From 8caa8d741a48d3301d5eeb943624fb8947d8046a Mon Sep 17 00:00:00 2001 From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com> Date: Fri, 27 Mar 2026 16:00:09 -0400 Subject: [PATCH 1/7] use `ring` for non-fips builds fips builds still use `aws-lc-rs` --- Cargo.lock | 81 ++++++++--------------------- libdd-common/Cargo.toml | 29 +++++------ libdd-common/src/connector/mod.rs | 14 ++--- libdd-profiling/Cargo.toml | 14 +++-- libdd-profiling/src/exporter/tls.rs | 20 +++---- 5 files changed, 49 insertions(+), 109 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b4063659e2..0da7b6ce38 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -353,9 +353,9 @@ checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" [[package]] name = "aws-lc-fips-sys" -version = "0.13.5" +version = "0.13.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d9c2e952a1f57e8cbc78b058a968639e70c4ce8b9c0a5e6363d4e5670eed795" +checksum = "f8bce4948d2520386c6d92a6ea2d472300257702242e5a1d01d6add52bd2e7c1" dependencies = [ "bindgen", "cc", @@ -378,9 +378,9 @@ dependencies = [ [[package]] name = "aws-lc-sys" -version = "0.39.1" +version = "0.39.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "83a25cf98105baa966497416dbd42565ce3a8cf8dbfd59803ec9ad46f3126399" +checksum = "1fa7e52a4c5c547c741610a2c6f123f3881e409b714cd27e6798ef020c514f0a" dependencies = [ "cc", "cmake", 
@@ -491,25 +491,22 @@ dependencies = [ [[package]] name = "bindgen" -version = "0.69.5" +version = "0.72.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "271383c67ccabffb7381723dea0672a673f292304fcb45c01cc648c7a8d58088" +checksum = "993776b509cfb49c750f11b8f07a46fa23e0a1386ffc01fb1e7d343efc387895" dependencies = [ "bitflags", "cexpr", "clang-sys", - "itertools 0.11.0", - "lazy_static", - "lazycell", + "itertools", "log", "prettyplease", "proc-macro2", "quote", "regex", - "rustc-hash 1.1.0", + "rustc-hash 2.1.1", "shlex", "syn 2.0.87", - "which", ] [[package]] @@ -810,9 +807,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.58" +version = "1.2.57" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e1e928d4b69e3077709075a938a05ffbedfa53a84c8f766efbf8220bb1ff60e1" +checksum = "7a0dd1ca384932ff3641c8718a02769f1698e7563dc6974ffd03346116310423" dependencies = [ "find-msvc-tools", "jobserver", @@ -950,9 +947,9 @@ checksum = "1462739cb27611015575c0c11df5df7601141071f07518d56fcc1be504cbec97" [[package]] name = "cmake" -version = "0.1.58" +version = "0.1.57" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c0f78a02292a74a88ac736019ab962ece0bc380e3f977bf72e376c5d78ff0678" +checksum = "75443c44cd6b379beb8c5b45d85d0773baf31cce901fe7bb252f4eff3008ef7d" dependencies = [ "cc", ] @@ -1134,7 +1131,7 @@ dependencies = [ "criterion-plot", "csv", "is-terminal", - "itertools 0.10.5", + "itertools", "num-traits", "once_cell", "oorandom", @@ -1155,7 +1152,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6b50826342786a51a89e2da3a28f1c32b06e387201bc2d19791f622c673706b1" dependencies = [ "cast", - "itertools 0.10.5", + "itertools", ] [[package]] 
@@ -2325,15 +2322,6 @@ dependencies = [ "tracing", ] -[[package]] -name = "home" -version = "0.5.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5" -dependencies = [ - "windows-sys 0.52.0", -] - [[package]] name = "http" version = "1.1.0" @@ -2763,15 +2751,6 @@ dependencies = [ "either", ] -[[package]] -name = "itertools" -version = "0.11.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1c173a5686ce8bfa551b3563d0c2170bf24ca44da99c7ca4bfdab5418c3fe57" -dependencies = [ - "either", -] - [[package]] name = "itoa" version = "1.0.11" @@ -2844,12 +2823,6 @@ version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" -[[package]] -name = "lazycell" -version = "1.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" - [[package]] name = "libc" version = "0.2.178" @@ -4291,7 +4264,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "343d3bd7056eda839b03204e68deff7d1b13aba7af2b2fd16890697274262ee7" dependencies = [ "heck 0.5.0", - "itertools 0.11.0", + "itertools", "log", "multimap", "petgraph", @@ -4310,7 +4283,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "27c6023962132f4b30eb4c172c91ce92d933da334c59c23cddee82358ddafb0b" dependencies = [ "anyhow", - "itertools 0.11.0", + "itertools", "proc-macro2", "quote", "syn 2.0.87", @@ -4471,7 +4444,7 @@ dependencies = [ "quinn-udp", "rustc-hash 2.1.1", "rustls", - "socket2 0.6.1", + "socket2 0.5.10", "thiserror 2.0.17", "tokio", "tracing", 
@@ -4480,9 +4453,9 @@ dependencies = [ [[package]] name = "quinn-proto" -version = "0.11.13" +version = "0.11.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1906b49b0c3bc04b5fe5d86a77925ae6524a19b816ae38ce1e426255f1d8a31" +checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098" dependencies = [ "aws-lc-rs", "bytes", @@ -4509,9 +4482,9 @@ dependencies = [ "cfg_aliases", "libc", "once_cell", - "socket2 0.6.1", + "socket2 0.5.10", "tracing", - "windows-sys 0.60.2", + "windows-sys 0.52.0", ] [[package]] @@ -6471,18 +6444,6 @@ dependencies = [ "rustls-pki-types", ] -[[package]] -name = "which" -version = "4.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87ba24419a2078cd2b0f2ede2691b6c66d8e47836da3b6db8265ebad47afbfc7" -dependencies = [ - "either", - "home", - "once_cell", - "rustix 0.38.39", -] - [[package]] name = "widestring" version = "1.2.1" diff --git a/libdd-common/Cargo.toml b/libdd-common/Cargo.toml index 6c7ed2f912..82c20b631a 100644 --- a/libdd-common/Cargo.toml +++ b/libdd-common/Cargo.toml 
@@ -33,13 +33,24 @@ regex = "1.5" # Use hickory-dns instead of the default system DNS resolver to avoid fork safety issues. # The default resolver can hold locks or other global state that can cause deadlocks # or corruption when the process forks (e.g., in PHP-FPM or other forking environments). -reqwest = { version = "0.13.2", features = ["rustls", "hickory-dns"], default-features = false, optional = true } +# Use rustls-no-provider instead of rustls to avoid reqwest forcing aws-lc-rs as the crypto +# backend. We install the ring provider explicitly in connector/mod.rs instead. +reqwest = { version = "0.13.2", features = ["rustls-no-provider", "hickory-dns"], default-features = false, optional = true } rustls-native-certs = { version = "0.8.1", optional = true } thiserror = "1.0" tokio-rustls = { version = "0.26", default-features = false, optional = true } serde = { version = "1.0", features = ["derive"] } static_assertions = "1.1.0" const_format = "0.2.34" +# Use ring as the default crypto provider for non-FIPS builds on all platforms. +# FIPS builds activate aws-lc-rs via the hyper-rustls/fips feature instead. +rustls = { version = "0.23.37", default-features = false, optional = true, features = ["ring"] } +hyper-rustls = { version = "0.27.7", default-features = false, features = [ + "native-tokio", + "http1", + "tls12", + "ring", +], optional = true } [target.'cfg(not(target_arch = "wasm32"))'.dependencies] hyper = { workspace = true } 
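Review bot: `ring` is now an unconditional feature on both `rustls` and `hyper-rustls` in libdd-common/Cargo.toml, so a build that also turns on `hyper-rustls/fips` compiles ring alongside aws-lc-rs rather than "instead" of it, as the added comment says. With two backends enabled rustls cannot choose a provider from crate features (the tls.rs comment in this patch says the same), so a FIPS build depends entirely on the caller installing the FIPS provider first. I would reword the comment to `# ring is always compiled in; FIPS builds additionally enable aws-lc-rs via hyper-rustls/fips and must install that provider at startup.` The `rustls` line added in libdd-profiling/Cargo.toml carries the same wording; how the crate's own `fips` feature is wired is not visible in this hunk.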
@@ -63,22 +74,6 @@ features = [ [target.'cfg(unix)'.dependencies] nix = { version = "0.29", features = ["process"] } -rustls = { version = "0.23.37", default-features = false, optional = true, features = ["aws-lc-rs"] } -hyper-rustls = { version = "0.27.7", default-features = false, features = [ - "native-tokio", - "http1", - "tls12", - "aws-lc-rs", -], optional = true } - -[target.'cfg(not(unix))'.dependencies] -rustls = { version = "0.23.37", default-features = false, optional = true, features = ["ring"] } -hyper-rustls = { version = "0.27.7", default-features = false, features = [ - "native-tokio", - "http1", - "tls12", - "ring", -], optional = true } [dev-dependencies] httparse = "1.9" diff --git a/libdd-common/src/connector/mod.rs b/libdd-common/src/connector/mod.rs index f9de461b9c..3da4a64f79 100644 --- a/libdd-common/src/connector/mod.rs +++ b/libdd-common/src/connector/mod.rs @@ -88,11 +88,8 @@ mod https { use rustls::ClientConfig; - /// When using aws-lc-rs, rustls needs to be initialized with the default CryptoProvider; - /// sometimes this is done as a side-effect of other operations, but we need to ensure it - /// happens here. On non-unix platforms, ddcommon uses `ring` instead, which handles this - /// at rustls initialization. - /// In fips mode we expect someone to have done this already. + /// Ensures the rustls default CryptoProvider is installed (ring for non-FIPS). + /// In FIPS mode, the caller must install the FIPS provider before any TLS use. #[cfg(any(not(feature = "fips"), coverage))] fn ensure_crypto_provider_initialized() { use std::sync::Once; 
@@ -100,15 +97,12 @@ mod https { static INIT_CRYPTO_PROVIDER: Once = Once::new(); INIT_CRYPTO_PROVIDER.call_once(|| { - #[cfg(unix)] - let _ = rustls::crypto::aws_lc_rs::default_provider().install_default(); - #[cfg(not(unix))] let _ = rustls::crypto::ring::default_provider().install_default(); }); } - // This actually needs to be done by the user somewhere in their own main. This will only - // be active on Unix platforms + /// In FIPS mode, the caller must install the FIPS-compliant crypto provider + /// (e.g., aws-lc-rs FIPS) before any TLS connections are established. #[cfg(all(feature = "fips", not(coverage)))] fn ensure_crypto_provider_initialized() {} diff --git a/libdd-profiling/Cargo.toml b/libdd-profiling/Cargo.toml index 4422e4a7da..67c114ef20 100644 --- a/libdd-profiling/Cargo.toml +++ b/libdd-profiling/Cargo.toml 
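Review bot: In libdd-common/src/connector/mod.rs, `let _ = rustls::crypto::ring::default_provider().install_default();` drops the `Err` that rustls returns when a process-wide provider is already installed, so an embedding application that installed a different provider keeps it and ring is not actually "ensured" as the new doc comment states. A short comment on that line would make the intent explicit: `// Err means a provider is already installed process-wide; keep it.` The FIPS variant remains an empty function, so nothing here verifies that the caller really installed a FIPS provider; a check such as `debug_assert!(rustls::crypto::CryptoProvider::get_default().is_some_and(|p| p.fips()));` would surface a misconfigured build early. The non-FIPS function starts in the previous hunk and `mod https` continues outside both.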
@@ -50,11 +50,13 @@ parking_lot = { version = "0.12", default-features = false } prost = "0.14.1" rand = "0.8" # Use rustls to align with the rest of the workspace (libdd-common, libdd-telemetry, etc.) -# This uses the same TLS stack (rustls + aws-lc-rs/ring) as other crates +# Non-FIPS builds use ring as the crypto provider; FIPS builds use aws-lc-rs. # Use hickory-dns instead of the default system DNS resolver to avoid fork safety issues. # The default resolver can hold locks or other global state that can cause deadlocks # or corruption when the process forks (e.g., in PHP-FPM or other forking environments). -reqwest = { version = "0.13.2", features = ["multipart", "rustls", "hickory-dns"], default-features = false} +# Use rustls-no-provider instead of rustls to avoid reqwest forcing aws-lc-rs as the crypto +# backend. We install the ring provider explicitly via tls.rs / libdd-common instead. +reqwest = { version = "0.13.2", features = ["multipart", "rustls-no-provider", "hickory-dns"], default-features = false} rustls-platform-verifier = "0.6" rustc-hash = { version = "1.1", default-features = false } serde = {version = "1.0", features = ["derive"]} @@ -64,12 +66,8 @@ thiserror = "2" tokio = {version = "1.23", features = ["rt", "macros", "net", "io-util", "fs"]} tokio-util = { version = "0.7.1", default-features = false } zstd = { version = "0.13", default-features = false } - -# aws-lc-rs is preferred on Unix; ring is used on Windows where aws-lc-rs has build issues. -[target.'cfg(unix)'.dependencies] -rustls = { version = "0.23.37", default-features = false, features = ["aws-lc-rs"] } - -[target.'cfg(not(unix))'.dependencies] +# ring is the crypto provider for non-FIPS builds on all platforms. +# FIPS builds activate aws-lc-rs via the rustls/fips feature instead. rustls = { version = "0.23.37", default-features = false, features = ["ring"] } [dev-dependencies] 
diff --git a/libdd-profiling/src/exporter/tls.rs b/libdd-profiling/src/exporter/tls.rs index dd9369683d..35742a5549 100644 --- a/libdd-profiling/src/exporter/tls.rs +++ b/libdd-profiling/src/exporter/tls.rs @@ -39,9 +39,8 @@ impl TlsConfig { // Use an explicit CryptoProvider rather than relying on // `CryptoProvider::get_default_or_install_from_crate_features()`. - // Feature unification can enable both `aws-lc-rs` and `ring` in the - // same build (reqwest enables aws-lc-rs while libdd-common enables - // ring on Windows), which causes the automatic detection to panic. + // Feature unification may enable multiple crypto backends in the same + // build, which causes the automatic detection to panic. let provider = rustls::crypto::CryptoProvider::get_default() .cloned() .unwrap_or_else(|| std::sync::Arc::new(Self::default_crypto_provider())); @@ -53,19 +52,12 @@ impl TlsConfig { Ok(Self(config)) } - /// Returns the platform-appropriate default crypto provider. + /// Returns the default crypto provider (ring for non-FIPS builds). /// - /// Matches the convention used by `libdd-common`: `aws-lc-rs` on Unix, - /// `ring` on Windows (where `aws-lc-rs` has issues). + /// Matches the convention used by `libdd-common`: ring on all platforms + /// for non-FIPS. FIPS builds install the aws-lc-rs FIPS provider externally. fn default_crypto_provider() -> rustls::crypto::CryptoProvider { - #[cfg(unix)] - { - rustls::crypto::aws_lc_rs::default_provider() - } - #[cfg(not(unix))] - { - rustls::crypto::ring::default_provider() - } + rustls::crypto::ring::default_provider() } } From 2f2ade1bca6d0a4d94b348acca9190582032a727 Mon Sep 17 00:00:00 2001 From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com> Date: Fri, 27 Mar 2026 16:34:44 -0400 Subject: [PATCH 2/7] tests need to explicitly install rings crypto provider since rustls-no-provider doesnt auto-install one --- libdd-common/tests/reqwest_builder_test.rs | 9 +++++++++ 1 file changed, 9 insertions(+) 
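Review bot: `default_crypto_provider()` in libdd-profiling/src/exporter/tls.rs now returns ring with no `cfg` gate, and the constructor's `.unwrap_or_else(|| std::sync::Arc::new(Self::default_crypto_provider()))` uses it whenever no process-wide provider is installed. In a build intended to be FIPS, a caller that forgets to install the aws-lc-rs FIPS provider would therefore get a ring-backed TLS config silently instead of an error. I would mark the fallback `#[cfg(not(feature = "fips"))]` and, in FIPS builds, return an error when `CryptoProvider::get_default()` is `None`; whether libdd-profiling exposes a `fips` feature is not visible here, so the gate name needs confirming. The constructor begins outside the first hunk.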
diff --git a/libdd-common/tests/reqwest_builder_test.rs b/libdd-common/tests/reqwest_builder_test.rs index 541e435261..b0166aaf0f 100644 --- a/libdd-common/tests/reqwest_builder_test.rs +++ b/libdd-common/tests/reqwest_builder_test.rs @@ -8,6 +8,12 @@ mod tests { }; use libdd_common::Endpoint; + /// With rustls-no-provider, reqwest does not auto-install a crypto provider. + /// Tests that build a reqwest client must ensure one is installed first. + fn ensure_crypto_provider() { + let _ = rustls::crypto::ring::default_provider().install_default(); + } + /// Helper to send a simple HTTP request and return the response async fn send_request( client: reqwest::Client, @@ -26,6 +32,7 @@ mod tests { #[tokio::test] #[cfg_attr(miri, ignore)] async fn test_file_dump_captures_http_request() { + ensure_crypto_provider(); let file_path = create_temp_file_path("libdd_common_test", "http"); // Create endpoint with file:// scheme @@ -89,6 +96,7 @@ mod tests { #[test] #[cfg_attr(miri, ignore)] fn test_both_resolver_configs_build_client() { + ensure_crypto_provider(); let url = "http://example.com/"; for use_system_resolver in [false, true] { let endpoint = Endpoint::from_slice(url).with_system_resolver(use_system_resolver); @@ -150,6 +158,7 @@ mod tests { /// alive, drop client, drop runtime, then count threads after drop. Returns (threads_alive, /// threads_after_drop). fn run_resolver_phase(url_slice: &str, use_system_resolver: bool) -> (usize, usize) { + ensure_crypto_provider(); let rt = tokio::runtime::Builder::new_current_thread() .enable_all() .build() From fb7d601e37eb30292ba25b541d6ca581390db21a Mon Sep 17 00:00:00 2001 
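Review bot: The new `ensure_crypto_provider()` helper in libdd-common/tests/reqwest_builder_test.rs indicates that building a reqwest client through `Endpoint` does not install a rustls provider by itself now that the `reqwest` feature is `rustls-no-provider`, so presumably any non-test caller of that builder has the same precondition. It would be safer for the library's reqwest builder path to run the same once-only initialisation that connector/mod.rs uses, or at least to document the requirement on the public builder. The helper also hard-codes ring, so if the suite is ever run with the `fips` feature these tests would install ring as the process default. The same helper is copied into the libdd-http-client test files in [PATCH 4/7]; a shared test utility would avoid the duplication.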
From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com> Date: Mon, 30 Mar 2026 12:58:12 -0400 Subject: [PATCH 3/7] fix: switch libdd-http-client reqwest to rustls-no-provider New crate from #1624 used reqwest?/rustls which re-introduced aws-lc-rs. Switch to rustls-no-provider to match the rest of the workspace. --- libdd-http-client/Cargo.toml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libdd-http-client/Cargo.toml b/libdd-http-client/Cargo.toml index de0531c825..f01459698a 100644 --- a/libdd-http-client/Cargo.toml +++ b/libdd-http-client/Cargo.toml @@ -14,7 +14,9 @@ bench = false [features] default = ["https", "reqwest-backend"] -https = ["dep:reqwest", "reqwest?/rustls", "libdd-common?/https"] +# Use rustls-no-provider to avoid reqwest forcing aws-lc-rs. Ring provider is +# installed explicitly by libdd-common's connector init. +https = ["dep:reqwest", "reqwest?/rustls-no-provider", "libdd-common?/https"] reqwest-backend = ["dep:reqwest", "reqwest?/hickory-dns", "reqwest?/multipart"] hyper-backend = ["dep:libdd-common", "dep:hyper", "dep:hyper-util", "dep:http-body-util"] fips = ["dep:reqwest", "reqwest?/rustls-no-provider", "dep:rustls", "rustls?/aws-lc-rs"] From d5f5292e0c7f55ed19913f9b9bb9cbcf313d2efc Mon Sep 17 00:00:00 2001 
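Review bot: The comment added above `https` in libdd-http-client/Cargo.toml says the ring provider is installed by libdd-common's connector init, but in the visible feature table `dep:libdd-common` is only activated by `hyper-backend`, while the default set is `["https", "reqwest-backend"]`, where `libdd-common?/https` has no effect. From these lines a default-feature consumer gets a reqwest client with no crypto provider unless it installs one itself, which matches the per-test installs added in [PATCH 4/7]. I would either install the provider when the client is constructed or correct the comment, for example `# reqwest is built without a crypto provider; the application must install one (e.g. ring) before constructing HttpClient.`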
From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com> Date: Mon, 30 Mar 2026 15:21:30 -0400 Subject: [PATCH 4/7] fix: pin rustls-native-certs to <0.8.3 Version 0.8.3+ pulls in openssl-probe@0.2 which probes multiple certificate directories and parses individual cert files instead of loading a single bundle, adding unnecessary I/O overhead in latency-sensitive environments. --- libdd-common/Cargo.toml | 5 ++++- libdd-http-client/Cargo.toml | 1 + libdd-http-client/src/client.rs | 7 +++++++ libdd-http-client/src/config.rs | 7 +++++++ libdd-http-client/tests/connection_pool.rs | 6 ++++++ libdd-http-client/tests/http_round_trip.rs | 10 ++++++++++ libdd-http-client/tests/multipart_test.rs | 6 ++++++ libdd-http-client/tests/retry_test.rs | 10 ++++++++++ libdd-http-client/tests/timeout_test.rs | 7 +++++++ libdd-http-client/tests/uds_round_trip.rs | 5 +++++ libdd-http-client/tests/windows_named_pipe.rs | 6 ++++++ 11 files changed, 69 insertions(+), 1 deletion(-) diff --git a/libdd-common/Cargo.toml b/libdd-common/Cargo.toml index 82c20b631a..49b4faa659 100644 --- a/libdd-common/Cargo.toml +++ b/libdd-common/Cargo.toml 
@@ -36,7 +36,10 @@ regex = "1.5" # Use rustls-no-provider instead of rustls to avoid reqwest forcing aws-lc-rs as the crypto # backend. We install the ring provider explicitly in connector/mod.rs instead. reqwest = { version = "0.13.2", features = ["rustls-no-provider", "hickory-dns"], default-features = false, optional = true } -rustls-native-certs = { version = "0.8.1", optional = true } +# Pinned to <0.8.3: version 0.8.3+ pulls in openssl-probe@0.2 which probes multiple +# certificate directories and parses individual cert files instead of loading a single +# bundle, adding unnecessary I/O overhead in latency-sensitive environments. +rustls-native-certs = { version = ">=0.8.1, <0.8.3", optional = true } thiserror = "1.0" tokio-rustls = { version = "0.26", default-features = false, optional = true } serde = { version = "1.0", features = ["derive"] } diff --git a/libdd-http-client/Cargo.toml b/libdd-http-client/Cargo.toml index f01459698a..e4ba0b4f3d 100644 --- a/libdd-http-client/Cargo.toml +++ b/libdd-http-client/Cargo.toml @@ -36,5 +36,6 @@ http-body-util = { version = "0.1", optional = true } [dev-dependencies] httpmock = "0.8.0-alpha.1" +rustls = { version = "0.23", default-features = false, features = ["ring"] } tokio = { version = "1.23", features = ["rt", "macros", "io-util", "net"] } tempfile = "3" diff --git a/libdd-http-client/src/client.rs b/libdd-http-client/src/client.rs index e730ce90c9..3ca22dae3c 100644 --- a/libdd-http-client/src/client.rs +++ b/libdd-http-client/src/client.rs @@ -104,8 +104,13 @@ impl HttpClient { mod tests { use super::*; + fn ensure_crypto_provider() { + let _ = rustls::crypto::ring::default_provider().install_default(); + } + #[test] fn new_creates_client() { + ensure_crypto_provider(); let client = HttpClient::new("http://localhost:8126".to_owned(), Duration::from_secs(3)); assert!(client.is_ok()); let client = client.unwrap(); 
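Review bot: The requirement `rustls-native-certs = { version = ">=0.8.1, <0.8.3", optional = true }` in libdd-common/Cargo.toml caps the crate below every future 0.8.x release, so fixes to the root-certificate loading code published after 0.8.2 will not be picked up, and a downstream crate that needs 0.8.3 or later may fail to resolve against this library. The added comment explains why the cap exists but not when it can be lifted. I would add a revisit marker such as `# TODO(<tracking-issue placeholder>): drop the <0.8.3 cap once the openssl-probe 0.2 I/O cost is resolved` and keep the crate covered by dependency-audit checks while the cap is in place.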
@@ -115,6 +120,7 @@ mod tests { #[test] fn builder_creates_client() { + ensure_crypto_provider(); let client = HttpClient::builder() .base_url("http://localhost:8126".to_owned()) .timeout(Duration::from_secs(5)) @@ -127,6 +133,7 @@ mod tests { #[cfg_attr(miri, ignore)] #[tokio::test] async fn send_returns_error_when_no_server() { + ensure_crypto_provider(); let client = HttpClient::new("http://localhost".to_owned(), Duration::from_secs(1)).unwrap(); let req = crate::HttpRequest::new( diff --git a/libdd-http-client/src/config.rs b/libdd-http-client/src/config.rs index 1b69934b85..c78bf20717 100644 --- a/libdd-http-client/src/config.rs +++ b/libdd-http-client/src/config.rs @@ -161,6 +161,10 @@ impl HttpClientBuilder { mod tests { use super::*; + fn ensure_crypto_provider() { + let _ = rustls::crypto::ring::default_provider().install_default(); + } + #[test] fn config_getters() { let config = @@ -196,6 +200,7 @@ mod tests { #[test] fn builder_success() { + ensure_crypto_provider(); let client = HttpClientBuilder::new() .base_url("http://localhost:8126".to_owned()) .timeout(Duration::from_secs(3)) @@ -205,6 +210,7 @@ mod tests { #[test] fn builder_treat_http_errors_defaults_true() { + ensure_crypto_provider(); let client = HttpClientBuilder::new() .base_url("http://localhost".to_owned()) .timeout(Duration::from_secs(1)) @@ -215,6 +221,7 @@ mod tests { #[test] fn builder_treat_http_errors_set_false() { + ensure_crypto_provider(); let client = HttpClientBuilder::new() .base_url("http://localhost".to_owned()) .timeout(Duration::from_secs(1)) diff --git a/libdd-http-client/tests/connection_pool.rs b/libdd-http-client/tests/connection_pool.rs index 00259b6d04..eb0ca95bd0 100644 --- a/libdd-http-client/tests/connection_pool.rs +++ b/libdd-http-client/tests/connection_pool.rs 
@@ -5,9 +5,14 @@ use httpmock::prelude::*; use libdd_http_client::{HttpClient, HttpMethod, HttpRequest}; use std::time::Duration; +fn ensure_crypto_provider() { + let _ = rustls::crypto::ring::default_provider().install_default(); +} + #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_multiple_requests_reuse_client() { + ensure_crypto_provider(); let server = MockServer::start_async().await; let mock = server @@ -38,6 +43,7 @@ async fn test_multiple_requests_reuse_client() { #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_concurrent_requests_succeed() { + ensure_crypto_provider(); let server = MockServer::start_async().await; let mock = server diff --git a/libdd-http-client/tests/http_round_trip.rs b/libdd-http-client/tests/http_round_trip.rs index d551328592..e2a275d953 100644 --- a/libdd-http-client/tests/http_round_trip.rs +++ b/libdd-http-client/tests/http_round_trip.rs @@ -5,9 +5,14 @@ use httpmock::prelude::*; use libdd_http_client::{HttpClient, HttpClientError, HttpMethod, HttpRequest}; use std::time::Duration; +fn ensure_crypto_provider() { + let _ = rustls::crypto::ring::default_provider().install_default(); +} + #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_post_round_trip() { + ensure_crypto_provider(); let server = MockServer::start_async().await; let mock = server @@ -34,6 +39,7 @@ async fn test_post_round_trip() { #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_get_round_trip() { + ensure_crypto_provider(); let server = MockServer::start_async().await; let mock = server @@ -59,6 +65,7 @@ async fn test_get_round_trip() { #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_response_headers_returned() { + ensure_crypto_provider(); let server = MockServer::start_async().await; let mock = server @@ -89,6 +96,7 @@ async fn test_response_headers_returned() { #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_4xx_returns_request_failed() { + ensure_crypto_provider(); let server = MockServer::start_async().await; server 
@@ -115,6 +123,7 @@ async fn test_4xx_returns_request_failed() { #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_4xx_returns_ok_when_errors_disabled() { + ensure_crypto_provider(); let server = MockServer::start_async().await; server @@ -141,6 +150,7 @@ async fn test_4xx_returns_ok_when_errors_disabled() { #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_5xx_returns_request_failed() { + ensure_crypto_provider(); let server = MockServer::start_async().await; server diff --git a/libdd-http-client/tests/multipart_test.rs b/libdd-http-client/tests/multipart_test.rs index eb92f95be6..a9a5c20594 100644 --- a/libdd-http-client/tests/multipart_test.rs +++ b/libdd-http-client/tests/multipart_test.rs @@ -5,9 +5,14 @@ use httpmock::prelude::*; use libdd_http_client::{HttpClient, HttpMethod, HttpRequest, MultipartPart}; use std::time::Duration; +fn ensure_crypto_provider() { + let _ = rustls::crypto::ring::default_provider().install_default(); +} + #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_multipart_upload() { + ensure_crypto_provider(); let server = MockServer::start_async().await; let mock = server @@ -39,6 +44,7 @@ async fn test_multipart_upload() { #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_multipart_sets_content_type() { + ensure_crypto_provider(); let server = MockServer::start_async().await; let mock = server diff --git a/libdd-http-client/tests/retry_test.rs b/libdd-http-client/tests/retry_test.rs index 71c5b3aec9..34807e422f 100644 --- a/libdd-http-client/tests/retry_test.rs +++ b/libdd-http-client/tests/retry_test.rs 
@@ -5,9 +5,14 @@ use httpmock::prelude::*; use libdd_http_client::{HttpClient, HttpClientError, HttpMethod, HttpRequest, RetryConfig}; use std::time::Duration; +fn ensure_crypto_provider() { + let _ = rustls::crypto::ring::default_provider().install_default(); +} + #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_retries_on_503() { + ensure_crypto_provider(); let server = MockServer::start_async().await; let mock = server @@ -43,6 +48,7 @@ async fn test_retries_on_503() { #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_retries_on_404() { + ensure_crypto_provider(); let server = MockServer::start_async().await; let mock = server @@ -78,6 +84,7 @@ async fn test_retries_on_404() { #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_no_retry_when_not_configured() { + ensure_crypto_provider(); let server = MockServer::start_async().await; let mock = server @@ -101,6 +108,7 @@ async fn test_no_retry_when_not_configured() { #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_succeeds_after_transient_failure() { + ensure_crypto_provider(); let server = MockServer::start_async().await; // First two calls return 503, third returns 200 @@ -139,6 +147,7 @@ async fn test_succeeds_after_transient_failure() { #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_retries_on_connection_error() { + ensure_crypto_provider(); // Port 1 — nothing listening let client = HttpClient::builder() .base_url("http://127.0.0.1:1".to_owned()) @@ -161,6 +170,7 @@ async fn test_retries_on_connection_error() { #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_backoff_increases() { + ensure_crypto_provider(); let server = MockServer::start_async().await; server diff --git a/libdd-http-client/tests/timeout_test.rs b/libdd-http-client/tests/timeout_test.rs index df7f05209d..e3ac080377 100644 --- a/libdd-http-client/tests/timeout_test.rs +++ b/libdd-http-client/tests/timeout_test.rs 
@@ -5,9 +5,14 @@ use httpmock::prelude::*; use libdd_http_client::{HttpClient, HttpClientError, HttpMethod, HttpRequest}; use std::time::Duration; +fn ensure_crypto_provider() { + let _ = rustls::crypto::ring::default_provider().install_default(); +} + #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_request_times_out() { + ensure_crypto_provider(); let server = MockServer::start_async().await; server @@ -31,6 +36,7 @@ async fn test_request_times_out() { #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_per_request_timeout_overrides_client() { + ensure_crypto_provider(); let server = MockServer::start_async().await; server @@ -57,6 +63,7 @@ async fn test_per_request_timeout_overrides_client() { #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_connection_refused() { + ensure_crypto_provider(); // Use port 1 which is very unlikely to have a listener. let client = HttpClient::new("http://127.0.0.1:1".to_owned(), Duration::from_secs(1)).unwrap(); diff --git a/libdd-http-client/tests/uds_round_trip.rs b/libdd-http-client/tests/uds_round_trip.rs index c5bc12b56c..a8204ad791 100644 --- a/libdd-http-client/tests/uds_round_trip.rs +++ b/libdd-http-client/tests/uds_round_trip.rs @@ -10,9 +10,14 @@ use std::time::Duration; use tokio::io::{AsyncReadExt, AsyncWriteExt}; use tokio::net::UnixListener; +fn ensure_crypto_provider() { + let _ = rustls::crypto::ring::default_provider().install_default(); +} + #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_uds_round_trip() { + ensure_crypto_provider(); let dir = tempfile::tempdir().unwrap(); let socket_path = dir.path().join("test.sock"); diff --git a/libdd-http-client/tests/windows_named_pipe.rs b/libdd-http-client/tests/windows_named_pipe.rs index c92907a3b2..a5b7fd62b5 100644 --- a/libdd-http-client/tests/windows_named_pipe.rs +++ b/libdd-http-client/tests/windows_named_pipe.rs 
@@ -8,9 +8,14 @@ use std::time::Duration; use tokio::io::{AsyncReadExt, AsyncWriteExt}; use tokio::net::windows::named_pipe::ServerOptions; +fn ensure_crypto_provider() { + let _ = rustls::crypto::ring::default_provider().install_default(); +} + #[cfg_attr(miri, ignore)] #[tokio::test] async fn test_named_pipe_round_trip() { + ensure_crypto_provider(); let pipe_name = format!( r"\\.\pipe\dd_http_client_test_{}_{}", std::process::id(), @@ -49,6 +54,7 @@ async fn test_named_pipe_round_trip() { #[test] fn test_named_pipe_client_constructs() { + ensure_crypto_provider(); let client = HttpClient::builder() .base_url("http://localhost".to_owned()) .timeout(Duration::from_secs(5)) From be01b30d12e076caa7f05f4897012b0fc2ec57d9 Mon Sep 17 00:00:00 2001 From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com> Date: Wed, 1 Apr 2026 22:03:02 -0400 Subject: [PATCH 5/7] chore: regenerate LICENSE-3rdparty.csv after removing aws-lc-rs deps --- Cargo.lock | 76 -------------------------------------------- LICENSE-3rdparty.csv | 8 ----- 2 files changed, 84 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0da7b6ce38..8856700ba1 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2075,11 +2075,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73fea8450eea4bac3940448fb7ae50d91f034f941199fcd9d909a5a07aa455f0" dependencies = [ "cfg-if", - "js-sys", "libc", "r-efi", "wasi 0.14.2+wasi-0.2.4", - "wasm-bindgen", ] [[package]] @@ -3446,12 +3444,6 @@ dependencies = [ "value-bag", ] -[[package]] -name = "lru-slab" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154" - [[package]] name = "manual_future" version = "0.1.1" 
@@ -4431,62 +4423,6 @@ dependencies = [ "memchr", ] -[[package]] -name = "quinn" -version = "0.11.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b9e20a958963c291dc322d98411f541009df2ced7b5a4f2bd52337638cfccf20" -dependencies = [ - "bytes", - "cfg_aliases", - "pin-project-lite", - "quinn-proto", - "quinn-udp", - "rustc-hash 2.1.1", - "rustls", - "socket2 0.5.10", - "thiserror 2.0.17", - "tokio", - "tracing", - "web-time", -] - -[[package]] -name = "quinn-proto" -version = "0.11.14" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098" -dependencies = [ - "aws-lc-rs", - "bytes", - "getrandom 0.3.2", - "lru-slab", - "rand 0.9.0", - "ring", - "rustc-hash 2.1.1", - "rustls", - "rustls-pki-types", - "slab", - "thiserror 2.0.17", - "tinyvec", - "tracing", - "web-time", -] - -[[package]] -name = "quinn-udp" -version = "0.5.14" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "addec6a0dcad8a8d96a771f815f0eaf55f9d1805756410b39f5fa81332574cbd" -dependencies = [ - "cfg_aliases", - "libc", - "once_cell", - "socket2 0.5.10", - "tracing", - "windows-sys 0.52.0", -] - [[package]] name = "quote" version = "1.0.37" @@ -4681,7 +4617,6 @@ dependencies = [ "once_cell", "percent-encoding", "pin-project-lite", - "quinn", "rustls", "rustls-pki-types", "rustls-platform-verifier", @@ -4844,7 +4779,6 @@ version = "1.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "21e6f2ab2928ca4291b86736a8bd920a277a399bba1589409d72154ff87c1282" dependencies = [ - "web-time", "zeroize", ] 
@@ -6416,16 +6350,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "web-time" -version = "1.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb" -dependencies = [ - "js-sys", - "wasm-bindgen", -] - [[package]] name = "webpki-root-certs" version = "1.0.5" diff --git a/LICENSE-3rdparty.csv b/LICENSE-3rdparty.csv index 8474b7764c..71b01b6ed6 100644 --- a/LICENSE-3rdparty.csv +++ b/LICENSE-3rdparty.csv @@ -175,7 +175,6 @@ hermit-abi,https://github.com/hermit-os/hermit-rs,MIT OR Apache-2.0,Stefan Lanke hex,https://github.com/KokaKiwi/rust-hex,MIT OR Apache-2.0,KokaKiwi hickory-proto,https://github.com/hickory-dns/hickory-dns,MIT OR Apache-2.0,The contributors to Hickory DNS hickory-resolver,https://github.com/hickory-dns/hickory-dns,MIT OR Apache-2.0,The contributors to Hickory DNS -home,https://github.com/rust-lang/cargo,MIT OR Apache-2.0,Brian Anderson http,https://github.com/hyperium/http,MIT OR Apache-2.0,"Alex Crichton , Carl Lerche , Sean McArthur " http-body,https://github.com/hyperium/http-body,MIT,"Carl Lerche , Lucio Franco , Sean McArthur " http-body-util,https://github.com/hyperium/http-body,MIT,"Carl Lerche , Lucio Franco , Sean McArthur " @@ -220,7 +219,6 @@ js-sys,https://github.com/rustwasm/wasm-bindgen/tree/master/crates/js-sys,MIT OR kernel32-sys,https://github.com/retep998/winapi-rs,MIT,Peter Atashian kv-log-macro,https://github.com/yoshuawuyts/kv-log-macro,MIT OR Apache-2.0,Yoshua Wuyts lazy_static,https://github.com/rust-lang-nursery/lazy-static.rs,MIT OR Apache-2.0,Marvin Löbel -lazycell,https://github.com/indiv0/lazycell,MIT OR Apache-2.0,"Alex Crichton , Nikita Pekin " libc,https://github.com/rust-lang/libc,MIT OR Apache-2.0,The Rust Project Developers libloading,https://github.com/nagisa/rust_libloading,ISC,Simonas Kazlauskas libredox,https://gitlab.redox-os.org/redox-os/libredox,MIT,4lDO2 <4lDO2@protonmail.com> 
@@ -230,7 +228,6 @@ linux-raw-sys,https://github.com/sunfishcode/linux-raw-sys,Apache-2.0 WITH LLVM- litemap,https://github.com/unicode-org/icu4x,Unicode-3.0,The ICU4X Project Developers lock_api,https://github.com/Amanieu/parking_lot,MIT OR Apache-2.0,Amanieu d'Antras log,https://github.com/rust-lang/log,MIT OR Apache-2.0,The Rust Project Developers -lru-slab,https://github.com/Ralith/lru-slab,MIT OR Apache-2.0 OR Zlib,Benjamin Saunders manual_future,https://github.com/dmarcuse/manual_future,MIT,Dominic Marcuse matchers,https://github.com/hawkw/matchers,MIT,Eliza Weisman matchit,https://github.com/ibraheemdev/matchit,MIT AND BSD-3-Clause,Ibraheem Ahmed @@ -323,9 +320,6 @@ pyo3-macros,https://github.com/pyo3/pyo3,MIT OR Apache-2.0,PyO3 Project and Cont pyo3-macros-backend,https://github.com/pyo3/pyo3,MIT OR Apache-2.0,PyO3 Project and Contributors quick-error,http://github.com/tailhook/quick-error,MIT OR Apache-2.0,"Paul Colomiets , Colin Kiegel " quick-xml,https://github.com/tafia/quick-xml,MIT,The quick-xml Authors -quinn,https://github.com/quinn-rs/quinn,MIT OR Apache-2.0,The quinn Authors -quinn-proto,https://github.com/quinn-rs/quinn,MIT OR Apache-2.0,The quinn-proto Authors -quinn-udp,https://github.com/quinn-rs/quinn,MIT OR Apache-2.0,The quinn-udp Authors quote,https://github.com/dtolnay/quote,MIT OR Apache-2.0,David Tolnay r-efi,https://github.com/r-efi/r-efi,MIT OR Apache-2.0 OR LGPL-2.1-or-later,The r-efi Authors rand,https://github.com/rust-random/rand,MIT OR Apache-2.0,"The Rand Project Developers, The Rust Project Developers" 
@@ -499,10 +493,8 @@ wasm-bindgen-macro,https://github.com/rustwasm/wasm-bindgen/tree/master/crates/m wasm-bindgen-macro-support,https://github.com/rustwasm/wasm-bindgen/tree/master/crates/macro-support,MIT OR Apache-2.0,The wasm-bindgen Developers wasm-bindgen-shared,https://github.com/rustwasm/wasm-bindgen/tree/master/crates/shared,MIT OR Apache-2.0,The wasm-bindgen Developers web-sys,https://github.com/rustwasm/wasm-bindgen/tree/master/crates/web-sys,MIT OR Apache-2.0,The wasm-bindgen Developers -web-time,https://github.com/daxpedda/web-time,MIT OR Apache-2.0,The web-time Authors webpki-root-certs,https://github.com/rustls/webpki-roots,CDLA-Permissive-2.0,The webpki-root-certs Authors webpki-roots,https://github.com/rustls/webpki-roots,CDLA-Permissive-2.0,The webpki-roots Authors -which,https://github.com/harryfei/which-rs,MIT,Harry Fei widestring,https://github.com/VoidStarKat/widestring-rs,MIT OR Apache-2.0,The widestring Authors winapi,https://github.com/retep998/winapi-rs,MIT,Peter Atashian winapi,https://github.com/retep998/winapi-rs,MIT OR Apache-2.0,Peter Atashian From b47664a93640105a4dec765a444bf6f305232f38 Mon Sep 17 00:00:00 2001 From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com> Date: Thu, 2 Apr 2026 16:18:25 -0400 Subject: [PATCH 6/7] fix: propagate fips feature from libdd-http-client to libdd-common Without this, FIPS builds through libdd-http-client's hyper backend would use libdd-common's default connector which installs ring. Propagating fips ensures libdd-common skips ring init and uses the FIPS-compliant hyper-rustls/fips path instead. --- libdd-http-client/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libdd-http-client/Cargo.toml b/libdd-http-client/Cargo.toml index e4ba0b4f3d..a8a87b6305 100644 --- a/libdd-http-client/Cargo.toml +++ b/libdd-http-client/Cargo.toml 
@@ -19,7 +19,7 @@ default = ["https", "reqwest-backend"] https = ["dep:reqwest", "reqwest?/rustls-no-provider", "libdd-common?/https"] reqwest-backend = ["dep:reqwest", "reqwest?/hickory-dns", "reqwest?/multipart"] hyper-backend = ["dep:libdd-common", "dep:hyper", "dep:hyper-util", "dep:http-body-util"] -fips = ["dep:reqwest", "reqwest?/rustls-no-provider", "dep:rustls", "rustls?/aws-lc-rs"] +fips = ["dep:reqwest", "reqwest?/rustls-no-provider", "dep:rustls", "rustls?/aws-lc-rs", "libdd-common?/fips"] [dependencies] bytes = "1.4" From 449f27cdb1a99c4cf423d42b407fc94e61b4d45e Mon Sep 17 00:00:00 2001 From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com> Date: Thu, 2 Apr 2026 16:33:31 -0400 Subject: [PATCH 7/7] refactor: separate TLS plumbing from crypto provider selection Introduce tls-core feature for TLS plumbing (rustls, hyper-rustls, tokio-rustls, rustls-native-certs) without a crypto provider. The https and fips features now both build on tls-core and add their respective provider: - https = tls-core + ring - fips = tls-core + aws-lc-rs (via hyper-rustls/fips) This ensures FIPS builds only compile aws-lc-rs without ring, avoiding unnecessary binary bloat from shipping both crypto backends. Updated all cfg(feature = "https") gates to cfg(feature = "tls-core") so TLS code compiles under both https and fips features. --- libdd-common/Cargo.toml | 14 ++++++++------ libdd-common/src/connector/conn_stream.rs | 14 +++++++------- libdd-common/src/connector/mod.rs | 14 +++++++------- 3 files changed, 22 insertions(+), 20 deletions(-) diff --git a/libdd-common/Cargo.toml b/libdd-common/Cargo.toml index 49b4faa659..ae1f2bf164 100644 --- a/libdd-common/Cargo.toml +++ b/libdd-common/Cargo.toml 
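Review bot: The new `libdd-common?/fips` entry on the `fips` line does not by itself keep ring out of a FIPS build, because `default` still contains `https` and `https` forwards `libdd-common?/https`. Cargo features are additive, so `--features fips` without `--no-default-features` turns on both. After PATCH 7/7 `libdd-common/https` means `tls-core` plus ring, so the same applies to the `[features]` hunk in libdd-common/Cargo.toml. The `?` also makes the forwarding a no-op unless `hyper-backend` has enabled `dep:libdd-common`, so I would document the requirement next to the feature: `# fips: build with default-features = false; otherwise https also enables ring in libdd-common`. Separately, `rustls?/aws-lc-rs` only selects the aws-lc-rs provider and rustls has a distinct `fips` feature, so confirm the FIPS build of the provider is enabled somewhere for the reqwest path.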
@@ -45,14 +45,13 @@ tokio-rustls = { version = "0.26", default-features = false, optional = true } serde = { version = "1.0", features = ["derive"] } static_assertions = "1.1.0" const_format = "0.2.34" -# Use ring as the default crypto provider for non-FIPS builds on all platforms. -# FIPS builds activate aws-lc-rs via the hyper-rustls/fips feature instead. -rustls = { version = "0.23.37", default-features = false, optional = true, features = ["ring"] } +# Declare rustls and hyper-rustls without a crypto provider. The provider is +# selected via features: `https` enables ring, `fips` enables aws-lc-rs. +rustls = { version = "0.23.37", default-features = false, optional = true } hyper-rustls = { version = "0.27.7", default-features = false, features = [ "native-tokio", "http1", "tls12", - "ring", ], optional = true } [target.'cfg(not(target_arch = "wasm32"))'.dependencies] @@ -91,13 +90,16 @@ tokio = { version = "1.23", features = ["rt", "macros", "time"] } [features] default = ["https"] -https = ["tokio-rustls", "rustls", "hyper-rustls", "rustls-native-certs"] +# TLS plumbing without a crypto provider. Use `https` or `fips` to select one. +tls-core = ["tokio-rustls", "rustls", "hyper-rustls", "rustls-native-certs"] +# Default HTTPS: ring as crypto provider +https = ["tls-core", "rustls/ring", "hyper-rustls/ring"] use_webpki_roots = ["hyper-rustls/webpki-roots"] # Enable this feature to enable stubbing of cgroup # php directly import this crate and uses functions gated by this feature for their test cgroup_testing = [] # FIPS mode uses the FIPS-compliant cryptographic provider (Unix only) -fips = ["https", "hyper-rustls/fips"] +fips = ["tls-core", "hyper-rustls/fips"] # Enable reqwest client builder support with file dump debugging reqwest = ["dep:reqwest", "test-utils"] # Enable test utilities for use in other crates diff --git a/libdd-common/src/connector/conn_stream.rs b/libdd-common/src/connector/conn_stream.rs index 367aade8c9..6fdedfdd56 100644 
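Review bot: `tls-core` is a selectable feature that compiles the TLS code paths with no crypto provider, and neither the `[features]` hunk nor its comments say what happens when it is enabled alone. With neither `rustls/ring` nor `hyper-rustls/fips` selected, rustls has no provider compiled in, so connector setup would presumably fail at run time rather than at build time. Unless installing a provider from outside the crate is an intended use, a guard in the crate root would turn that into a build error: `#[cfg(all(feature = "tls-core", not(any(feature = "https", feature = "fips"))))] compile_error!("tls-core requires https or fips");`. At minimum the comment should read `# TLS plumbing without a crypto provider; not usable on its own, enable https or fips.`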
--- a/libdd-common/src/connector/conn_stream.rs +++ b/libdd-common/src/connector/conn_stream.rs @@ -17,7 +17,7 @@ pub enum ConnStream { #[pin] transport: TokioIo, }, - #[cfg(feature = "https")] + #[cfg(feature = "tls-core")] Tls { #[pin] transport: @@ -84,7 +84,7 @@ impl ConnStream { }) } - #[cfg(feature = "https")] + #[cfg(feature = "tls-core")] pub fn from_https_connector_with_uri( c: &mut hyper_rustls::HttpsConnector, uri: hyper::Uri, @@ -119,7 +119,7 @@ impl hyper::rt::Read for ConnStream { ) -> Poll> { match self.project() { ConnStreamProj::Tcp { transport } => transport.poll_read(cx, buf), - #[cfg(feature = "https")] + #[cfg(feature = "tls-core")] ConnStreamProj::Tls { transport } => transport.poll_read(cx, buf), #[cfg(unix)] ConnStreamProj::Udp { transport } => transport.poll_read(cx, buf), @@ -133,7 +133,7 @@ impl connect::Connection for ConnStream { fn connected(&self) -> connect::Connected { match self { Self::Tcp { transport } => transport.connected(), - #[cfg(feature = "https")] + #[cfg(feature = "tls-core")] Self::Tls { transport } => { let (tcp, _) = transport.inner().get_ref(); tcp.inner().inner().connected() @@ -154,7 +154,7 @@ impl hyper::rt::Write for ConnStream { ) -> Poll> { match self.project() { ConnStreamProj::Tcp { transport } => transport.poll_write(cx, buf), - #[cfg(feature = "https")] + #[cfg(feature = "tls-core")] ConnStreamProj::Tls { transport } => transport.poll_write(cx, buf), #[cfg(unix)] ConnStreamProj::Udp { transport } => transport.poll_write(cx, buf), @@ -169,7 +169,7 @@ impl hyper::rt::Write for ConnStream { ) -> Poll> { match self.project() { ConnStreamProj::Tcp { transport } => transport.poll_shutdown(cx), - #[cfg(feature = "https")] + #[cfg(feature = "tls-core")] ConnStreamProj::Tls { transport } => transport.poll_shutdown(cx), #[cfg(unix)] ConnStreamProj::Udp { transport } => transport.poll_shutdown(cx), 
@@ -181,7 +181,7 @@ impl hyper::rt::Write for ConnStream { fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll> { match self.project() { ConnStreamProj::Tcp { transport } => transport.poll_flush(cx), - #[cfg(feature = "https")] + #[cfg(feature = "tls-core")] ConnStreamProj::Tls { transport } => transport.poll_flush(cx), #[cfg(unix)] ConnStreamProj::Udp { transport } => transport.poll_flush(cx), diff --git a/libdd-common/src/connector/mod.rs b/libdd-common/src/connector/mod.rs index 3da4a64f79..c0307811ea 100644 --- a/libdd-common/src/connector/mod.rs +++ b/libdd-common/src/connector/mod.rs @@ -23,7 +23,7 @@ use conn_stream::{ConnStream, ConnStreamError}; #[derive(Clone)] pub enum Connector { Http(connect::HttpConnector), - #[cfg(feature = "https")] + #[cfg(feature = "tls-core")] Https(hyper_rustls::HttpsConnector), } @@ -39,7 +39,7 @@ impl Connector { /// Make sure this function is not called frequently. Fetching the root certificates is an /// expensive operation. Access the globally cached connector via Connector::default(). fn new() -> Self { - #[cfg(feature = "https")] + #[cfg(feature = "tls-core")] { #[cfg(feature = "use_webpki_roots")] let https_connector_fn = https::build_https_connector_with_webpki_roots; @@ -51,7 +51,7 @@ impl Connector { Err(_) => Connector::Http(connect::HttpConnector::new()), } } - #[cfg(not(feature = "https"))] + #[cfg(not(feature = "tls-core"))] { Connector::Http(connect::HttpConnector::new()) } @@ -73,7 +73,7 @@ impl Connector { ConnStream::from_http_connector_with_uri(c, uri).boxed() } } - #[cfg(feature = "https")] + #[cfg(feature = "tls-core")] Self::Https(c) => { ConnStream::from_https_connector_with_uri(c, uri, require_tls).boxed() } @@ -81,7 +81,7 @@ impl Connector { } } -#[cfg(feature = "https")] +#[cfg(feature = "tls-core")] mod https { #[cfg(feature = "use_webpki_roots")] use hyper_rustls::ConfigBuilderExt; 
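Review bot: In `Connector::new` the `Err(_) => Connector::Http(connect::HttpConnector::new())` arm, shown as context in the `-51,7` hunk, drops the HTTPS connector error and continues with a plain HTTP connector. Widening the gate to `tls-core` makes that path reachable from builds that have TLS code but no crypto provider. If connector construction fails there (the builder is outside the hunk, so this is inferred), the process starts without TLS and nothing records why. I would bind the error and report it through the crate's existing logging before falling back, e.g. `Err(e) => { /* report e */ Connector::Http(connect::HttpConnector::new()) }`, and state in the doc comment whether https URIs are rejected in that state. `Connector::new` starts and ends outside these hunks.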
@@ -185,7 +185,7 @@ impl tower_service::Service for Connector { fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll> { match self { Connector::Http(c) => c.poll_ready(cx).map_err(|e| e.into()), - #[cfg(feature = "https")] + #[cfg(feature = "tls-core")] Connector::Https(c) => c.poll_ready(cx), } } @@ -238,7 +238,7 @@ mod tests { #[test] #[cfg_attr(miri, ignore)] #[cfg(feature = "use_webpki_roots")] - #[cfg(feature = "https")] + #[cfg(feature = "tls-core")] /// Verify that Connector builds an Https connector using webpki certificates /// even when native root certificates are not available. fn test_missing_root_certificates_use_webpki_certificates() {