diff --git a/Cargo.toml b/Cargo.toml index cdb3fabc7..ab42d9fda 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -41,9 +41,16 @@ native-tls-alpn = ["native-tls", "native-tls-crate?/alpn", "hyper-tls?/alpn"] native-tls-vendored = ["native-tls", "native-tls-crate?/vendored"] rustls-tls = ["rustls-tls-webpki-roots"] -rustls-tls-manual-roots = ["__rustls"] -rustls-tls-webpki-roots = ["dep:webpki-roots", "__rustls"] -rustls-tls-native-roots = ["dep:rustls-native-certs", "__rustls"] +rustls-tls-manual-roots = ["rustls-base-ring"] +rustls-tls-webpki-roots = ["dep:webpki-roots", "rustls-base-ring"] +rustls-tls-native-roots = ["dep:rustls-native-certs", "rustls-base-ring"] +rustls-tls-aws-lc-rs-manual-roots = ["rustls-base-aws-lc-rs"] +rustls-tls-aws-lc-rs-webpki-roots = ["dep:webpki-roots", "rustls-base-aws-lc-rs"] +rustls-tls-aws-lc-rs-native-roots = ["dep:rustls-native-certs", "rustls-base-aws-lc-rs"] + +rustls-base-ring = ["rustls-base", "rustls/ring"] +rustls-base-aws-lc-rs = ["rustls-base", "rustls/aws_lc_rs"] +rustls-base = ["dep:hyper-rustls", "dep:tokio-rustls", "dep:rustls", "__tls", "rustls-pki-types"] blocking = ["futures-channel/sink", "futures-util/io", "futures-util/sink", "tokio/rt-multi-thread", "tokio/sync"] @@ -82,10 +89,6 @@ macos-system-configuration = ["dep:system-configuration"] # Enables common types used for TLS. Useless on its own. __tls = ["dep:rustls-pemfile", "tokio/io-util"] -# Enables common rustls code. -# Equivalent to rustls-tls-manual-roots but shorter :) -__rustls = ["dep:hyper-rustls", "dep:tokio-rustls", "dep:rustls", "__tls", "dep:rustls-pemfile", "rustls-pki-types"] - # When enabled, disable using the cached SYS_PROXIES. __internal_proxy_sys_no_cache = [] @@ -132,10 +135,10 @@ native-tls-crate = { version = "0.2.10", optional = true, package = "native-tls" tokio-native-tls = { version = "0.3.0", optional = true } # rustls-tls -hyper-rustls = { version = "0.26.0", default-features = false, optional = true } -rustls = { version = "0.22.2", optional = true } -rustls-pki-types = { version = "1.1.0", features = ["alloc"] ,optional = true } -tokio-rustls = { version = "0.25", optional = true } +hyper-rustls = { version = "0.27", default-features = false, optional = true, features = ["http1", "http2", "logging", "native-tokio", "ring", "tls12"] } +rustls = { version = "0.23.4", default-features = false, features = ["logging", "std", "tls12"], optional = true } +rustls-pki-types = { version = "1.1.0", features = ["alloc"], optional = true } +tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "ring", "tls12"], optional = true } webpki-roots = { version = "0.26.0", optional = true } rustls-native-certs = { version = "0.7", optional = true } diff --git a/src/async_impl/client.rs b/src/async_impl/client.rs index 079bd259d..c77208ef0 100644 --- a/src/async_impl/client.rs +++ b/src/async_impl/client.rs @@ -1,4 +1,4 @@ -#[cfg(any(feature = "native-tls", feature = "__rustls",))] +#[cfg(any(feature = "native-tls", feature = "rustls-base",))] use std::any::Any; use std::net::IpAddr; use std::sync::Arc; @@ -43,7 +43,7 @@ use crate::redirect::{self, remove_sensitive_headers}; use crate::tls::{self, TlsBackend}; #[cfg(feature = "__tls")] use crate::Certificate; -#[cfg(any(feature = "native-tls", feature = "__rustls"))] +#[cfg(any(feature = "native-tls", feature = "rustls-base"))] use crate::Identity; use crate::{IntoUrl, Method, Proxy, StatusCode, Url}; use log::debug; @@ -102,7 +102,7 @@ struct Config { pool_idle_timeout: Option, pool_max_idle_per_host: usize, tcp_keepalive: Option, - #[cfg(any(feature = "native-tls", feature = "__rustls"))] + #[cfg(any(feature = "native-tls", feature = "rustls-base"))] identity: Option, proxies: Vec, auto_sys_proxy: bool, @@ -205,7 +205,7 @@ impl ClientBuilder { root_certs: Vec::new(), #[cfg(feature = "__tls")] tls_built_in_root_certs: true, - #[cfg(any(feature = "native-tls", feature = "__rustls"))] + #[cfg(any(feature = "native-tls", feature = "rustls-base"))] identity: None, #[cfg(feature = "__tls")] min_tls_version: None, @@ -307,7 +307,7 @@ impl ClientBuilder { let mut http = HttpConnector::new_with_resolver(DynResolver::new(resolver.clone())); http.set_connect_timeout(config.connect_timeout); - #[cfg(all(feature = "http3", feature = "__rustls"))] + #[cfg(all(feature = "http3", feature = "rustls-base"))] let build_h3_connector = |resolver, tls, @@ -399,7 +399,7 @@ impl ClientBuilder { id.add_to_native_tls(&mut tls)?; } } - #[cfg(all(feature = "__rustls", not(feature = "native-tls")))] + #[cfg(all(feature = "rustls-base", not(feature = "native-tls")))] { // Default backend + rustls Identity doesn't work. if let Some(_id) = config.identity { @@ -456,7 +456,7 @@ impl ClientBuilder { config.nodelay, config.tls_info, ), - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] TlsBackend::BuiltRustls(conn) => { #[cfg(feature = "http3")] { @@ -488,7 +488,7 @@ impl ClientBuilder { config.tls_info, ) } - #[cfg(feature = "__rustls")] + #[cfg(any(feature = "rustls-base-ring", feature = "rustls-base-aws-lc-rs"))] TlsBackend::Rustls => { use crate::tls::NoVerifier; @@ -556,8 +556,19 @@ impl ClientBuilder { } // Build TLS config + #[cfg(feature = "rustls-base-ring")] + let provider = rustls::crypto::ring::default_provider(); + + #[cfg(all( + feature = "rustls-base-aws-lc-rs", + not(feature = "rustls-base-ring") + ))] + let provider = rustls::crypto::aws_lc_rs::default_provider(); + let config_builder = - rustls::ClientConfig::builder_with_protocol_versions(&versions) + rustls::ClientConfig::builder_with_provider(Arc::new(provider)) + .with_protocol_versions(&versions) + .map_err(|_| crate::error::builder("invalid TLS versions"))? .with_root_certificates(root_cert_store); // Finalize TLS config @@ -629,7 +640,7 @@ impl ClientBuilder { config.tls_info, ) } - #[cfg(any(feature = "native-tls", feature = "__rustls",))] + #[cfg(any(feature = "native-tls", feature = "rustls-base",))] TlsBackend::UnknownPreconfigured => { return Err(crate::error::builder( "Unknown TLS backend passed to `use_preconfigured_tls`", @@ -1357,7 +1368,7 @@ impl ClientBuilder { /// /// This requires the optional `native-tls` or `rustls-tls(-...)` feature to be /// enabled. - #[cfg(any(feature = "native-tls", feature = "__rustls"))] + #[cfg(any(feature = "native-tls", feature = "rustls-base"))] #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))] pub fn identity(mut self, identity: Identity) -> ClientBuilder { self.config.identity = Some(identity); @@ -1524,8 +1535,11 @@ impl ClientBuilder { /// # Optional /// /// This requires the optional `rustls-tls(-...)` feature to be enabled. - #[cfg(feature = "__rustls")] - #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls")))] + #[cfg(any(feature = "rustls-base-ring", feature = "rustls-base-aws-lc-rs"))] + #[cfg_attr( + docsrs, + doc(cfg(any(feature = "rustls-base-ring", feature = "rustls-base-aws-lc-rs"))) + )] pub fn use_rustls_tls(mut self) -> ClientBuilder { self.config.tls = TlsBackend::Rustls; self @@ -1549,7 +1563,7 @@ impl ClientBuilder { /// /// This requires one of the optional features `native-tls` or /// `rustls-tls(-...)` to be enabled. - #[cfg(any(feature = "native-tls", feature = "__rustls",))] + #[cfg(any(feature = "native-tls", feature = "rustls-base",))] #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))] pub fn use_preconfigured_tls(mut self, tls: impl Any) -> ClientBuilder { let mut tls = Some(tls); @@ -1562,7 +1576,7 @@ impl ClientBuilder { return self; } } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] { if let Some(conn) = (&mut tls as &mut dyn Any).downcast_mut::>() @@ -2154,7 +2168,7 @@ impl Config { f.field("tls_info", &self.tls_info); } - #[cfg(all(feature = "default-tls", feature = "__rustls"))] + #[cfg(all(feature = "default-tls", feature = "rustls-base"))] { f.field("tls_backend", &self.tls); } diff --git a/src/blocking/client.rs b/src/blocking/client.rs index 5b861cb3e..68c7f7739 100644 --- a/src/blocking/client.rs +++ b/src/blocking/client.rs @@ -1,4 +1,4 @@ -#[cfg(any(feature = "native-tls", feature = "__rustls",))] +#[cfg(any(feature = "native-tls", feature = "rustls-base",))] use std::any::Any; use std::convert::TryInto; use std::fmt; @@ -20,7 +20,7 @@ use super::wait; use crate::tls; #[cfg(feature = "__tls")] use crate::Certificate; -#[cfg(any(feature = "native-tls", feature = "__rustls"))] +#[cfg(any(feature = "native-tls", feature = "rustls-base"))] use crate::Identity; use crate::{async_impl, header, redirect, IntoUrl, Method, Proxy}; @@ -621,7 +621,7 @@ impl ClientBuilder { /// /// This requires the optional `native-tls` or `rustls-tls(-...)` feature to be /// enabled. - #[cfg(any(feature = "native-tls", feature = "__rustls"))] + #[cfg(any(feature = "native-tls", feature = "rustls-base"))] #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))] pub fn identity(self, identity: Identity) -> ClientBuilder { self.with_inner(move |inner| inner.identity(identity)) @@ -765,7 +765,7 @@ impl ClientBuilder { /// # Optional /// /// This requires the optional `rustls-tls(-...)` feature to be enabled. - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls")))] pub fn use_rustls_tls(self) -> ClientBuilder { self.with_inner(move |inner| inner.use_rustls_tls()) @@ -808,7 +808,7 @@ impl ClientBuilder { /// /// This requires one of the optional features `native-tls` or /// `rustls-tls(-...)` to be enabled. - #[cfg(any(feature = "native-tls", feature = "__rustls",))] + #[cfg(any(feature = "native-tls", feature = "rustls-base",))] #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))] pub fn use_preconfigured_tls(self, tls: impl Any) -> ClientBuilder { self.with_inner(move |inner| inner.use_preconfigured_tls(tls)) diff --git a/src/connect.rs b/src/connect.rs index ff76c57f8..b5afabfaf 100644 --- a/src/connect.rs +++ b/src/connect.rs @@ -21,7 +21,7 @@ use std::time::Duration; #[cfg(feature = "default-tls")] use self::native_tls_conn::NativeTlsConn; -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] use self::rustls_tls_conn::RustlsTlsConn; use crate::dns::DynResolver; use crate::error::BoxError; @@ -49,7 +49,7 @@ enum Inner { Http(HttpConnector), #[cfg(feature = "default-tls")] DefaultTls(HttpConnector, TlsConnector), - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] RustlsTls { http: HttpConnector, tls: Arc, @@ -148,7 +148,7 @@ impl Connector { } } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] pub(crate) fn new_rustls_tls( mut http: HttpConnector, tls: rustls::ClientConfig, @@ -235,7 +235,7 @@ impl Connector { }); } } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] Inner::RustlsTls { tls, .. } => { if dst.scheme() == Some(&Scheme::HTTPS) { use std::convert::TryFrom; @@ -321,7 +321,7 @@ impl Connector { }) } } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] Inner::RustlsTls { http, tls, .. } => { let mut http = http.clone(); @@ -405,7 +405,7 @@ impl Connector { }); } } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] Inner::RustlsTls { http, tls, @@ -451,7 +451,7 @@ impl Connector { match &mut self.inner { #[cfg(feature = "default-tls")] Inner::DefaultTls(http, _tls) => http.set_keepalive(dur), - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] Inner::RustlsTls { http, .. } => http.set_keepalive(dur), #[cfg(not(feature = "__tls"))] Inner::Http(http) => http.set_keepalive(dur), @@ -571,7 +571,7 @@ impl TlsInfoFactory for hyper_tls::MaybeHttpsStream>> { fn tls_info(&self) -> Option { let peer_certificate = self @@ -584,7 +584,7 @@ impl TlsInfoFactory for tokio_rustls::client::TlsStream>>, @@ -601,7 +601,7 @@ impl TlsInfoFactory } } -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] impl TlsInfoFactory for hyper_rustls::MaybeHttpsStream> { fn tls_info(&self) -> Option { match self { @@ -910,7 +910,7 @@ mod native_tls_conn { } } -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] mod rustls_tls_conn { use super::TlsInfoFactory; use hyper::rt::{Read, ReadBufCursor, Write}; diff --git a/src/tls.rs b/src/tls.rs index 8f979b15b..ea1dc605e 100644 --- a/src/tls.rs +++ b/src/tls.rs @@ -44,12 +44,12 @@ //! //! [rustls]: https://crates.io/crates/rustls -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] use rustls::{ client::danger::HandshakeSignatureValid, client::danger::ServerCertVerified, client::danger::ServerCertVerifier, DigitallySignedStruct, Error as TLSError, SignatureScheme, }; -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] use rustls_pki_types::{ServerName, UnixTime}; use std::{ fmt, @@ -61,11 +61,11 @@ use std::{ pub struct Certificate { #[cfg(feature = "default-tls")] native: native_tls_crate::Certificate, - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] original: Cert, } -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] #[derive(Clone)] enum Cert { Der(Vec), @@ -75,7 +75,10 @@ enum Cert { /// Represents a private key and X509 cert as a client certificate. #[derive(Clone)] pub struct Identity { - #[cfg_attr(not(any(feature = "native-tls", feature = "__rustls")), allow(unused))] + #[cfg_attr( + not(any(feature = "native-tls", feature = "rustls-base")), + allow(unused) + )] inner: ClientCert, } @@ -84,7 +87,7 @@ enum ClientCert { Pkcs12(native_tls_crate::Identity), #[cfg(feature = "native-tls")] Pkcs8(native_tls_crate::Identity), - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] Pem { key: rustls_pki_types::PrivateKeyDer<'static>, certs: Vec>, @@ -98,13 +101,13 @@ impl Clone for ClientCert { Self::Pkcs8(i) => Self::Pkcs8(i.clone()), #[cfg(feature = "native-tls")] Self::Pkcs12(i) => Self::Pkcs12(i.clone()), - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] ClientCert::Pem { key, certs } => ClientCert::Pem { key: key.clone_key(), certs: certs.clone(), }, #[cfg_attr( - any(feature = "native-tls", feature = "__rustls"), + any(feature = "native-tls", feature = "rustls-base"), allow(unreachable_patterns) )] _ => unreachable!(), @@ -133,7 +136,7 @@ impl Certificate { Ok(Certificate { #[cfg(feature = "default-tls")] native: native_tls_crate::Certificate::from_der(der).map_err(crate::error::builder)?, - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] original: Cert::Der(der.to_owned()), }) } @@ -158,7 +161,7 @@ impl Certificate { Ok(Certificate { #[cfg(feature = "default-tls")] native: native_tls_crate::Certificate::from_pem(pem).map_err(crate::error::builder)?, - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] original: Cert::Pem(pem.to_owned()), }) } @@ -194,7 +197,7 @@ impl Certificate { tls.add_root_certificate(self.native); } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] pub(crate) fn add_to_rustls( self, root_cert_store: &mut rustls::RootCertStore, @@ -328,7 +331,7 @@ impl Identity { /// # Optional /// /// This requires the `rustls-tls(-...)` Cargo feature enabled. - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] pub fn from_pem(buf: &[u8]) -> crate::Result { use rustls_pemfile::Item; use std::io::Cursor; @@ -381,12 +384,12 @@ impl Identity { tls.identity(id); Ok(()) } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] ClientCert::Pem { .. } => Err(crate::error::builder("incompatible TLS identity type")), } } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] pub(crate) fn add_to_rustls( self, config_builder: rustls::ConfigBuilder< @@ -454,7 +457,7 @@ impl Version { } } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] pub(crate) fn from_rustls(version: rustls::ProtocolVersion) -> Option { match version { rustls::ProtocolVersion::SSLv2 => None, @@ -475,11 +478,11 @@ pub(crate) enum TlsBackend { Default, #[cfg(feature = "native-tls")] BuiltNativeTls(native_tls_crate::TlsConnector), - #[cfg(feature = "__rustls")] + #[cfg(any(feature = "rustls-base-ring", feature = "rustls-base-aws-lc-rs"))] Rustls, - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] BuiltRustls(rustls::ClientConfig), - #[cfg(any(feature = "native-tls", feature = "__rustls",))] + #[cfg(any(feature = "native-tls", feature = "rustls-base"))] UnknownPreconfigured, } @@ -490,11 +493,11 @@ impl fmt::Debug for TlsBackend { TlsBackend::Default => write!(f, "Default"), #[cfg(feature = "native-tls")] TlsBackend::BuiltNativeTls(_) => write!(f, "BuiltNativeTls"), - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] TlsBackend::Rustls => write!(f, "Rustls"), - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] TlsBackend::BuiltRustls(_) => write!(f, "BuiltRustls"), - #[cfg(any(feature = "native-tls", feature = "__rustls",))] + #[cfg(any(feature = "native-tls", feature = "rustls-base"))] TlsBackend::UnknownPreconfigured => write!(f, "UnknownPreconfigured"), } } @@ -508,7 +511,7 @@ impl Default for TlsBackend { } #[cfg(any( - all(feature = "__rustls", not(feature = "default-tls")), + all(feature = "rustls-base", not(feature = "default-tls")), feature = "http3" ))] { @@ -517,11 +520,11 @@ impl Default for TlsBackend { } } -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] #[derive(Debug)] pub(crate) struct NoVerifier; -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] impl ServerCertVerifier for NoVerifier { fn verify_server_cert( &self, @@ -619,13 +622,13 @@ mod tests { Identity::from_pkcs8_pem(b"not pem", b"not key").unwrap_err(); } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] #[test] fn identity_from_pem_invalid() { Identity::from_pem(b"not pem").unwrap_err(); } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] #[test] fn identity_from_pem_pkcs1_key() { let pem = b"-----BEGIN CERTIFICATE-----\n\ diff --git a/tests/client.rs b/tests/client.rs index bc6002fc7..f6964f2bf 100644 --- a/tests/client.rs +++ b/tests/client.rs @@ -313,7 +313,7 @@ async fn overridden_dns_resolution_with_hickory_dns_multiple() { assert_eq!("Hello", text); } -#[cfg(any(feature = "native-tls", feature = "__rustls",))] +#[cfg(any(feature = "native-tls", feature = "rustls-base",))] #[test] fn use_preconfigured_tls_with_bogus_backend() { struct DefinitelyNotTls; @@ -339,7 +339,7 @@ fn use_preconfigured_native_tls_default() { .expect("preconfigured default tls"); } -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] #[test] fn use_preconfigured_rustls_default() { extern crate rustls; @@ -355,7 +355,7 @@ fn use_preconfigured_rustls_default() { .expect("preconfigured rustls tls"); } -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] #[tokio::test] #[ignore = "Needs TLS support in the test server"] async fn http2_upgrade() { diff --git a/tests/redirect.rs b/tests/redirect.rs index c98c799ef..f474b7f88 100644 --- a/tests/redirect.rs +++ b/tests/redirect.rs @@ -348,7 +348,7 @@ async fn test_redirect_302_with_set_cookies() { assert_eq!(res.status(), reqwest::StatusCode::OK); } -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] #[tokio::test] #[ignore = "Needs TLS support in the test server"] async fn test_redirect_https_only_enforced_gh1312() {