awc: add rustls 0.23 support

This also fixes certificate lookup when native-roots is enabled for rustls 0.22.
2024-05-12 17:33:31 -05:00 · 2024-05-12 17:33:31 -05:00 · 22f44148ca
parent 50aa448fd7
commit 22f44148ca
2 changed files with 89 additions and 4 deletions
--- a/awc/Cargo.toml
+++ b/awc/Cargo.toml
@ -27,6 +27,7 @@ features = [
    "rustls-0_20",
    "rustls-0_21",
    "rustls-0_22-webpki-roots",
    "rustls-0_23-webpki-roots",
    "compress-brotli",
    "compress-gzip",
    "compress-zstd",
@ -48,6 +49,10 @@ rustls-0_21 = ["tls-rustls-0_21", "actix-tls/rustls-0_21"]
 rustls-0_22-webpki-roots = ["tls-rustls-0_22", "actix-tls/rustls-0_22-webpki-roots"]
 # TLS via Rustls v0.22 (Native roots)
 rustls-0_22-native-roots = ["tls-rustls-0_22", "actix-tls/rustls-0_22-native-roots"]
 # TLS via Rustls v0.22 (WebPKI roots)
 rustls-0_23-webpki-roots = ["tls-rustls-0_23", "actix-tls/rustls-0_23-webpki-roots"]
 # TLS via Rustls v0.22 (Native roots)
 rustls-0_23-native-roots = ["tls-rustls-0_23", "actix-tls/rustls-0_23-native-roots"]
 # Brotli algorithm content-encoding support
 compress-brotli = ["actix-http/compress-brotli", "__compress"]
@ -104,6 +109,7 @@ tls-openssl = { package = "openssl", version = "0.10.55", optional = true }
 tls-rustls-0_20 = { package = "rustls", version = "0.20", optional = true, features = ["dangerous_configuration"] }
 tls-rustls-0_21 = { package = "rustls", version = "0.21", optional = true, features = ["dangerous_configuration"] }
 tls-rustls-0_22 = { package = "rustls", version = "0.22", optional = true }
 tls-rustls-0_23 = { package = "rustls", version = "0.23", optional = true, default-features = false }
 trust-dns-resolver = { version = "0.23", optional = true }
--- a/awc/src/client/connector.rs
+++ b/awc/src/client/connector.rs
@ -57,6 +57,13 @@ enum OurTlsConnector {
    ))]
    #[allow(dead_code)] // false positive; used in build_tls
    Rustls022(std::sync::Arc<actix_tls::connect::rustls_0_22::reexports::ClientConfig>),
    #[cfg(any(
        feature = "rustls-0_23-webpki-roots",
        feature = "rustls-0_23-native-roots",
    ))]
    #[allow(dead_code)] // false positive; used in build_tls
    Rustls023(std::sync::Arc<actix_tls::connect::rustls_0_23::reexports::ClientConfig>),
 }
 /// Manages HTTP client network connectivity.
@ -96,10 +103,32 @@ impl Connector<()> {
    }
    cfg_if::cfg_if! {
-        if #[cfg(any(feature = "rustls-0_22-webpki-roots", feature = "rustls-0_22-webpki-roots"))] {
+        if #[cfg(any(feature = "rustls-0_23-webpki-roots", feature = "rustls-0_23-native-roots"))] {
-            /// Build TLS connector with Rustls v0.22, based on supplied ALPN protocols.
+            /// Build TLS connector with Rustls v0.23, based on supplied ALPN protocols.
            ///
-            /// Note that if other TLS crate features are enabled, Rustls v0.22 will be used.
+            /// Note that if other TLS crate features are enabled, Rustls v0.23 will be used.
            fn build_tls(protocols: Vec<Vec<u8>>) -> OurTlsConnector {
                use actix_tls::connect::rustls_0_23::{self, reexports::ClientConfig};
                cfg_if::cfg_if! {
                    if #[cfg(feature = "rustls-0_23-webpki-roots")] {
                        let certs = rustls_0_23::webpki_roots_cert_store();
                    } else if #[cfg(feature = "rustls-0_23-native-roots")] {
                        let certs = rustls_0_23::native_roots_cert_store().expect("Failed to find native root certificates");
                    }
                }
                let mut config = ClientConfig::builder()
                    .with_root_certificates(certs)
                    .with_no_client_auth();
                config.alpn_protocols = protocols;
                OurTlsConnector::Rustls023(std::sync::Arc::new(config))
            }
        } else if #[cfg(any(feature = "rustls-0_22-webpki-roots", feature = "rustls-0_22-native-roots"))] {
            /// Build TLS connector with Rustls v0.22, based on supplied ALPN protocols.
            fn build_tls(protocols: Vec<Vec<u8>>) -> OurTlsConnector {
                use actix_tls::connect::rustls_0_22::{self, reexports::ClientConfig};
@ -107,7 +136,7 @@ impl Connector<()> {
                    if #[cfg(feature = "rustls-0_22-webpki-roots")] {
                        let certs = rustls_0_22::webpki_roots_cert_store();
                    } else if #[cfg(feature = "rustls-0_22-native-roots")] {
-                        let certs = rustls_0_22::native_roots_cert_store();
+                        let certs = rustls_0_22::native_roots_cert_store().expect("Failed to find native root certificates");
                    }
                }
@ -278,6 +307,19 @@ where
        self
    }
    /// Sets custom Rustls v0.23 `ClientConfig` instance.
    #[cfg(any(
        feature = "rustls-0_23-webpki-roots",
        feature = "rustls-0_23-native-roots",
    ))]
    pub fn rustls_0_23(
        mut self,
        connector: std::sync::Arc<actix_tls::connect::rustls_0_23::reexports::ClientConfig>,
    ) -> Self {
        self.tls = OurTlsConnector::Rustls023(connector);
        self
    }
    /// Sets maximum supported HTTP major version.
    ///
    /// Supported versions are HTTP/1.1 and HTTP/2.
@ -588,6 +630,43 @@ where
                Some(actix_service::boxed::rc_service(tls_service))
            }
            #[cfg(any(
                feature = "rustls-0_23-webpki-roots",
                feature = "rustls-0_23-native-roots",
            ))]
            OurTlsConnector::Rustls023(tls) => {
                const H2: &[u8] = b"h2";
                use actix_tls::connect::rustls_0_23::{reexports::AsyncTlsStream, TlsConnector};
                #[allow(non_local_definitions)]
                impl<Io: ConnectionIo> IntoConnectionIo for TcpConnection<Uri, AsyncTlsStream<Io>> {
                    fn into_connection_io(self) -> (Box<dyn ConnectionIo>, Protocol) {
                        let sock = self.into_parts().0;
                        let h2 = sock
                            .get_ref()
                            .1
                            .alpn_protocol()
                            .map_or(false, |protos| protos.windows(2).any(|w| w == H2));
                        if h2 {
                            (Box::new(sock), Protocol::Http2)
                        } else {
                            (Box::new(sock), Protocol::Http1)
                        }
                    }
                }
                let handshake_timeout = self.config.handshake_timeout;
                let tls_service = TlsConnectorService {
                    tcp_service: tcp_service_inner,
                    tls_service: TlsConnector::service(tls),
                    timeout: handshake_timeout,
                };
                Some(actix_service::boxed::rc_service(tls_service))
            }
        };
        let tcp_config = self.config.no_disconnect_timeout();