diff --git a/client/build.sh b/client/build.sh
index 80f126c..91c039e 100755
--- a/client/build.sh
+++ b/client/build.sh
@@ -23,18 +23,20 @@ else
 WASMOPTFLAGS=""
 fi
-mv out/epoxy_client_bg.wasm out/epoxy_client_unoptimized.wasm
-(
- G="--generate-global-effects"
- time wasm-opt $WASMOPTFLAGS --enable-threads --enable-bulk-memory --traps-never-happen \
- out/epoxy_client_unoptimized.wasm -o out/epoxy_client_bg.wasm \
- --converge \
- $G --type-unfinalizing $G --type-ssa $G -O4 $G --flatten $G --rereloop $G -O4 $G -O4 $G --type-merging $G --type-finalizing $G -O4 \
- $G --type-unfinalizing $G --type-ssa $G -Oz $G --flatten $G --rereloop $G -Oz $G -Oz $G --type-merging $G --type-finalizing $G -Oz \
- $G --abstract-type-refining $G --code-folding $G --const-hoisting $G --dae $G --flatten $G --dfo $G --merge-locals $G --merge-similar-functions --type-finalizing \
- $G --type-unfinalizing $G --type-ssa $G -O4 $G --flatten $G --rereloop $G -O4 $G -O4 $G --type-merging $G --type-finalizing $G -O4 \
- $G --type-unfinalizing $G --type-ssa $G -Oz $G --flatten $G --rereloop $G -Oz $G -Oz $G --type-merging $G --type-finalizing $G -Oz
-)
+if [ "${RELEASE:-0}" = "1" ]; then
+ mv out/epoxy_client_bg.wasm out/epoxy_client_unoptimized.wasm
+ (
+ G="--generate-global-effects"
+ time wasm-opt $WASMOPTFLAGS --enable-threads --enable-bulk-memory \
+ out/epoxy_client_unoptimized.wasm -o out/epoxy_client_bg.wasm \
+ --converge \
+ $G --type-unfinalizing $G --type-ssa $G -O4 $G --flatten $G --rereloop $G -O4 $G -O4 $G --type-merging $G --type-finalizing $G -O4 \
+ $G --type-unfinalizing $G --type-ssa $G -Oz $G --flatten $G --rereloop $G -Oz $G -Oz $G --type-merging $G --type-finalizing $G -Oz \
+ $G --abstract-type-refining $G --code-folding $G --const-hoisting $G --dae $G --flatten $G --dfo $G --merge-locals $G --merge-similar-functions --type-finalizing \
+ $G --type-unfinalizing $G --type-ssa $G -O4 $G --flatten $G --rereloop $G -O4 $G -O4 $G --type-merging $G --type-finalizing $G -O4 \
+ $G --type-unfinalizing $G --type-ssa $G -Oz $G --flatten $G --rereloop $G -Oz $G -Oz $G --type-merging $G --type-finalizing $G -Oz
+ )
+fi
 echo "[epx] wasm-opt finished"
 # === js ===
diff --git a/client/src/lib.rs b/client/src/lib.rs
index edb05b8..83dce6b 100644
--- a/client/src/lib.rs
+++ b/client/src/lib.rs
@@ -194,7 +194,6 @@ pub struct EpoxyClientOptions {
 pub redirect_limit: usize,
 #[wasm_bindgen(getter_with_clone)]
 pub user_agent: String,
- pub disable_certificate_validation: bool,
 #[cfg(feature = "full")]
 #[wasm_bindgen(getter_with_clone)]
 pub pem_files: Vec,
@@ -216,7 +215,6 @@ impl Default for EpoxyClientOptions {
 websocket_protocols: Vec::new(),
 redirect_limit: 10,
 user_agent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36".to_string(),
- disable_certificate_validation: false,
 #[cfg(feature = "full")]
 pem_files: Vec::new(),
 }
@@ -350,7 +348,7 @@ impl EpoxyClient {
 client,
 redirect_limit: options.redirect_limit,
 user_agent: options.user_agent,
- certs_tampered: options.disable_certificate_validation || !options.pem_files.is_empty(),
+ certs_tampered: !options.pem_files.is_empty(),
 })
 }
diff --git a/client/src/stream_provider.rs b/client/src/stream_provider.rs
index bfd2dde..de0886d 100644
--- a/client/src/stream_provider.rs
+++ b/client/src/stream_provider.rs
@@ -87,18 +87,9 @@ impl StreamProvider {
 }
 }
- let client_config = if options.disable_certificate_validation {
- ClientConfig::builder()
- .dangerous()
- .with_custom_certificate_verifier(Arc::new(NoCertificateVerification(
- default_provider(),
- )))
- .with_no_client_auth()
- } else {
- ClientConfig::builder()
- .with_root_certificates(certstore)
- .with_no_client_auth()
- };
+ let client_config = ClientConfig::builder()
+ .with_root_certificates(certstore)
+ .with_no_client_auth();
 let client_config = Arc::new(client_config);
 Ok(Self {
diff --git a/client/src/utils.rs b/client/src/utils.rs
index 03ace16..306132a 100644
--- a/client/src/utils.rs
+++ b/client/src/utils.rs
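Review bot: `echo "[epx] wasm-opt finished"` stays outside the new `if [ "${RELEASE:-0}" = "1" ]` block, so a non-release build prints that wasm-opt finished even though the whole optimisation step was skipped and `out/epoxy_client_bg.wasm` is the unoptimised artifact. Either move the echo inside the block or give the skip its own message, e.g. `+else` / `+  echo "[epx] RELEASE is not 1, skipping wasm-opt"` before the `+fi`. The `if`/`else` that sets `WASMOPTFLAGS` starts outside the hunk, so whether a failing `wasm-opt` inside the subshell aborts the script (`set -e`) cannot be confirmed from here.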
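Review bot: Removing the `pub disable_certificate_validation` field from the `#[wasm_bindgen]`-exposed `EpoxyClientOptions` (first lib.rs hunk) is a breaking change to the JS-facing API that the commit does not document; a JS caller that still assigns that property will most likely get no error, since there is no setter left to hit, and will silently get full certificate validation instead. That is the safe direction, but it deserves a doc comment on the struct and a changelog note, e.g. `/// Server certificates are always validated; additional trust anchors go through pem_files (feature "full").` The same removal recurs in the `Default` impl (second hunk) and in `certs_tampered: !options.pem_files.is_empty()` (third hunk), where `certs_tampered` now depends on `pem_files` alone. `EpoxyClientOptions`, its `Default` impl and `EpoxyClient::new` all start outside the hunks.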
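Review bot: After the `dangerous()` branch is removed, `NoCertificateVerification` and `default_provider` are no longer referenced in this function, but the stream_provider.rs hunk does not touch the file's `use` block; the bare `NoCertificateVerification(` in the removed code suggests both were imported by name, in which case those imports are now unresolved (the type is deleted in utils.rs) or unused, so confirm the cleanup happened in a part of the file not shown. A one-line comment on the new `let client_config = ClientConfig::builder()` would also make the intent explicit for later contributors: `// Server certificates are always verified against certstore; there is intentionally no opt-out.` The enclosing constructor, including where `certstore` is populated, starts outside the hunk.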
@@ -6,21 +6,12 @@ use std::{
 use async_trait::async_trait;
 use bytes::{buf::UninitSlice, BufMut, Bytes, BytesMut};
-use futures_rustls::{
- rustls::{
- self,
- client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
- crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider},
- DigitallySignedStruct,
- },
- TlsStream,
-};
+use futures_rustls::TlsStream;
 use futures_util::{ready, AsyncRead, AsyncWrite, Future, Stream, StreamExt, TryStreamExt};
 use http::{HeaderValue, Uri};
 use hyper::{body::Body, rt::Executor};
 use js_sys::{Array, ArrayBuffer, JsString, Object, Uint8Array};
 use pin_project_lite::pin_project;
-use rustls_pki_types::{CertificateDer, ServerName, UnixTime};
 use send_wrapper::SendWrapper;
 use wasm_bindgen::{prelude::*, JsCast, JsValue};
 use wasm_bindgen_futures::JsFuture;
@@ -314,60 +305,6 @@ impl AsyncWrite for IgnoreCloseNotify {
 }
 }
-#[derive(Debug)]
-pub(crate) struct NoCertificateVerification(pub CryptoProvider);
-
-impl NoCertificateVerification {
- pub fn new(provider: CryptoProvider) -> Self {
- Self(provider)
- }
-}
-
-impl ServerCertVerifier for NoCertificateVerification {
- fn verify_server_cert(
- &self,
- _end_entity: &CertificateDer<'_>,
- _intermediates: &[CertificateDer<'_>],
- _server_name: &ServerName<'_>,
- _ocsp: &[u8],
- _now: UnixTime,
- ) -> Result {
- Ok(rustls::client::danger::ServerCertVerified::assertion())
- }
-
- fn verify_tls12_signature(
- &self,
- message: &[u8],
- cert: &CertificateDer<'_>,
- dss: &DigitallySignedStruct,
- ) -> Result {
- verify_tls12_signature(
- message,
- cert,
- dss,
- &self.0.signature_verification_algorithms,
- )
- }
-
- fn verify_tls13_signature(
- &self,
- message: &[u8],
- cert: &CertificateDer<'_>,
- dss: &DigitallySignedStruct,
- ) -> Result {
- verify_tls13_signature(
- message,
- cert,
- dss,
- &self.0.signature_verification_algorithms,
- )
- }
-
- fn supported_verify_schemes(&self) -> Vec {
- self.0.signature_verification_algorithms.supported_schemes()
- }
-}
-
 pub fn is_redirect(code: u16) -> bool {
 [301, 302, 303, 307, 308].contains(&code)
 }