rtls.rs source code [crates/ureq/src/rtls.rs]

1	use std::convert::TryFrom;
2	use std::fmt;
3	use std::io::{self, Read, Write};
4	use std::net::TcpStream;
5	use std::sync::Arc;
6
7	use once_cell::sync::Lazy;
8
9	use crate::ErrorKind;
10	use crate::{
11	stream::{ReadWrite, TlsConnector},
12	Error,
13	};
14
15	#[allow(deprecated)]
16	fn is_close_notify(e: &std::io::Error) -> bool {
17	if e.kind() != io::ErrorKind::ConnectionAborted {
18	return `false`;
19	}
20
21	if let Some(msg: &(dyn Error + Send + Sync)) = e.get_ref() {
22	// :(
23
24	return msg.description().contains("CloseNotify");
25	}
26
27	`false`
28	}
29
30	struct RustlsStream(rustls::StreamOwned<rustls::ClientConnection, Box<dyn ReadWrite>>);
31
32	impl ReadWrite for RustlsStream {
33	fn socket(&self) -> Option<&TcpStream> {
34	self.0.get_ref().socket()
35	}
36	}
37
38	// TODO: After upgrading to rustls 0.20 or higher, we can remove these Read
39	// and Write impls, leaving only `impl TlsStream for rustls::StreamOwned...`.
40	// Currently we need to implement Read in order to treat close_notify specially.
41	// The next release of rustls will handle close_notify in a more intuitive way.
42	impl Read for RustlsStream {
43	fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
44	match self.0.read(buf) {
45	Ok(size: usize) => Ok(size),
46	Err(ref e: &Error) if is_close_notify(e) => Ok(`0`),
47	Err(e: Error) => Err(e),
48	}
49	}
50	}
51
52	impl Write for RustlsStream {
53	fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
54	self.0.write(buf)
55	}
56
57	fn flush(&mut self) -> io::Result<()> {
58	self.0.flush()
59	}
60	}
61
62	#[cfg(feature = "native-certs")]
63	fn root_certs() -> rustls::RootCertStore {
64	use log::error;
65
66	let mut root_cert_store = rustls::RootCertStore::empty();
67	let native_certs = rustls_native_certs::load_native_certs().unwrap_or_else(\|e\| {
68	error!("loading native certificates: {}", e);
69	vec![]
70	});
71	let (valid_count, invalid_count) =
72	root_cert_store.add_parsable_certificates(native_certs.into_iter().map(\|c\| c.into()));
73	if valid_count == `0` && invalid_count > `0` {
74	error!(
75	"no valid certificates loaded by rustls-native-certs. all HTTPS requests will fail."
76	);
77	}
78	root_cert_store
79	}
80
81	#[cfg(not(feature = "native-certs"))]
82	fn root_certs() -> rustls::RootCertStore {
83	rustls::RootCertStore {
84	roots: webpki_roots::TLS_SERVER_ROOTS.to_vec(),
85	}
86	}
87
88	impl TlsConnector for Arc<rustls::ClientConfig> {
89	fn connect(
90	&self,
91	dns_name: &str,
92	mut io: Box<dyn ReadWrite>,
93	) -> Result<Box<dyn ReadWrite>, Error> {
94	let dns_name = if dns_name.starts_with('[') && dns_name.ends_with(']') {
95	// rustls doesn't like ipv6 addresses with brackets
96	&dns_name[`1`..dns_name.len() - `1`]
97	} else {
98	dns_name
99	};
100
101	let sni = rustls_pki_types::ServerName::try_from(dns_name)
102	.map_err(\|e\| ErrorKind::Dns.msg(format!("parsing '{}'", dns_name)).src(e))?
103	.to_owned();
104
105	let mut sess = rustls::ClientConnection::new(self.clone(), sni)
106	.map_err(\|e\| ErrorKind::Io.msg("tls connection creation failed").src(e))?;
107
108	sess.complete_io(&mut io).map_err(\|e\| {
109	ErrorKind::ConnectionFailed
110	.msg("tls connection init failed")
111	.src(e)
112	})?;
113	let stream = rustls::StreamOwned::new(sess, io);
114
115	Ok(Box::new(RustlsStream(stream)))
116	}
117	}
118
119	pub fn default_tls_config() -> Arc<dyn TlsConnector> {
120	static TLS_CONF: Lazy<Arc<dyn TlsConnector>> = Lazy::new(\|\| {
121	// `ureq` prefers to use `ring` by default. It unconditionally activates the Rustls
122	// feature for this backend, so we know `rustls::crypto::ring::default_provider()` is
123	// available. We use `builder_with_provider()` instead of `builder()` here to avoid the
124	// risk that the rustls features are ambiguous and no process wide default crypto provider
125	// has been set yet.
126	let config: ClientConfig = rustlsConfigBuilder::ClientConfig::builder_with_provider(
127	rustls::crypto::ring::default_provider().into(),
128	)
129	.with_protocol_versions(&[&rustls::version::TLS12, &rustls::version::TLS13])
130	.unwrap() // Safety: the ring* default provider always configures ciphersuites compatible w/ both TLS 1.2 & TLS 1.3*
131	.with_root_certificates(root_store:root_certs())
132	.with_no_client_auth();
133	Arc::new(data:Arc::new(data:config))
134	});
135	TLS_CONF.clone()
136	}
137
138	impl fmt::Debug for RustlsStream {
139	fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
140	f.debug_tuple(name:"RustlsStream").finish()
141	}
142	}
143