| author | Andrew Kelley <andrew@ziglang.org> | 2023-01-16 15:49:58 -0700 |
|---|---|---|
| committer | Andrew Kelley <andrew@ziglang.org> | 2023-01-17 01:44:56 -0500 |
| commit | d56a65a8c4609a740eee43fd7073c2485c87c2c6 (patch) | |
| tree | 9936fd3bcf55f9426d8a43425c6e092a95658022 /lib | |
| parent | e646becd04c37fbaaa654f6419dd9f5e85d9f210 (diff) | |
| download | zig-d56a65a8c4609a740eee43fd7073c2485c87c2c6.tar.gz zig-d56a65a8c4609a740eee43fd7073c2485c87c2c6.zip | |
std.http.Client: default to lazy root cert scanning
After this change, the system will be inspected for root certificates
only upon the first https request that actually occurs. This makes the
compiler no longer do SSL certificate scanning when running `zig build`
if no network requests are made.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/std/http/Client.zig | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/lib/std/http/Client.zig b/lib/std/http/Client.zig
index e97b366370..7cf512d65f 100644
--- a/lib/std/http/Client.zig
+++ b/lib/std/http/Client.zig
@@ -1,5 +1,7 @@
 //! TODO: send connection: keep-alive and LRU cache a configurable number of
 //! open connections to skip DNS and TLS handshake for subsequent requests.
+//!
+//! This API is *not* thread safe.
 const std = @import("../std.zig");
 const mem = std.mem;
@@ -15,6 +17,9 @@ const testing = std.testing;
 /// managed buffer is not provided.
 allocator: Allocator,
 ca_bundle: std.crypto.Certificate.Bundle = .{},
+/// When this is `true`, the next time this client performs an HTTPS request,
+/// it will first rescan the system for root certificates.
+next_https_rescan_certs: bool = true,
 pub const Connection = struct {
 stream: net.Stream,
@@ -594,6 +599,7 @@ pub const Request = struct {
 CertificateTimeInvalid,
 CertificateHasUnrecognizedObjectId,
 CertificateHasInvalidBitString,
+ CertificateAuthorityBundleTooBig,
 // TODO: convert to higher level errors
 InvalidFormat,
@@ -648,6 +654,10 @@ pub const Request = struct {
 NetworkSubsystemFailed,
 NotDir,
 ReadOnlyFileSystem,
+ Unseekable,
+ MissingEndCertificateMarker,
+ InvalidPadding,
+ EndOfStream,
 };
 pub fn read(req: *Request, buffer: []u8) ReadError!usize {
@@ -837,10 +847,6 @@ pub fn deinit(client: *Client) void {
 client.* = undefined;
 }
-pub fn rescanRootCertificates(client: *Client) !void {
- return client.ca_bundle.rescan(client.allocator);
-}
-
 pub fn connect(client: *Client, host: []const u8, port: u16, protocol: Connection.Protocol) !Connection {
 var conn: Connection = .{
 .stream = try net.tcpConnectToHost(client.allocator, host, port),
@@ -876,6 +882,11 @@ pub fn request(client: *Client, uri: Uri, headers: Request.Headers, options: Req
 const host = uri.host orelse return error.UriMissingHost;
+ if (client.next_https_rescan_certs and protocol == .tls) {
+ try client.ca_bundle.rescan(client.allocator);
+ client.next_https_rescan_certs = false;
+ }
+
 var req: Request = .{
 .client = client,
 .headers = headers, |
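Review bot: The rescan guard in `request` is a check-then-act on a public field with no synchronization, which is consistent with the new "not thread safe" module doc, but the field's doc comment added earlier in this file should state how callers are meant to drive it now that `rescanRootCertificates` is removed: `/// Set to true to force a rescan on the next HTTPS request; set to false after populating ca_bundle yourself to skip system scanning.` Also worth documenting on the field: since the flag is cleared only after `try client.ca_bundle.rescan(client.allocator)` succeeds, a failing scan is retried on every subsequent HTTPS request, and whether `ca_bundle` is left partially populated on that error path depends on `Bundle.rescan`, which is not visible here. `request` starts and ends outside this hunk.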
