refactor: separate TLS plumbing from crypto provider selection

duncanista · duncanista · commit 449f27cdb1a9 · 2026-04-03T15:19:04.000-04:00
Introduce tls-core feature for TLS plumbing (rustls, hyper-rustls,
tokio-rustls, rustls-native-certs) without a crypto provider. The
https and fips features now both build on tls-core and add their
respective provider:

- https = tls-core + ring
- fips = tls-core + aws-lc-rs (via hyper-rustls/fips)

This ensures FIPS builds only compile aws-lc-rs without ring, avoiding
unnecessary binary bloat from shipping both crypto backends.

Updated all cfg(feature = "https") gates to cfg(feature = "tls-core")
so TLS code compiles under both https and fips features.
diff --git a/libdd-common/Cargo.toml b/libdd-common/Cargo.toml
@@ -45,14 +45,13 @@ tokio-rustls = { version = "0.26", default-features = false, optional = true }
 serde = { version = "1.0", features = ["derive"] }
 static_assertions = "1.1.0"
 const_format = "0.2.34"
-# Use ring as the default crypto provider for non-FIPS builds on all platforms.
-# FIPS builds activate aws-lc-rs via the hyper-rustls/fips feature instead.
-rustls = { version = "0.23.37", default-features = false, optional = true, features = ["ring"] }
+# Declare rustls and hyper-rustls without a crypto provider. The provider is
+# selected via features: `https` enables ring, `fips` enables aws-lc-rs.
+rustls = { version = "0.23.37", default-features = false, optional = true }
 hyper-rustls = { version = "0.27.7", default-features = false, features = [
     "native-tokio",
     "http1",
     "tls12",
-    "ring",
 ], optional = true }
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
@@ -91,13 +90,16 @@ tokio = { version = "1.23", features = ["rt", "macros", "time"] }
 
 [features]
 default = ["https"]
-https = ["tokio-rustls", "rustls", "hyper-rustls", "rustls-native-certs"]
+# TLS plumbing without a crypto provider. Use `https` or `fips` to select one.
+tls-core = ["tokio-rustls", "rustls", "hyper-rustls", "rustls-native-certs"]
+# Default HTTPS: ring as crypto provider
+https = ["tls-core", "rustls/ring", "hyper-rustls/ring"]
 use_webpki_roots = ["hyper-rustls/webpki-roots"]
 # Enable this feature to enable stubbing of cgroup
 # php directly import this crate and uses functions gated by this feature for their test
 cgroup_testing = []
 # FIPS mode uses the FIPS-compliant cryptographic provider (Unix only)
-fips = ["https", "hyper-rustls/fips"]
+fips = ["tls-core", "hyper-rustls/fips"]
 # Enable reqwest client builder support with file dump debugging
 reqwest = ["dep:reqwest", "test-utils"]
 # Enable test utilities for use in other crates
diff --git a/libdd-common/src/connector/conn_stream.rs b/libdd-common/src/connector/conn_stream.rs
@@ -17,7 +17,7 @@ pub enum ConnStream {
         #[pin]
         transport: TokioIo<tokio::net::TcpStream>,
     },
-    #[cfg(feature = "https")]
+    #[cfg(feature = "tls-core")]
     Tls {
         #[pin]
         transport:
@@ -84,7 +84,7 @@ impl ConnStream {
         })
     }
 
-    #[cfg(feature = "https")]
+    #[cfg(feature = "tls-core")]
     pub fn from_https_connector_with_uri(
         c: &mut hyper_rustls::HttpsConnector<connect::HttpConnector>,
         uri: hyper::Uri,
@@ -119,7 +119,7 @@ impl hyper::rt::Read for ConnStream {
     ) -> Poll<std::io::Result<()>> {
         match self.project() {
             ConnStreamProj::Tcp { transport } => transport.poll_read(cx, buf),
-            #[cfg(feature = "https")]
+            #[cfg(feature = "tls-core")]
             ConnStreamProj::Tls { transport } => transport.poll_read(cx, buf),
             #[cfg(unix)]
             ConnStreamProj::Udp { transport } => transport.poll_read(cx, buf),
@@ -133,7 +133,7 @@ impl connect::Connection for ConnStream {
     fn connected(&self) -> connect::Connected {
         match self {
             Self::Tcp { transport } => transport.connected(),
-            #[cfg(feature = "https")]
+            #[cfg(feature = "tls-core")]
             Self::Tls { transport } => {
                 let (tcp, _) = transport.inner().get_ref();
                 tcp.inner().inner().connected()
@@ -154,7 +154,7 @@ impl hyper::rt::Write for ConnStream {
     ) -> Poll<Result<usize, std::io::Error>> {
         match self.project() {
             ConnStreamProj::Tcp { transport } => transport.poll_write(cx, buf),
-            #[cfg(feature = "https")]
+            #[cfg(feature = "tls-core")]
             ConnStreamProj::Tls { transport } => transport.poll_write(cx, buf),
             #[cfg(unix)]
             ConnStreamProj::Udp { transport } => transport.poll_write(cx, buf),
@@ -169,7 +169,7 @@ impl hyper::rt::Write for ConnStream {
     ) -> Poll<Result<(), std::io::Error>> {
         match self.project() {
             ConnStreamProj::Tcp { transport } => transport.poll_shutdown(cx),
-            #[cfg(feature = "https")]
+            #[cfg(feature = "tls-core")]
             ConnStreamProj::Tls { transport } => transport.poll_shutdown(cx),
             #[cfg(unix)]
             ConnStreamProj::Udp { transport } => transport.poll_shutdown(cx),
@@ -181,7 +181,7 @@ impl hyper::rt::Write for ConnStream {
     fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), std::io::Error>> {
         match self.project() {
             ConnStreamProj::Tcp { transport } => transport.poll_flush(cx),
-            #[cfg(feature = "https")]
+            #[cfg(feature = "tls-core")]
             ConnStreamProj::Tls { transport } => transport.poll_flush(cx),
             #[cfg(unix)]
             ConnStreamProj::Udp { transport } => transport.poll_flush(cx),
diff --git a/libdd-common/src/connector/mod.rs b/libdd-common/src/connector/mod.rs
@@ -23,7 +23,7 @@ use conn_stream::{ConnStream, ConnStreamError};
 #[derive(Clone)]
 pub enum Connector {
     Http(connect::HttpConnector),
-    #[cfg(feature = "https")]
+    #[cfg(feature = "tls-core")]
     Https(hyper_rustls::HttpsConnector<connect::HttpConnector>),
 }
 
@@ -39,7 +39,7 @@ impl Connector {
     /// Make sure this function is not called frequently. Fetching the root certificates is an
     /// expensive operation. Access the globally cached connector via Connector::default().
     fn new() -> Self {
-        #[cfg(feature = "https")]
+        #[cfg(feature = "tls-core")]
         {
             #[cfg(feature = "use_webpki_roots")]
             let https_connector_fn = https::build_https_connector_with_webpki_roots;
@@ -51,7 +51,7 @@ impl Connector {
                 Err(_) => Connector::Http(connect::HttpConnector::new()),
             }
         }
-        #[cfg(not(feature = "https"))]
+        #[cfg(not(feature = "tls-core"))]
         {
             Connector::Http(connect::HttpConnector::new())
         }
@@ -73,15 +73,15 @@ impl Connector {
                     ConnStream::from_http_connector_with_uri(c, uri).boxed()
                 }
             }
-            #[cfg(feature = "https")]
+            #[cfg(feature = "tls-core")]
             Self::Https(c) => {
                 ConnStream::from_https_connector_with_uri(c, uri, require_tls).boxed()
             }
         }
     }
 }
 
-#[cfg(feature = "https")]
+#[cfg(feature = "tls-core")]
 mod https {
     #[cfg(feature = "use_webpki_roots")]
     use hyper_rustls::ConfigBuilderExt;
@@ -185,7 +185,7 @@ impl tower_service::Service<hyper::Uri> for Connector {
     fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
         match self {
             Connector::Http(c) => c.poll_ready(cx).map_err(|e| e.into()),
-            #[cfg(feature = "https")]
+            #[cfg(feature = "tls-core")]
             Connector::Https(c) => c.poll_ready(cx),
         }
     }
@@ -238,7 +238,7 @@ mod tests {
     #[test]
     #[cfg_attr(miri, ignore)]
     #[cfg(feature = "use_webpki_roots")]
-    #[cfg(feature = "https")]
+    #[cfg(feature = "tls-core")]
     /// Verify that Connector builds an Https connector using webpki certificates
     /// even when native root certificates are not available.
     fn test_missing_root_certificates_use_webpki_certificates() {

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ use conn_stream::{ConnStream, ConnStreamError};`
`23`	`23`	`#[derive(Clone)]`
`24`	`24`	`pub enum Connector {`
`25`	`25`	`Http(connect::HttpConnector),`
`26`		`- #[cfg(feature = "https")]`
	`26`	`+ #[cfg(feature = "tls-core")]`
`27`	`27`	`Https(hyper_rustls::HttpsConnector<connect::HttpConnector>),`
`28`	`28`	`}`
`29`	`29`
`@@ -39,7 +39,7 @@ impl Connector {`
`39`	`39`	`/// Make sure this function is not called frequently. Fetching the root certificates is an`
`40`	`40`	`/// expensive operation. Access the globally cached connector via Connector::default().`
`41`	`41`	`fn new() -> Self {`
`42`		`- #[cfg(feature = "https")]`
	`42`	`+ #[cfg(feature = "tls-core")]`
`43`	`43`	`{`
`44`	`44`	`#[cfg(feature = "use_webpki_roots")]`
`45`	`45`	`let https_connector_fn = https::build_https_connector_with_webpki_roots;`
`@@ -51,7 +51,7 @@ impl Connector {`
`51`	`51`	`Err(_) => Connector::Http(connect::HttpConnector::new()),`
`52`	`52`	`}`
`53`	`53`	`}`
`54`		`- #[cfg(not(feature = "https"))]`
	`54`	`+ #[cfg(not(feature = "tls-core"))]`
`55`	`55`	`{`
`56`	`56`	`Connector::Http(connect::HttpConnector::new())`
`57`	`57`	`}`
`@@ -73,15 +73,15 @@ impl Connector {`
`73`	`73`	`ConnStream::from_http_connector_with_uri(c, uri).boxed()`
`74`	`74`	`}`
`75`	`75`	`}`
`76`		`- #[cfg(feature = "https")]`
	`76`	`+ #[cfg(feature = "tls-core")]`
`77`	`77`	`Self::Https(c) => {`
`78`	`78`	`ConnStream::from_https_connector_with_uri(c, uri, require_tls).boxed()`
`79`	`79`	`}`
`80`	`80`	`}`
`81`	`81`	`}`
`82`	`82`	`}`
`83`	`83`
`84`		`-#[cfg(feature = "https")]`
	`84`	`+#[cfg(feature = "tls-core")]`
`85`	`85`	`mod https {`
`86`	`86`	`#[cfg(feature = "use_webpki_roots")]`
`87`	`87`	`use hyper_rustls::ConfigBuilderExt;`
`@@ -185,7 +185,7 @@ impl tower_service::Service<hyper::Uri> for Connector {`
`185`	`185`	`fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {`
`186`	`186`	`match self {`
`187`	`187`	`Connector::Http(c) => c.poll_ready(cx).map_err(\|e\| e.into()),`
`188`		`- #[cfg(feature = "https")]`
	`188`	`+ #[cfg(feature = "tls-core")]`
`189`	`189`	`Connector::Https(c) => c.poll_ready(cx),`
`190`	`190`	`}`
`191`	`191`	`}`
`@@ -238,7 +238,7 @@ mod tests {`
`238`	`238`	`#[test]`
`239`	`239`	`#[cfg_attr(miri, ignore)]`
`240`	`240`	`#[cfg(feature = "use_webpki_roots")]`
`241`		`- #[cfg(feature = "https")]`
	`241`	`+ #[cfg(feature = "tls-core")]`
`242`	`242`	`/// Verify that Connector builds an Https connector using webpki certificates`
`243`	`243`	`/// even when native root certificates are not available.`
`244`	`244`	`fn test_missing_root_certificates_use_webpki_certificates() {`