-            #[cfg(feature = "__rustls")]
+            #[cfg(feature = "rustls-base")]
             Inner::RustlsTls { http, tls, .. } => {
                 let mut http = http.clone();
 
@@ -405,7 +405,7 @@ impl Connector {
                     });
                 }
             }
-            #[cfg(feature = "__rustls")]
+            #[cfg(feature = "rustls-base")]
             Inner::RustlsTls {
                 http,
                 tls,
@@ -451,7 +451,7 @@ impl Connector {
         match &mut self.inner {
             #[cfg(feature = "default-tls")]
             Inner::DefaultTls(http, _tls) => http.set_keepalive(dur),
-            #[cfg(feature = "__rustls")]
+            #[cfg(feature = "rustls-base")]
             Inner::RustlsTls { http, .. } => http.set_keepalive(dur),
             #[cfg(not(feature = "__tls"))]
             Inner::Http(http) => http.set_keepalive(dur),
@@ -571,7 +571,7 @@ impl TlsInfoFactory for hyper_tls::MaybeHttpsStream<TokioIo<tokio::net::TcpStrea
     }
 }
 
-#[cfg(feature = "__rustls")]
+#[cfg(feature = "rustls-base")]
 impl TlsInfoFactory for tokio_rustls::client::TlsStream<TokioIo<TokioIo<tokio::net::TcpStream>>> {
     fn tls_info(&self) -> Option<crate::tls::TlsInfo> {
         let peer_certificate = self
@@ -584,7 +584,7 @@ impl TlsInfoFactory for tokio_rustls::client::TlsStream<TokioIo<TokioIo<tokio::n
     }
 }
 
-#[cfg(feature = "__rustls")]
+#[cfg(feature = "rustls-base")]
 impl TlsInfoFactory
     for tokio_rustls::client::TlsStream<
         TokioIo<hyper_rustls::MaybeHttpsStream<TokioIo<tokio::net::TcpStream>>>,
@@ -601,7 +601,7 @@ impl TlsInfoFactory
     }
 }
 
-#[cfg(feature = "__rustls")]
+#[cfg(feature = "rustls-base")]
 impl TlsInfoFactory for hyper_rustls::MaybeHttpsStream<TokioIo<tokio::net::TcpStream>> {
     fn tls_info(&self) -> Option<crate::tls::TlsInfo> {
         match self {
@@ -910,7 +910,7 @@ mod native_tls_conn {
     }
 }
 
-#[cfg(feature = "__rustls")]
+#[cfg(feature = "rustls-base")]
 mod rustls_tls_conn {
     use super::TlsInfoFactory;
     use hyper::rt::{Read, ReadBufCursor, Write};