From bd909b81ac9ef689cbb07f2661aed432e5fb1494 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Fri, 29 Mar 2024 15:23:12 +0100 Subject: [PATCH] Upgrade to hyper-rustls 0.27 and rustls 0.23 --- CHANGELOG.md | 6 +-- Cargo.toml | 28 +++++++++----- src/async_impl/client.rs | 79 ++++++++++++++++++++++++++-------------- src/blocking/client.rs | 18 ++++----- src/connect.rs | 22 +++++------ src/lib.rs | 28 ++++++++++---- src/tls.rs | 58 ++++++++++++++++------------- tests/badssl.rs | 5 +-- tests/client.rs | 6 +-- tests/redirect.rs | 2 +- 10 files changed, 149 insertions(+), 103 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0dea63e5a..9e59591d6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -715,12 +715,12 @@ - Timeouts now affect DNS and socket connection. - Pool much better at evicting sockets when they die. - An `unstable` Cargo feature to enable `reqwest::unstable::async`. -- A huge docs improvement! +- A huge docs improvement! ### Fixes - Publicly exports `RedirectAction` and `RedirectAttempt` -- `Error::get_ref` returns `Error + Send + Sync` +- `Error::get_ref` returns `Error + Send + Sync` ### Breaking Changes @@ -789,7 +789,7 @@ ### Breaking Changes -The only breaking change is a behavioral one, all programs should still compile without modification. The automatic GZIP decoding could interfere in cases where a user was expecting the GZIP bytes, either to save to a file or decode themselves. To restore this functionality, set `client.gzip(false)`. +The only breaking change is a behavioral one, all programs should still compile without modification. The automatic GZIP decoding could interfere in cases where a user was expecting the GZIP bytes, either to save to a file or decode themselves. To restore this functionality, set `client.gzip(false)`. # v0.4.0 diff --git a/Cargo.toml b/Cargo.toml index 10a0e8815..f68355e77 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -41,9 +41,13 @@ native-tls-alpn = ["native-tls", "native-tls-crate?/alpn", "hyper-tls?/alpn"] native-tls-vendored = ["native-tls", "native-tls-crate?/vendored"] rustls-tls = ["rustls-tls-webpki-roots"] -rustls-tls-manual-roots = ["__rustls"] -rustls-tls-webpki-roots = ["dep:webpki-roots", "__rustls"] -rustls-tls-native-roots = ["dep:rustls-native-certs", "__rustls"] +rustls-tls-manual-roots = ["__rustls_crypto_ring"] +rustls-tls-webpki-roots = ["__rustls_roots_webpki", "__rustls_crypto_ring"] +rustls-tls-native-roots = ["__rustls_roots_native", "__rustls_crypto_ring"] +rustls-tls-aws-lc-manual-roots = ["__rustls_crypto_aws_lc"] +rustls-tls-aws-lc-webpki-roots = ["__rustls_roots_webpki", "__rustls_crypto_aws_lc"] +rustls-tls-aws-lc-native-roots = ["__rustls_roots_native", "__rustls_crypto_aws_lc"] +rustls-base = ["dep:hyper-rustls", "dep:tokio-rustls", "dep:rustls", "__tls", "rustls-pki-types"] blocking = ["futures-channel/sink", "futures-util/io", "futures-util/sink", "tokio/sync"] @@ -84,9 +88,13 @@ macos-system-configuration = ["dep:system-configuration"] # Enables common types used for TLS. Useless on its own. __tls = ["dep:rustls-pemfile", "tokio/io-util"] -# Enables common rustls code. -# Equivalent to rustls-tls-manual-roots but shorter :) -__rustls = ["dep:hyper-rustls", "dep:tokio-rustls", "dep:rustls", "__tls", "dep:rustls-pemfile", "rustls-pki-types"] +# Provide common feature flags along two axes: +# - crypto provider: ring or aws-lc +# - root certificate provider: webpki-roots or rustls-native-certs +__rustls_roots_webpki = ["dep:webpki-roots"] +__rustls_roots_native = ["dep:rustls-native-certs"] +__rustls_crypto_ring = ["rustls-base", "rustls/ring"] +__rustls_crypto_aws_lc = ["rustls-base", "rustls/aws_lc_rs"] # When enabled, disable using the cached SYS_PROXIES. __internal_proxy_sys_no_cache = [] 
@@ -134,10 +142,10 @@ native-tls-crate = { version = "0.2.10", optional = true, package = "native-tls" tokio-native-tls = { version = "0.3.0", optional = true } # rustls-tls -hyper-rustls = { version = "0.26.0", default-features = false, optional = true } -rustls = { version = "0.22.2", optional = true } -rustls-pki-types = { version = "1.1.0", features = ["alloc"] ,optional = true } -tokio-rustls = { version = "0.25", optional = true } +hyper-rustls = { version = "0.27", default-features = false, optional = true, features = ["http1", "http2", "logging", "native-tokio", "ring", "tls12"] } +rustls = { version = "0.23.4", default-features = false, features = ["logging", "std", "tls12"], optional = true } +rustls-pki-types = { version = "1.1.0", features = ["alloc"], optional = true } +tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "ring", "tls12"], optional = true } webpki-roots = { version = "0.26.0", optional = true } rustls-native-certs = { version = "0.7", optional = true } diff --git a/src/async_impl/client.rs b/src/async_impl/client.rs index 22519f535..25debf92f 100644 --- a/src/async_impl/client.rs +++ b/src/async_impl/client.rs @@ -1,4 +1,4 @@ -#[cfg(any(feature = "native-tls", feature = "__rustls",))] +#[cfg(any(feature = "native-tls", feature = "rustls-base",))] use std::any::Any; use std::net::IpAddr; use std::sync::Arc; @@ -43,7 +43,7 @@ use crate::redirect::{self, remove_sensitive_headers}; use crate::tls::{self, TlsBackend}; #[cfg(feature = "__tls")] use crate::Certificate; -#[cfg(any(feature = "native-tls", feature = "__rustls"))] +#[cfg(any(feature = "native-tls", feature = "rustls-base"))] use crate::Identity; use crate::{IntoUrl, Method, Proxy, StatusCode, Url}; use log::debug; 
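Review bot: The new `hyper-rustls` and `tokio-rustls` dependency lines enable their `ring` feature unconditionally, so a build that selects a `rustls-tls-aws-lc-*` feature still compiles ring into the graph next to aws-lc-rs. The explicit provider passed to `builder_with_provider` in src/async_impl/client.rs keeps the handshake on the chosen implementation, but the second crypto stack is extra dependency and audit surface for no benefit, and it defeats a single-provider build. Unless this is intentional, drop `"ring"` from both crates' feature lists here and enable it from the crypto axis declared in the feature hunk above, e.g. `__rustls_crypto_ring = ["rustls-base", "rustls/ring", "hyper-rustls/ring", "tokio-rustls/ring"]`, with the aws-lc-rs counterpart on `__rustls_crypto_aws_lc`.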
@@ -102,7 +102,7 @@ struct Config { pool_idle_timeout: Option, pool_max_idle_per_host: usize, tcp_keepalive: Option, - #[cfg(any(feature = "native-tls", feature = "__rustls"))] + #[cfg(any(feature = "native-tls", feature = "rustls-base"))] identity: Option, proxies: Vec, auto_sys_proxy: bool, @@ -114,9 +114,9 @@ struct Config { root_certs: Vec, #[cfg(feature = "__tls")] tls_built_in_root_certs: bool, - #[cfg(feature = "rustls-tls-webpki-roots")] + #[cfg(feature = "__rustls_roots_webpki")] tls_built_in_certs_webpki: bool, - #[cfg(feature = "rustls-tls-native-roots")] + #[cfg(feature = "__rustls_roots_native")] tls_built_in_certs_native: bool, #[cfg(feature = "__tls")] min_tls_version: Option, @@ -211,11 +211,11 @@ impl ClientBuilder { root_certs: Vec::new(), #[cfg(feature = "__tls")] tls_built_in_root_certs: true, - #[cfg(feature = "rustls-tls-webpki-roots")] + #[cfg(feature = "__rustls_roots_webpki")] tls_built_in_certs_webpki: true, - #[cfg(feature = "rustls-tls-native-roots")] + #[cfg(feature = "__rustls_roots_native")] tls_built_in_certs_native: true, - #[cfg(any(feature = "native-tls", feature = "__rustls"))] + #[cfg(any(feature = "native-tls", feature = "rustls-base"))] identity: None, #[cfg(feature = "__tls")] min_tls_version: None, @@ -317,7 +317,7 @@ impl ClientBuilder { let mut http = HttpConnector::new_with_resolver(DynResolver::new(resolver.clone())); http.set_connect_timeout(config.connect_timeout); - #[cfg(all(feature = "http3", feature = "__rustls"))] + #[cfg(all(feature = "http3", feature = "rustls-base"))] let build_h3_connector = |resolver, tls, @@ -409,7 +409,7 @@ impl ClientBuilder { id.add_to_native_tls(&mut tls)?; } } - #[cfg(all(feature = "__rustls", not(feature = "native-tls")))] + #[cfg(all(feature = "rustls-base", not(feature = "native-tls")))] { // Default backend + rustls Identity doesn't work. if let Some(_id) = config.identity { 
@@ -466,7 +466,7 @@ impl ClientBuilder { config.nodelay, config.tls_info, ), - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] TlsBackend::BuiltRustls(conn) => { #[cfg(feature = "http3")] { @@ -498,7 +498,10 @@ impl ClientBuilder { config.tls_info, ) } - #[cfg(feature = "__rustls")] + #[cfg(any( + feature = "__rustls_crypto_ring", + feature = "__rustls_crypto_aws_lc-rs" + ))] TlsBackend::Rustls => { use crate::tls::NoVerifier; @@ -508,12 +511,12 @@ impl ClientBuilder { cert.add_to_rustls(&mut root_cert_store)?; } - #[cfg(feature = "rustls-tls-webpki-roots")] + #[cfg(feature = "__rustls_roots_webpki")] if config.tls_built_in_certs_webpki { root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned()); } - #[cfg(feature = "rustls-tls-native-roots")] + #[cfg(feature = "__rustls_roots_native")] if config.tls_built_in_certs_native { let mut valid_count = 0; let mut invalid_count = 0; @@ -566,8 +569,19 @@ impl ClientBuilder { } // Build TLS config + #[cfg(feature = "__rustls_crypto_ring")] + let provider = rustls::crypto::ring::default_provider(); + + #[cfg(all( + feature = "__rustls_crypto_aws_lc-rs", + not(feature = "__rustls_crypto_ring") + ))] + let provider = rustls::crypto::aws_lc_rs::default_provider(); + let config_builder = - rustls::ClientConfig::builder_with_protocol_versions(&versions) + rustls::ClientConfig::builder_with_provider(Arc::new(provider)) + .with_protocol_versions(&versions) + .map_err(|_| crate::error::builder("invalid TLS versions"))? .with_root_certificates(root_cert_store); // Finalize TLS config @@ -639,7 +653,7 @@ impl ClientBuilder { config.tls_info, ) } - #[cfg(any(feature = "native-tls", feature = "__rustls",))] + #[cfg(any(feature = "native-tls", feature = "rustls-base",))] TlsBackend::UnknownPreconfigured => { return Err(crate::error::builder( "Unknown TLS backend passed to `use_preconfigured_tls`", 
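Review bot: The new cfg gates on the `TlsBackend::Rustls` arm and on the aws-lc `provider` binding test `feature = "__rustls_crypto_aws_lc-rs"`, but the Cargo.toml hunk in this patch declares the feature as `__rustls_crypto_aws_lc` (no `-rs`), so an aws-lc-only build never matches them and neither the arm nor `provider` exists. The same misspelled name is used on `use_rustls_tls` in src/async_impl/client.rs and on the `Rustls` variant in src/tls.rs, where the `fmt::Debug` arm for `TlsBackend::Rustls` stays gated on `rustls-base` and would then name a variant that is compiled out; the `Default` impl presumably hits the same problem, though its body is outside the hunk. Replace each occurrence with `feature = "__rustls_crypto_aws_lc"` (or rename the Cargo feature) and gate the Debug arm on the same `any(...)` as the variant. `ClientBuilder::build` continues outside these hunks.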
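Review bot: `.map_err(|_| crate::error::builder("invalid TLS versions"))?` on the new `with_protocol_versions` call discards the rustls error, which is the only thing that says which version was rejected; elsewhere in this patch the builder wraps the underlying error directly (`.map_err(crate::error::builder)?` in src/tls.rs), and rustls's error type presumably converts the same way, so `.map_err(crate::error::builder)?` would keep that detail. The ring-before-aws-lc precedence between the two `provider` bindings also deserves a comment, since Cargo feature unification can switch both on through an unrelated dependency: `// ring takes precedence when both crypto features are unified in; aws-lc-rs is used only on its own.`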
@@ -1400,12 +1414,12 @@ impl ClientBuilder { pub fn tls_built_in_root_certs(mut self, tls_built_in_root_certs: bool) -> ClientBuilder { self.config.tls_built_in_root_certs = tls_built_in_root_certs; - #[cfg(feature = "rustls-tls-webpki-roots")] + #[cfg(feature = "__rustls_roots_webpki")] { self.config.tls_built_in_certs_webpki = tls_built_in_root_certs; } - #[cfg(feature = "rustls-tls-native-roots")] + #[cfg(feature = "__rustls_roots_native")] { self.config.tls_built_in_certs_native = tls_built_in_root_certs; } @@ -1416,8 +1430,8 @@ impl ClientBuilder { /// Sets whether to load webpki root certs with rustls. /// /// If the feature is enabled, this value is `true` by default. - #[cfg(feature = "rustls-tls-webpki-roots")] - #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-webpki-roots")))] + #[cfg(feature = "__rustls_roots_webpki")] + #[cfg_attr(docsrs, doc(cfg(feature = "__rustls_roots_webpki")))] pub fn tls_built_in_webpki_certs(mut self, enabled: bool) -> ClientBuilder { self.config.tls_built_in_certs_webpki = enabled; self @@ -1426,8 +1440,8 @@ impl ClientBuilder { /// Sets whether to load native root certs with rustls. /// /// If the feature is enabled, this value is `true` by default. - #[cfg(feature = "rustls-tls-native-roots")] - #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-native-roots")))] + #[cfg(feature = "__rustls_roots_native")] + #[cfg_attr(docsrs, doc(cfg(feature = "__rustls_roots_native")))] pub fn tls_built_in_native_certs(mut self, enabled: bool) -> ClientBuilder { self.config.tls_built_in_certs_native = enabled; self 
@@ -1439,7 +1453,7 @@ impl ClientBuilder { /// /// This requires the optional `native-tls` or `rustls-tls(-...)` feature to be /// enabled. - #[cfg(any(feature = "native-tls", feature = "__rustls"))] + #[cfg(any(feature = "native-tls", feature = "rustls-base"))] #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))] pub fn identity(mut self, identity: Identity) -> ClientBuilder { self.config.identity = Some(identity); @@ -1606,8 +1620,17 @@ impl ClientBuilder { /// # Optional /// /// This requires the optional `rustls-tls(-...)` feature to be enabled. - #[cfg(feature = "__rustls")] - #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls")))] + #[cfg(any( + feature = "__rustls_crypto_ring", + feature = "__rustls_crypto_aws_lc-rs" + ))] + #[cfg_attr( + docsrs, + doc(cfg(any( + feature = "__rustls_crypto_ring", + feature = "__rustls_crypto_aws_lc-rs" + ))) + )] pub fn use_rustls_tls(mut self) -> ClientBuilder { self.config.tls = TlsBackend::Rustls; self @@ -1631,7 +1654,7 @@ impl ClientBuilder { /// /// This requires one of the optional features `native-tls` or /// `rustls-tls(-...)` to be enabled. - #[cfg(any(feature = "native-tls", feature = "__rustls",))] + #[cfg(any(feature = "native-tls", feature = "rustls-base",))] #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))] pub fn use_preconfigured_tls(mut self, tls: impl Any) -> ClientBuilder { let mut tls = Some(tls); @@ -1644,7 +1667,7 @@ impl ClientBuilder { return self; } } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] { if let Some(conn) = (&mut tls as &mut dyn Any).downcast_mut::>() @@ -2244,7 +2267,7 @@ impl Config { f.field("tls_info", &self.tls_info); } - #[cfg(all(feature = "default-tls", feature = "__rustls"))] + #[cfg(all(feature = "default-tls", feature = "rustls-base"))] { f.field("tls_backend", &self.tls); } diff --git a/src/blocking/client.rs b/src/blocking/client.rs index 9e6772910..14b0fde07 100644 --- a/src/blocking/client.rs 
+++ b/src/blocking/client.rs @@ -1,4 +1,4 @@ -#[cfg(any(feature = "native-tls", feature = "__rustls",))] +#[cfg(any(feature = "native-tls", feature = "rustls-base",))] use std::any::Any; use std::convert::TryInto; use std::fmt; @@ -21,7 +21,7 @@ use crate::dns::Resolve; use crate::tls; #[cfg(feature = "__tls")] use crate::Certificate; -#[cfg(any(feature = "native-tls", feature = "__rustls"))] +#[cfg(any(feature = "native-tls", feature = "rustls-base"))] use crate::Identity; use crate::{async_impl, header, redirect, IntoUrl, Method, Proxy}; @@ -630,8 +630,8 @@ impl ClientBuilder { /// Sets whether to load webpki root certs with rustls. /// /// If the feature is enabled, this value is `true` by default. - #[cfg(feature = "rustls-tls-webpki-roots")] - #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-webpki-roots")))] + #[cfg(feature = "__rustls_roots_webpki")] + #[cfg_attr(docsrs, doc(cfg(feature = "__rustls_roots_webpki")))] pub fn tls_built_in_webpki_certs(self, enabled: bool) -> ClientBuilder { self.with_inner(move |inner| inner.tls_built_in_webpki_certs(enabled)) } @@ -639,8 +639,8 @@ impl ClientBuilder { /// Sets whether to load native root certs with rustls. /// /// If the feature is enabled, this value is `true` by default. - #[cfg(feature = "rustls-tls-native-roots")] - #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-native-roots")))] + #[cfg(feature = "__rustls_roots_native")] + #[cfg_attr(docsrs, doc(cfg(feature = "__rustls_roots_native")))] pub fn tls_built_in_native_certs(self, enabled: bool) -> ClientBuilder { self.with_inner(move |inner| inner.tls_built_in_native_certs(enabled)) } 
@@ -651,7 +651,7 @@ impl ClientBuilder { /// /// This requires the optional `native-tls` or `rustls-tls(-...)` feature to be /// enabled. - #[cfg(any(feature = "native-tls", feature = "__rustls"))] + #[cfg(any(feature = "native-tls", feature = "rustls-base"))] #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))] pub fn identity(self, identity: Identity) -> ClientBuilder { self.with_inner(move |inner| inner.identity(identity)) @@ -795,7 +795,7 @@ impl ClientBuilder { /// # Optional /// /// This requires the optional `rustls-tls(-...)` feature to be enabled. - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls")))] pub fn use_rustls_tls(self) -> ClientBuilder { self.with_inner(move |inner| inner.use_rustls_tls()) @@ -838,7 +838,7 @@ impl ClientBuilder { /// /// This requires one of the optional features `native-tls` or /// `rustls-tls(-...)` to be enabled. - #[cfg(any(feature = "native-tls", feature = "__rustls",))] + #[cfg(any(feature = "native-tls", feature = "rustls-base",))] #[cfg_attr(docsrs, doc(cfg(any(feature = "native-tls", feature = "rustls-tls"))))] pub fn use_preconfigured_tls(self, tls: impl Any) -> ClientBuilder { self.with_inner(move |inner| inner.use_preconfigured_tls(tls)) diff --git a/src/connect.rs b/src/connect.rs index ff76c57f8..b5afabfaf 100644 --- a/src/connect.rs +++ b/src/connect.rs @@ -21,7 +21,7 @@ use std::time::Duration; #[cfg(feature = "default-tls")] use self::native_tls_conn::NativeTlsConn; -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] use self::rustls_tls_conn::RustlsTlsConn; use crate::dns::DynResolver; use crate::error::BoxError; @@ -49,7 +49,7 @@ enum Inner { Http(HttpConnector), #[cfg(feature = "default-tls")] DefaultTls(HttpConnector, TlsConnector), - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] RustlsTls { http: HttpConnector, tls: Arc, 
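Review bot: `use_rustls_tls` in src/blocking/client.rs is gated on `rustls-base`, while the async `use_rustls_tls` it forwards to through `with_inner` is, in the same patch, gated on `any(feature = "__rustls_crypto_ring", feature = "__rustls_crypto_aws_lc-rs")`; whenever `rustls-base` is on but neither crypto cfg matches (which the misspelled aws-lc cfg name elsewhere in this patch makes reachable) the wrapper calls a method that does not exist. Mirror the async gate here, and update the `doc(cfg(feature = "rustls-tls"))` attribute on the next line to match, as was done for the async method.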
@@ -148,7 +148,7 @@ impl Connector { } } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] pub(crate) fn new_rustls_tls( mut http: HttpConnector, tls: rustls::ClientConfig, @@ -235,7 +235,7 @@ impl Connector { }); } } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] Inner::RustlsTls { tls, .. } => { if dst.scheme() == Some(&Scheme::HTTPS) { use std::convert::TryFrom; @@ -321,7 +321,7 @@ impl Connector { }) } } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] Inner::RustlsTls { http, tls, .. } => { let mut http = http.clone(); @@ -405,7 +405,7 @@ impl Connector { }); } } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] Inner::RustlsTls { http, tls, @@ -451,7 +451,7 @@ impl Connector { match &mut self.inner { #[cfg(feature = "default-tls")] Inner::DefaultTls(http, _tls) => http.set_keepalive(dur), - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] Inner::RustlsTls { http, .. } => http.set_keepalive(dur), #[cfg(not(feature = "__tls"))] Inner::Http(http) => http.set_keepalive(dur), @@ -571,7 +571,7 @@ impl TlsInfoFactory for hyper_tls::MaybeHttpsStream>> { fn tls_info(&self) -> Option { let peer_certificate = self @@ -584,7 +584,7 @@ impl TlsInfoFactory for tokio_rustls::client::TlsStream>>, @@ -601,7 +601,7 @@ impl TlsInfoFactory } } -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] impl TlsInfoFactory for hyper_rustls::MaybeHttpsStream> { fn tls_info(&self) -> Option { match self { @@ -910,7 +910,7 @@ mod native_tls_conn { } } -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] mod rustls_tls_conn { use super::TlsInfoFactory; use hyper::rt::{Read, ReadBufCursor, Write}; diff --git a/src/lib.rs b/src/lib.rs index d62cb8210..831e3e7f7 100644 --- a/src/lib.rs +++ b/src/lib.rs 
@@ -184,14 +184,26 @@ //! - **native-tls**: Enables TLS functionality provided by `native-tls`. //! - **native-tls-vendored**: Enables the `vendored` feature of `native-tls`. //! - **native-tls-alpn**: Enables the `alpn` feature of `native-tls`. -//! - **rustls-tls**: Enables TLS functionality provided by `rustls`. -//! Equivalent to `rustls-tls-webpki-roots`. -//! - **rustls-tls-manual-roots**: Enables TLS functionality provided by `rustls`, -//! without setting any root certificates. Roots have to be specified manually. -//! - **rustls-tls-webpki-roots**: Enables TLS functionality provided by `rustls`, -//! while using root certificates from the `webpki-roots` crate. -//! - **rustls-tls-native-roots**: Enables TLS functionality provided by `rustls`, -//! while using root certificates from the `rustls-native-certs` crate. +//! - **rustls-tls**: Enables TLS functionality provided by `rustls` with the +//! ring crypto provider. Equivalent to `rustls-tls-webpki-roots`. +//! - **rustls-tls-manual-roots**: Enables TLS functionality provided by `rustls` +//! with the ring crypto provider, without setting any root certificates. Roots +//! have to be specified manually. +//! - **rustls-tls-webpki-roots**: Enables TLS functionality provided by `rustls` +//! with the ring crypto provider, while using root certificates from the +//! `webpki-roots` crate. +//! - **rustls-tls-native-roots**: Enables TLS functionality provided by `rustls` +//! with the ring crypto provider, while using root certificates from the +//! `rustls-native-certs` crate. +//! - **rustls-tls-aws-lc-manual-roots**: Enables TLS functionality provided by `rustls` +//! with the aws-lc-rs crypto provider, without setting any root certificates. Roots +//! have to be specified manually. +//! - **rustls-tls-aws-lc-webpki-roots**: Enables TLS functionality provided by `rustls` +//! with the aws-lc-rs crypto provider, while using root certificates from the +//! `webpki-roots` crate. +//! 
- **rustls-tls-aws-lc-native-roots**: Enables TLS functionality provided by `rustls` +//! with the aws-lc-rs crypto provider, while using root certificates from the +//! `rustls-native-certs` crate. //! - **blocking**: Provides the [blocking][] client API. //! - **charset** *(enabled by default)*: Improved support for decoding text. //! - **cookies**: Provides cookie session support. diff --git a/src/tls.rs b/src/tls.rs index 8f979b15b..6ea675ef4 100644 --- a/src/tls.rs +++ b/src/tls.rs @@ -44,12 +44,12 @@ //! //! [rustls]: https://crates.io/crates/rustls -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] use rustls::{ client::danger::HandshakeSignatureValid, client::danger::ServerCertVerified, client::danger::ServerCertVerifier, DigitallySignedStruct, Error as TLSError, SignatureScheme, }; -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] use rustls_pki_types::{ServerName, UnixTime}; use std::{ fmt, @@ -61,11 +61,11 @@ use std::{ pub struct Certificate { #[cfg(feature = "default-tls")] native: native_tls_crate::Certificate, - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] original: Cert, } -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] #[derive(Clone)] enum Cert { Der(Vec), @@ -75,7 +75,10 @@ enum Cert { /// Represents a private key and X509 cert as a client certificate. #[derive(Clone)] pub struct Identity { - #[cfg_attr(not(any(feature = "native-tls", feature = "__rustls")), allow(unused))] + #[cfg_attr( + not(any(feature = "native-tls", feature = "rustls-base")), + allow(unused) + )] inner: ClientCert, } @@ -84,7 +87,7 @@ enum ClientCert { Pkcs12(native_tls_crate::Identity), #[cfg(feature = "native-tls")] Pkcs8(native_tls_crate::Identity), - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] Pem { key: rustls_pki_types::PrivateKeyDer<'static>, certs: Vec>, 
@@ -98,13 +101,13 @@ impl Clone for ClientCert { Self::Pkcs8(i) => Self::Pkcs8(i.clone()), #[cfg(feature = "native-tls")] Self::Pkcs12(i) => Self::Pkcs12(i.clone()), - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] ClientCert::Pem { key, certs } => ClientCert::Pem { key: key.clone_key(), certs: certs.clone(), }, #[cfg_attr( - any(feature = "native-tls", feature = "__rustls"), + any(feature = "native-tls", feature = "rustls-base"), allow(unreachable_patterns) )] _ => unreachable!(), @@ -133,7 +136,7 @@ impl Certificate { Ok(Certificate { #[cfg(feature = "default-tls")] native: native_tls_crate::Certificate::from_der(der).map_err(crate::error::builder)?, - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] original: Cert::Der(der.to_owned()), }) } @@ -158,7 +161,7 @@ impl Certificate { Ok(Certificate { #[cfg(feature = "default-tls")] native: native_tls_crate::Certificate::from_pem(pem).map_err(crate::error::builder)?, - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] original: Cert::Pem(pem.to_owned()), }) } @@ -194,7 +197,7 @@ impl Certificate { tls.add_root_certificate(self.native); } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] pub(crate) fn add_to_rustls( self, root_cert_store: &mut rustls::RootCertStore, @@ -328,7 +331,7 @@ impl Identity { /// # Optional /// /// This requires the `rustls-tls(-...)` Cargo feature enabled. - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] pub fn from_pem(buf: &[u8]) -> crate::Result { use rustls_pemfile::Item; use std::io::Cursor; @@ -381,12 +384,12 @@ impl Identity { tls.identity(id); Ok(()) } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] ClientCert::Pem { .. } => Err(crate::error::builder("incompatible TLS identity type")), } } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] pub(crate) fn add_to_rustls( self, config_builder: rustls::ConfigBuilder< 
@@ -454,7 +457,7 @@ impl Version { } } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] pub(crate) fn from_rustls(version: rustls::ProtocolVersion) -> Option { match version { rustls::ProtocolVersion::SSLv2 => None, @@ -475,11 +478,14 @@ pub(crate) enum TlsBackend { Default, #[cfg(feature = "native-tls")] BuiltNativeTls(native_tls_crate::TlsConnector), - #[cfg(feature = "__rustls")] + #[cfg(any( + feature = "__rustls_crypto_ring", + feature = "__rustls_crypto_aws_lc-rs" + ))] Rustls, - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] BuiltRustls(rustls::ClientConfig), - #[cfg(any(feature = "native-tls", feature = "__rustls",))] + #[cfg(any(feature = "native-tls", feature = "rustls-base"))] UnknownPreconfigured, } @@ -490,11 +496,11 @@ impl fmt::Debug for TlsBackend { TlsBackend::Default => write!(f, "Default"), #[cfg(feature = "native-tls")] TlsBackend::BuiltNativeTls(_) => write!(f, "BuiltNativeTls"), - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] TlsBackend::Rustls => write!(f, "Rustls"), - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] TlsBackend::BuiltRustls(_) => write!(f, "BuiltRustls"), - #[cfg(any(feature = "native-tls", feature = "__rustls",))] + #[cfg(any(feature = "native-tls", feature = "rustls-base"))] TlsBackend::UnknownPreconfigured => write!(f, "UnknownPreconfigured"), } } @@ -508,7 +514,7 @@ impl Default for TlsBackend { } #[cfg(any( - all(feature = "__rustls", not(feature = "default-tls")), + all(feature = "rustls-base", not(feature = "default-tls")), feature = "http3" ))] { @@ -517,11 +523,11 @@ impl Default for TlsBackend { } } -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] #[derive(Debug)] pub(crate) struct NoVerifier; -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] impl ServerCertVerifier for NoVerifier { fn verify_server_cert( &self, 
@@ -619,13 +625,13 @@ mod tests { Identity::from_pkcs8_pem(b"not pem", b"not key").unwrap_err(); } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] #[test] fn identity_from_pem_invalid() { Identity::from_pem(b"not pem").unwrap_err(); } - #[cfg(feature = "__rustls")] + #[cfg(feature = "rustls-base")] #[test] fn identity_from_pem_pkcs1_key() { let pem = b"-----BEGIN CERTIFICATE-----\n\ diff --git a/tests/badssl.rs b/tests/badssl.rs index 9b001d070..1c482612c 100644 --- a/tests/badssl.rs +++ b/tests/badssl.rs @@ -18,10 +18,7 @@ async fn test_badssl_modern() { assert!(text.contains("mozilla-modern.badssl.com")); } -#[cfg(any( - feature = "rustls-tls-webpki-roots", - feature = "rustls-tls-native-roots" -))] +#[cfg(any(feature = "__rustls_roots_webpki", feature = "__rustls_roots_native"))] #[tokio::test] async fn test_rustls_badssl_modern() { let text = reqwest::Client::builder() diff --git a/tests/client.rs b/tests/client.rs index 1639d68a0..3cdb420b3 100644 --- a/tests/client.rs +++ b/tests/client.rs @@ -319,7 +319,7 @@ async fn overridden_dns_resolution_with_hickory_dns_multiple() { assert_eq!("Hello", text); } -#[cfg(any(feature = "native-tls", feature = "__rustls",))] +#[cfg(any(feature = "native-tls", feature = "rustls-base",))] #[test] fn use_preconfigured_tls_with_bogus_backend() { struct DefinitelyNotTls; @@ -345,7 +345,7 @@ fn use_preconfigured_native_tls_default() { .expect("preconfigured default tls"); } -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] #[test] fn use_preconfigured_rustls_default() { extern crate rustls; @@ -361,7 +361,7 @@ fn use_preconfigured_rustls_default() { .expect("preconfigured rustls tls"); } -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] #[tokio::test] #[ignore = "Needs TLS support in the test server"] async fn http2_upgrade() { diff --git a/tests/redirect.rs b/tests/redirect.rs index c98c799ef..f474b7f88 100644 --- a/tests/redirect.rs +++ b/tests/redirect.rs 
@@ -348,7 +348,7 @@ async fn test_redirect_302_with_set_cookies() { assert_eq!(res.status(), reqwest::StatusCode::OK); } -#[cfg(feature = "__rustls")] +#[cfg(feature = "rustls-base")] #[tokio::test] #[ignore = "Needs TLS support in the test server"] async fn test_redirect_https_only_enforced_gh1312() {