wreq-rb 0.5.0 → 0.5.1

data/vendor/wreq/src/tls/conn/ext.rs

@@ -1,82 +1,91 @@
-use boring2::ssl::{SslConnectorBuilder, SslVerifyMode};
+use btls::ssl::{SslConnectorBuilder, SslVerifyMode};
 
 use crate::{
     Error,
     tls::{
-        CertificateCompressionAlgorithm,
-        conn::cert_compression::{
-            BrotliCertificateCompressor, ZlibCertificateCompressor, ZstdCertificateCompressor,
-        },
-        x509::CertStore,
+        compress::{self, CertificateCompressor},
+        trust::{CertStore, Identity},
     },
 };
 
 /// SslConnectorBuilderExt trait for `SslConnectorBuilder`.
 pub trait SslConnectorBuilderExt {
+    /// Configure the Identity for the given `SslConnectorBuilder`.
+    fn set_identity(self, identity: Option<&Identity>) -> crate::Result<SslConnectorBuilder>;
+
     /// Configure the CertStore for the given `SslConnectorBuilder`.
     fn set_cert_store(self, store: Option<&CertStore>) -> crate::Result<SslConnectorBuilder>;
 
     /// Configure the certificate verification for the given `SslConnectorBuilder`.
-    fn set_cert_verification(self, enable: bool) -> crate::Result<SslConnectorBuilder>;
+    fn set_cert_verification(self, enable: bool) -> SslConnectorBuilder;
 
-    /// Configure the certificate compression algorithm for the given `SslConnectorBuilder`.
-    fn add_certificate_compression_algorithms(
+    /// Configure the certificate compressors for the given `SslConnectorBuilder`.
+    fn set_cert_compressors(
         self,
-        algs: Option<&[CertificateCompressionAlgorithm]>,
+        compressors: Option<&[&'static dyn CertificateCompressor]>,
     ) -> crate::Result<SslConnectorBuilder>;
 }
 
 impl SslConnectorBuilderExt for SslConnectorBuilder {
-    #[inline]
+    fn set_identity(mut self, identity: Option<&Identity>) -> crate::Result<SslConnectorBuilder> {
+        if let Some(identity) = identity {
+            self.set_certificate(&identity.cert).map_err(Error::tls)?;
+            self.set_private_key(&identity.pkey).map_err(Error::tls)?;
+            for cert in identity.chain.iter() {
+                // https://www.openssl.org/docs/manmaster/man3/SSL_CTX_add_extra_chain_cert.html
+                // specifies that "When sending a certificate chain, extra chain certificates are
+                // sent in order following the end entity certificate."
+                self.add_extra_chain_cert(cert.clone())
+                    .map_err(Error::tls)?;
+            }
+        }
+        Ok(self)
+    }
+
     fn set_cert_store(mut self, store: Option<&CertStore>) -> crate::Result<SslConnectorBuilder> {
         if let Some(store) = store {
-            store.add_to_tls(&mut self);
+            self.set_cert_store_ref(&store.0)
         } else {
-            self.set_default_verify_paths().map_err(Error::tls)?;
+            #[cfg(feature = "webpki-roots")]
+            {
+                static LOAD_CERTS: std::sync::LazyLock<CertStore> =
+                    std::sync::LazyLock::new(|| {
+                        CertStore::from_der_certs(webpki_root_certs::TLS_SERVER_ROOT_CERTS)
+                            .expect("Failed to load webpki root certificates")
+                    });
+
+                self.set_cert_store_ref(&LOAD_CERTS.0);
+            }
+
+            #[cfg(not(feature = "webpki-roots"))]
+            {
+                self.set_default_verify_paths().map_err(Error::tls)?;
+            }
         }
 
         Ok(self)
     }
 
-    #[inline]
-    fn set_cert_verification(mut self, enable: bool) -> crate::Result<SslConnectorBuilder> {
-        if enable {
-            self.set_verify(SslVerifyMode::PEER);
+    fn set_cert_verification(mut self, enable: bool) -> SslConnectorBuilder {
+        self.set_verify(if enable {
+            SslVerifyMode::PEER
         } else {
-            self.set_verify(SslVerifyMode::NONE);
-        }
-        Ok(self)
+            SslVerifyMode::NONE
+        });
+
+        self
     }
 
-    #[inline]
-    fn add_certificate_compression_algorithms(
+    fn set_cert_compressors(
         mut self,
-        algs: Option<&[CertificateCompressionAlgorithm]>,
+        compressors: Option<&[&'static dyn CertificateCompressor]>,
     ) -> crate::Result<SslConnectorBuilder> {
-        if let Some(algs) = algs {
-            for algorithm in algs.iter() {
-                let res =
-                    match *algorithm {
-                        CertificateCompressionAlgorithm::ZLIB => self
-                            .add_certificate_compression_algorithm(
-                                ZlibCertificateCompressor::default(),
-                            ),
-                        CertificateCompressionAlgorithm::BROTLI => self
-                            .add_certificate_compression_algorithm(
-                                BrotliCertificateCompressor::default(),
-                            ),
-                        CertificateCompressionAlgorithm::ZSTD => self
-                            .add_certificate_compression_algorithm(
-                                ZstdCertificateCompressor::default(),
-                            ),
-                        _ => continue,
-                    };
-
-                if let Err(e) = res {
-                    return Err(Error::tls(e));
-                }
+        if let Some(compressors) = compressors {
+            for compressor in compressors {
+                compress::register(*compressor, &mut self).map_err(Error::tls)?;
             }
         }
+
         Ok(self)
     }
 }

data/vendor/wreq/src/tls/conn/service.rs

@@ -7,22 +7,18 @@ use std::{
 
 use http::{Uri, uri::Scheme};
 use tokio::io::{AsyncRead, AsyncWrite};
-use tokio_boring2::SslStream;
-use tower::Service;
+use tokio_btls::SslStream;
+use tower::{BoxError, Service};
 
 use super::{EstablishedConn, HttpsConnector, MaybeHttpsStream};
 use crate::{
-    client::{ConnectRequest, Connection},
-    error::BoxError,
+    conn::{Connection, descriptor::ConnectionDescriptor},
     ext::UriExt,
 };
 
 type BoxFuture<T, E> = Pin<Box<dyn Future<Output = Result<T, E>> + Send>>;
 
-async fn perform_handshake<T>(
-    ssl: boring2::ssl::Ssl,
-    conn: T,
-) -> Result<MaybeHttpsStream<T>, BoxError>
+async fn perform_handshake<T>(ssl: btls::ssl::Ssl, conn: T) -> Result<MaybeHttpsStream<T>, BoxError>
 where
     T: AsyncRead + AsyncWrite + Unpin,
 {
@@ -49,7 +45,7 @@ where
 
     fn call(&mut self, uri: Uri) -> Self::Future {
         let connect = self.http.call(uri.clone());
-        let inner = self.inner.clone();
+        let tls = self.tls.clone();
 
         let f = async move {
             let conn = connect.await.map_err(Into::into)?;
@@ -59,7 +55,7 @@ where
                 return Ok(MaybeHttpsStream::Http(conn));
             }
 
-            let ssl = inner.setup_ssl(uri)?;
+            let ssl = tls.setup_ssl(uri)?;
             perform_handshake(ssl, conn).await
         };
 
@@ -67,7 +63,7 @@ where
     }
 }
 
-impl<T, S> Service<ConnectRequest> for HttpsConnector<S>
+impl<T, S> Service<ConnectionDescriptor> for HttpsConnector<S>
 where
     S: Service<Uri, Response = T> + Send,
     S::Error: Into<BoxError>,
@@ -83,10 +79,10 @@ where
         self.http.poll_ready(cx).map_err(Into::into)
     }
 
-    fn call(&mut self, req: ConnectRequest) -> Self::Future {
-        let uri = req.uri().clone();
+    fn call(&mut self, descriptor: ConnectionDescriptor) -> Self::Future {
+        let uri = descriptor.uri().clone();
         let connect = self.http.call(uri.clone());
-        let inner = self.inner.clone();
+        let tls = self.tls.clone();
 
         let f = async move {
             let conn = connect.await.map_err(Into::into)?;
@@ -96,7 +92,7 @@ where
                 return Ok(MaybeHttpsStream::Http(conn));
             }
 
-            let ssl = inner.setup_ssl2(req)?;
+            let ssl = tls.setup_ssl2(descriptor)?;
             perform_handshake(ssl, conn).await
         };
 
@@ -122,14 +118,14 @@ where
     }
 
     fn call(&mut self, conn: EstablishedConn<IO>) -> Self::Future {
-        let inner = self.inner.clone();
+        let tls = self.tls.clone();
         let fut = async move {
             // Early return if it is not a tls scheme
-            if conn.req.uri().is_http() {
+            if conn.descriptor.uri().is_http() {
                 return Ok(MaybeHttpsStream::Http(conn.io));
             }
 
-            let ssl = inner.setup_ssl2(conn.req)?;
+            let ssl = tls.setup_ssl2(conn.descriptor)?;
             perform_handshake(ssl, conn.io).await
         };