expose underlying io error in wisp close reason error, refactor tls config creation

2025-05-12 14:00:01 -04:00 · 2024-11-03 12:47:45 -08:00 · 2024-11-03 12:47:45 -08:00 · 286dcba20a
commit 286dcba20a
parent f3a78a1715
4 changed files with 21 additions and 27 deletions
--- a/client/build.sh
+++ b/client/build.sh
@ -24,9 +24,9 @@ wasm-bindgen --target web --out-dir out/ ../target/wasm32-unknown-unknown/releas
 echo "[epx] wasm-bindgen finished"

 if ! [ "${RELEASE:-0}" = "1" ]; then
-	WASMOPTFLAGS="-g"
+	: "${WASMOPTFLAGS:=-g}"
 else
-	WASMOPTFLAGS=""
+	: "${WASMOPTFLAGS:=}"
 fi

 mv out/epoxy_client_bg.wasm out/epoxy_client_unoptimized.wasm
@ -35,6 +35,7 @@ wasm-opt $WASMOPTFLAGS --signext-lowering out/epoxy_client_unoptimized.wasm -o o
 if [ "${RELEASE:-0}" = "1" ]; then
 	(
 		G="--generate-global-effects"
+		# shellcheck disable=SC2086
 		time wasm-opt $WASMOPTFLAGS \
 			out/epoxy_client_lowered.wasm -o out/epoxy_client_bg.wasm \
 			--converge \
--- a/client/src/lib.rs
+++ b/client/src/lib.rs
@ -99,8 +99,8 @@ pub enum EpoxyError {
 	InvalidDnsName(#[from] futures_rustls::rustls::pki_types::InvalidDnsNameError),
 	#[error("Wisp: {0:?} ({0})")]
 	Wisp(#[from] wisp_mux::WispError),
-	#[error("Wisp server closed: {0}")]
-	WispCloseReason(wisp_mux::CloseReason),
+	#[error("Wisp server closed: {0} (IO error: {1:?} ({1}))")]
+	WispCloseReason(CloseReason, std::io::Error),
 	#[error("IO: {0:?} ({0})")]
 	Io(#[from] std::io::Error),
 	#[error("HTTP: {0:?} ({0})")]
@ -111,6 +111,8 @@ pub enum EpoxyError {
 	Hyper(#[from] hyper::Error),
 	#[error("HTTP ToStr: {0:?} ({0})")]
 	ToStr(#[from] http::header::ToStrError),
+	#[error("Rustls: {0:?} ({0})")]
+	Rustls(#[from] futures_rustls::rustls::Error),
 	#[cfg(feature = "full")]
 	#[error("Pemfile: {0:?} ({0})")]
 	Pemfile(std::io::Error),
@ -218,12 +220,6 @@ impl From<InvalidMethod> for EpoxyError {
 	}
 }

-impl From<CloseReason> for EpoxyError {
-	fn from(value: CloseReason) -> Self {
-		EpoxyError::WispCloseReason(value)
-	}
-}
-
 enum EpoxyResponse {
 	Success(Response<Incoming>),
 	Redirect((Response<Incoming>, http::Request<StreamingBody>)),
--- a/client/src/stream_provider.rs
+++ b/client/src/stream_provider.rs
@ -2,7 +2,7 @@ use std::{io::ErrorKind, pin::Pin, sync::Arc, task::Poll};

 use cfg_if::cfg_if;
 use futures_rustls::{
-	rustls::{crypto::ring::default_provider, ClientConfig, RootCertStore},
+	rustls::{ClientConfig, RootCertStore},
 	TlsConnector,
 };
 use futures_util::{
@ -31,7 +31,9 @@ pub type ProviderUnencryptedAsyncRW = MuxStreamAsyncRW;
 pub type ProviderTlsAsyncRW = IgnoreCloseNotify;
 pub type ProviderAsyncRW = Either<ProviderTlsAsyncRW, ProviderUnencryptedAsyncRW>;
 pub type ProviderWispTransportGenerator = Box<
-	dyn Fn(bool) -> Pin<
+	dyn Fn(
+			bool,
+		) -> Pin<
 			Box<
 				dyn Future<
 						Output = Result<
@ -65,11 +67,14 @@ impl StreamProvider {
 		wisp_generator: ProviderWispTransportGenerator,
 		options: &EpoxyClientOptions,
 	) -> Result<Self, EpoxyError> {
+		let provider = Arc::new(futures_rustls::rustls::crypto::ring::default_provider());
+		let client_config = ClientConfig::builder_with_provider(provider.clone())
+			.with_safe_default_protocol_versions()?;
 		let mut client_config = if options.disable_certificate_validation {
-			ClientConfig::builder()
+			client_config
 				.dangerous()
-				.with_custom_certificate_verifier(Arc::new(NoCertificateVerification::new(
-					default_provider(),
+				.with_custom_certificate_verifier(Arc::new(NoCertificateVerification(
+					provider,
 				)))
 		} else {
 			cfg_if! {
@ -89,7 +94,7 @@ impl StreamProvider {
 					let certstore = RootCertStore::from_iter(TLS_SERVER_ROOTS.iter().cloned());
 				}
 			}
-			ClientConfig::builder().with_root_certificates(certstore)
+			client_config.with_root_certificates(certstore)
 		}
 		.with_no_client_auth();
 		let no_alpn_client_config = Arc::new(client_config.clone());
@ -211,7 +216,7 @@ impl StreamProvider {
 				if matches!(err.kind(), ErrorKind::UnexpectedEof) {
 					// maybe actually a wisp error?
 					if let Some(reason) = stream.get_close_reason() {
-						return Err(reason.into());
+						return Err(EpoxyError::WispCloseReason(reason, err));
 					}
 				}
 				Err(err.into())
--- a/client/src/utils.rs
+++ b/client/src/utils.rs
@ -1,7 +1,5 @@
 use std::{
-	io::ErrorKind,
-	pin::Pin,
-	task::{Context, Poll},
+	io::ErrorKind, pin::Pin, sync::Arc, task::{Context, Poll}
 };

 use async_trait::async_trait;
@ -306,13 +304,7 @@ impl AsyncWrite for IgnoreCloseNotify {
 }

 #[derive(Debug)]
-pub struct NoCertificateVerification(CryptoProvider);
-
-impl NoCertificateVerification {
-	pub fn new(provider: CryptoProvider) -> Self {
-		Self(provider)
-	}
-}
+pub struct NoCertificateVerification(pub Arc<CryptoProvider>);

 impl ServerCertVerifier for NoCertificateVerification {
 	fn verify_server_cert(