From e5efd5583855f6eca5b1550b61ac4489304b3303 Mon Sep 17 00:00:00 2001
From: strawberry
Date: Thu, 10 Oct 2024 16:23:38 -0400
Subject: [PATCH] feature-gate direct TLS mode to make rustls/aws-lc-rs optional

Signed-off-by: strawberry
---
 Cargo.lock              | 13 ++++++-------
 Cargo.toml              |  1 -
 src/core/Cargo.toml     |  1 -
 src/main/Cargo.toml     |  3 +++
 src/router/Cargo.toml   |  8 ++++++++
 src/router/serve/mod.rs | 10 +++++++++-
 src/router/serve/tls.rs |  4 +++-
 7 files changed, 29 insertions(+), 11 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 1103dc8a..6386f968 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -43,9 +43,9 @@ dependencies = [
 
 [[package]]
 name = "anstyle"
-version = "1.0.8"
+version = "1.0.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1bec1de6f59aedf83baf9ff929c98f2ad654b97c9510f4e70cf6f661d49fd5b1"
+checksum = "8365de52b16c035ff4fcafe0092ba9390540e3e352870ac09933bebcaa2c8c56"
 
 [[package]]
 name = "anyhow"
@@ -703,7 +703,6 @@ dependencies = [
  "reqwest",
  "ring",
  "ruma",
- "rustls 0.23.15",
  "sanitize-filename",
  "serde",
  "serde_json",
@@ -813,9 +812,9 @@ dependencies = [
 
 [[package]]
 name = "console-api"
-version = "0.8.0"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "86ed14aa9c9f927213c6e4f3ef75faaad3406134efe84ba2cb7983431d5f0931"
+checksum = "8030735ecb0d128428b64cd379809817e620a40e5001c54465b99ec5feec2857"
 dependencies = [
  "futures-core",
  "prost",
@@ -826,9 +825,9 @@ dependencies = [
 
 [[package]]
 name = "console-subscriber"
-version = "0.4.0"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2e3a111a37f3333946ebf9da370ba5c5577b18eb342ec683eb488dd21980302"
+checksum = "6539aa9c6a4cd31f4b1c040f860a1eac9aa80e7df6b05d506a6e7179936d6a01"
 dependencies = [
  "console-api",
  "crossbeam-channel",
diff --git a/Cargo.toml b/Cargo.toml
index fd124512..b75c4975 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -101,7 +101,6 @@ features = ["typed-header", "tracing"]
 [workspace.dependencies.axum-server]
 version = "0.7.1"
 default-features = false
-features = ["tls-rustls"]
 
 # to listen on both HTTP and HTTPS if listening on TLS dierctly from conduwuit for complement or sytest
 [workspace.dependencies.axum-server-dual-protocol]
diff --git a/src/core/Cargo.toml b/src/core/Cargo.toml
index 5e28aab0..71364734 100644
--- a/src/core/Cargo.toml
+++ b/src/core/Cargo.toml
@@ -79,7 +79,6 @@ regex.workspace = true
 reqwest.workspace = true
 ring.workspace = true
 ruma.workspace = true
-rustls.workspace = true
 sanitize-filename.workspace = true
 serde_json.workspace = true
 serde_regex.workspace = true
diff --git a/src/main/Cargo.toml b/src/main/Cargo.toml
index b090618c..b3390bfb 100644
--- a/src/main/Cargo.toml
+++ b/src/main/Cargo.toml
@@ -66,6 +66,9 @@ console = [
 # "conduit-router/dev_release_log_level",
 # "conduit-service/dev_release_log_level",
 #]
+direct_tls = [
+	"conduit-router/direct_tls"
+]
 element_hacks = [
 	"conduit-api/element_hacks",
 	"conduit-service/element_hacks",
diff --git a/src/router/Cargo.toml b/src/router/Cargo.toml
index 2f85ffb7..62690194 100644
--- a/src/router/Cargo.toml
+++ b/src/router/Cargo.toml
@@ -42,9 +42,16 @@ systemd = [
 	"dep:sd-notify",
 ]
 
+direct_tls = [
+	"axum-server/tls-rustls",
+	"dep:rustls",
+	"dep:axum-server-dual-protocol",
+]
 [dependencies]
 axum-client-ip.workspace = true
 axum-server-dual-protocol.workspace = true
+axum-server-dual-protocol.optional = true
 axum-server.workspace = true
 axum.workspace = true
 conduit-admin.workspace = true
@@ -63,6 +70,7 @@ hyper.workspace = true
 hyper-util.workspace = true
 ruma.workspace = true
 rustls.workspace = true
+rustls.optional = true
 sentry.optional = true
 sentry-tower.optional = true
 sentry-tower.workspace = true
diff --git a/src/router/serve/mod.rs b/src/router/serve/mod.rs
index 9e171008..858d3455 100644
--- a/src/router/serve/mod.rs
+++ b/src/router/serve/mod.rs
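Review bot: The src/main/Cargo.toml hunk does not show whether `direct_tls` is also added to the crate's `default` feature list, and that decides whether this commit is a breaking change for operators: combined with the router change, a deployment that has `tls` configured will refuse to start on a build without the feature until it is rebuilt with `--features direct_tls`. Failing closed there is the right call, but it should be stated next to the feature so packagers and distro builders see it, e.g. `# serve HTTPS directly from conduwuit (pulls in rustls + aws-lc-rs); without this feature a configured tls section is rejected at startup`. The config key name is inferred from `config.tls` in the router hunk; I cannot see the `default` list from here.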
@@ -1,4 +1,5 @@
 mod plain;
+#[cfg(feature = "direct_tls")]
 mod tls;
 mod unix;
 
@@ -23,7 +24,14 @@ pub(super) async fn serve(
 	if cfg!(unix) && config.unix_socket_path.is_some() {
 		unix::serve(server, app, shutdown).await
 	} else if config.tls.is_some() {
-		tls::serve(server, app, handle, addrs).await
+		#[cfg(feature = "direct_tls")]
+		return tls::serve(server, app, handle, addrs).await;
+		#[cfg(not(feature = "direct_tls"))]
+		return conduit::Err!(Config(
+			"tls",
+			"conduwuit was not built with direct TLS support (\"direct_tls\")"
+		));
 	} else {
 		plain::serve(server, app, handle, addrs).await
 	}
diff --git a/src/router/serve/tls.rs b/src/router/serve/tls.rs
index 174a511f..08c5e7b6 100644
--- a/src/router/serve/tls.rs
+++ b/src/router/serve/tls.rs
@@ -20,7 +20,9 @@ pub(super) async fn serve(
 
 	// we use ring for ruma and hashing state, but aws-lc-rs is the new default.
 	// without this, TLS mode will panic.
-	_ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+	rustls::crypto::aws_lc_rs::default_provider()
+		.install_default()
+		.expect("failed to initialise aws-lc-rs rustls crypto provider");
 
 	debug!("Using direct TLS. Certificate path {certs} and certificate private key path {key}",);
 	info!(
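Review bot: In the `else if config.tls.is_some()` arm of serve/mod.rs, the two `#[cfg]`-gated `return` statements make this the only arm of the chain that returns explicitly and put the feature check in the dispatcher rather than next to the code it gates; a smaller and more uniform alternative is to leave `tls::serve(server, app, handle, addrs).await` untouched and add a `#[cfg(not(feature = "direct_tls"))] mod tls` stub whose `serve` returns the same `conduit::Err!(Config(..))`, so the dispatch reads identically in both builds. The behaviour itself is correct and worth keeping: a configured `tls` section on a build without the feature is rejected instead of silently falling through to `plain::serve`, which would expose the server over cleartext while the operator believes TLS is on. The error text could say what to do about it, e.g. `"conduwuit was not built with direct TLS support (\"direct_tls\"); rebuild with that feature or terminate TLS at a reverse proxy"`. `serve`'s body begins and ends outside this hunk.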
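Review bot: In the tls.rs hunk, `install_default()` fails only when a process-wide rustls `CryptoProvider` is already installed, so the new `.expect(..)` turns "another component (an HTTP client stack built on rustls, for instance) initialised the provider first" into a startup panic, and its message says the opposite of what happened. The old `_ =` discard was at least not fatal, and the comment above still says the panic risk is in the *absence* of a provider, which this change does not address. The safer form keeps the install but tolerates a pre-installed provider and logs which one is in use, so a ring-versus-aws-lc-rs mismatch is diagnosable rather than fatal: `if let Err(existing) = rustls::crypto::aws_lc_rs::default_provider().install_default() { debug!("rustls CryptoProvider already installed, reusing it for direct TLS: {existing:?}"); }` (assuming `CryptoProvider` is `Debug`, as it is in current rustls). If a startup abort is genuinely intended when the provider is not aws-lc-rs, the expect message should say that instead of "failed to initialise". The enclosing `serve` starts and continues outside the hunk.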