wreq 6.0.0-rc.29

An ergonomic Rust HTTP Client with TLS fingerprint
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205

//! TLS session caching and resumption.
//!
//! Handshakes are expensive. This module lets you reuse sessions to save
//! CPU cycles and reduce latency.
//!
//! By default, we use an in-memory LRU cache, but you can plug in your own
//! implementation if you're running at scale or need to share sessions
//! across multiple instances.

use std::{
    borrow::Borrow,
    collections::{HashMap, hash_map::Entry},
    hash::{Hash, Hasher},
    num::NonZeroUsize,
    sync::Arc,
};

use btls::ssl::{SslSession, SslVersion};
use lru::LruCache;

use crate::{conn::descriptor::ConnectionId, sync::Mutex, tls::TlsVersion};

/// An opaque key identifying a TLS session cache entry.
#[derive(Clone, PartialEq, Eq, Hash)]
pub struct Key(pub(super) ConnectionId);

/// A TLS session that can be stored and retrieved from a session cache.
#[derive(Clone)]
pub struct TlsSession(pub(super) SslSession);

/// A trait for cache storing and retrieving TLS sessions.
///
/// # TLS 1.3 Session Handling
///
/// For TLS 1.3 sessions, implementations **should** remove the session after
/// retrieval to comply with [RFC 8446 Appendix C.4](https://tools.ietf.org/html/rfc8446#appendix-C.4),
/// which requires that session tickets are used at most once to prevent
/// concurrent handshakes from reusing the same session.
pub trait TlsSessionCache: Send + Sync {
    /// Store a TLS session associated with the given key.
    fn put(&self, key: Key, session: TlsSession);

    /// Retrieve a TLS session for the given key.
    ///
    /// For TLS 1.3, the session should be removed from the cache upon retrieval
    /// to ensure single-use semantics (see [RFC 8446 Appendix C.4]).
    fn pop(&self, key: &Key) -> Option<TlsSession>;
}

impl_into_shared!(
    /// Trait for converting types into a shared [`TlsSessionCache`].
    ///
    /// This allows accepting bare types, `Arc<T>`, or `Arc<dyn TlsSessionCache>`.
    pub trait IntoTlsSessionCache => TlsSessionCache
);

/// The default two-level LRU session cache.
///
/// Maintains both forward (key → sessions) and reverse (session → key) lookups
/// for efficient session storage, retrieval, and cleanup operations.
///
/// This is the built-in implementation of [`TlsSessionCache`] used when no
/// custom session store is configured.
pub struct LruTlsSessionCache {
    inner: Mutex<Inner>,
    per_host_session_capacity: usize,
}

struct Inner {
    reverse: HashMap<TlsSession, Key>,
    per_host_sessions: HashMap<Key, LruCache<TlsSession, ()>>,
}

// ===== impl TlsSession =====

impl TlsSession {
    /// Returns the TLS session ID.
    #[inline]
    pub fn id(&self) -> &[u8] {
        self.0.id()
    }

    /// Returns the time at which the session was established, in seconds since the Unix epoch.
    #[inline]
    pub fn time(&self) -> u64 {
        self.0.time()
    }

    /// Returns the sessions timeout, in seconds.
    ///
    /// A session older than this time should not be used for session resumption.
    #[inline]
    pub fn timeout(&self) -> u32 {
        self.0.timeout()
    }

    /// Returns the TLS protocol version negotiated for this session.
    #[inline]
    pub fn protocol_version(&self) -> TlsVersion {
        let version = self.0.protocol_version();
        if version == SslVersion::SSL3 {
            // SSLv3 (SSL 3.0) is obsolete and insecure, and is not supported by btls.
            // This branch should never be reached in normal operation. If it is,
            // it indicates a bug or an unsupported/legacy OpenSSL configuration.
            unreachable!(
                "Encountered unsupported protocol: SSLv3 (SSL 3.0) is obsolete and not accepted by btls"
            );
        }
        TlsVersion(version)
    }
}

impl Eq for TlsSession {}

impl PartialEq for TlsSession {
    #[inline]
    fn eq(&self, other: &TlsSession) -> bool {
        self.0.id() == other.0.id()
    }
}

impl Hash for TlsSession {
    #[inline]
    fn hash<H: Hasher>(&self, state: &mut H) {
        self.0.id().hash(state);
    }
}

impl Borrow<[u8]> for TlsSession {
    #[inline]
    fn borrow(&self) -> &[u8] {
        self.0.id()
    }
}

// ===== impl LruTlsSessionCache =====

impl LruTlsSessionCache {
    /// Creates a new [`LruTlsSessionCache`] with the given per-host capacity.
    pub fn new(per_host_session_capacity: usize) -> Self {
        LruTlsSessionCache {
            inner: Mutex::new(Inner {
                reverse: HashMap::new(),
                per_host_sessions: HashMap::new(),
            }),
            per_host_session_capacity,
        }
    }
}

impl TlsSessionCache for LruTlsSessionCache {
    fn put(&self, key: Key, session: TlsSession) {
        let mut inner = self.inner.lock();

        let evicted = {
            let per_host_sessions =
                inner
                    .per_host_sessions
                    .entry(key.clone())
                    .or_insert_with(|| {
                        NonZeroUsize::new(self.per_host_session_capacity)
                            .map_or_else(LruCache::unbounded, LruCache::new)
                    });

            // Enforce per-key capacity limit by evicting the least recently used session
            let evicted = if per_host_sessions.len() >= self.per_host_session_capacity {
                per_host_sessions.pop_lru().map(|(s, _)| s)
            } else {
                None
            };

            per_host_sessions.put(session.clone(), ());
            evicted
        };

        if let Some(evicted_session) = evicted {
            inner.reverse.remove(&evicted_session);
        }
        inner.reverse.insert(session, key);
    }

    fn pop(&self, key: &Key) -> Option<TlsSession> {
        let mut inner = self.inner.lock();
        let session = {
            let per_host_sessions = inner.per_host_sessions.get_mut(key)?;
            per_host_sessions.peek_lru()?.0.clone()
        };

        // https://tools.ietf.org/html/rfc8446#appendix-C.4
        // OpenSSL will remove the session from its cache after the handshake completes anyway, but
        // this ensures that concurrent handshakes don't end up with the same session.
        if session.protocol_version() == TlsVersion::TLS_1_3 {
            if let Some(key) = inner.reverse.remove(&session) {
                if let Entry::Occupied(mut entry) = inner.per_host_sessions.entry(key) {
                    entry.get_mut().pop(&session);
                    if entry.get().is_empty() {
                        entry.remove();
                    }
                }
            }
        }

        Some(session)
    }
}