From e6a9da36bb9b5ea8b80191be3e97581669bac74f Mon Sep 17 00:00:00 2001
From: Abhay Kumar
Date: Tue, 17 Feb 2026 12:34:52 -0800
Subject: [PATCH 1/2] Make CertVerifier buffer size a const generic on HttpClient
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds `const CERT_SIZE: usize = 4096` to `TlsConfig`, `Provider`, and `HttpClient` (all behind `#[cfg(feature = "embedded-tls")]`). This lets consumers specify a larger certificate chain buffer for servers with long chains (e.g. Telegram's 4-cert chain needs ~6144 bytes). Default of 4096 preserves backward compatibility — existing code compiles unchanged. Also points embedded-tls dependency at hackshare/embedded-tls fork (hw-rsa branch) for hardware RSA offload support. Removes stale esp-mbedtls git dep (URL no longer resolves) and suppresses cfg warnings for its dormant code paths.
---
 Cargo.toml | 7 +++++--
 src/client.rs | 32 ++++++++++++++++++++++----------
 2 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 9d9d04d..dadd823 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -31,10 +31,13 @@ p256 = { version = "0.13", default-features = false, features = [
     "ecdsa",
     "sha256",
 ] }
-embedded-tls = { git = "https://github.com/drogue-iot/embedded-tls.git", default-features = false, features = ["rustpki"], optional = true }
+embedded-tls = { git = "https://github.com/hackshare/embedded-tls.git", branch = "hw-rsa", default-features = false, features = ["rustpki"], optional = true }
 rand_chacha = { version = "0.3", default-features = false }
 nourl = "0.1.2"
-esp-mbedtls = { version = "0.1", git = "https://github.com/esp-rs/esp-mbedtls.git", optional = true }
+# esp-mbedtls dep removed — git URL is stale and we only use embedded-tls
+
+[lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(feature, values("esp-mbedtls"))'] }
 [dev-dependencies]
 hyper = { version = "0.14.23", features = ["full"] }
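Review bot: The new `[lints.rust]` entry whitelists `cfg(feature = "esp-mbedtls")` in the same hunk that deletes the only `esp-mbedtls` dependency, so the code still guarded by that cfg in src/client.rs refers to a crate Cargo can no longer resolve and cannot build if the feature is ever enabled (whether `[features]` still declares it is outside this hunk). Silencing the lint hides that rather than resolving it; either drop those paths in this change or say so in the comment, e.g. `# esp-mbedtls dep removed — git URL is stale and we only use embedded-tls; the cfg(feature = "esp-mbedtls") paths in src/client.rs are dormant and not buildable`. Separately, `embedded-tls` with `rustpki` is the component that performs certificate verification for this client, and this line moves it from the drogue-iot upstream to a fork on a mutable `hw-rsa` branch; PATCH 2/2 pins a rev, but a comment naming the upstream commit the fork branches from would let a later reader audit what the fork changes.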
diff --git a/src/client.rs b/src/client.rs
index 1f9b084..cc1a93c 100644
--- a/src/client.rs
+++ b/src/client.rs
@@ -23,14 +23,16 @@ use rand_core::CryptoRngCore;
 /// An async HTTP client that can establish a TCP connection and perform
 /// HTTP requests.
-pub struct HttpClient<'a, T, D>
+pub struct HttpClient<'a, T, D, const CERT_SIZE: usize = 4096>
 where
     T: TcpConnect + 'a,
     D: Dns + 'a,
 {
     client: &'a T,
     dns: &'a D,
-    #[cfg(any(feature = "embedded-tls", feature = "esp-mbedtls"))]
+    #[cfg(feature = "embedded-tls")]
+    tls: Option>,
+    #[cfg(all(not(feature = "embedded-tls"), feature = "esp-mbedtls"))]
     tls: Option>,
 }
@@ -49,7 +51,7 @@ pub struct TlsConfig<'a, const RX_SIZE: usize = 4096, const TX_SIZE: usize = 409
 /// Type for TLS configuration of HTTP client.
 #[cfg(feature = "embedded-tls")]
-pub struct TlsConfig<'a> {
+pub struct TlsConfig<'a, const CERT_SIZE: usize = 4096> {
     seed: u64,
     read_buffer: &'a mut [u8],
     write_buffer: &'a mut [u8],
@@ -57,13 +59,13 @@ pub struct TlsConfig<'a> {
 }
 #[cfg(feature = "embedded-tls")]
-struct Provider {
+struct Provider {
     rng: rand_chacha::ChaCha8Rng,
-    verifier: CertVerifier,
+    verifier: CertVerifier,
 }
 #[cfg(feature = "embedded-tls")]
-impl CryptoProvider for Provider {
+impl CryptoProvider for Provider {
     type CipherSuite = Aes128GcmSha256;
     type Signature = DerSignature;
@@ -103,7 +105,7 @@ pub enum TlsVerify<'a> {
 }
 #[cfg(feature = "embedded-tls")]
-impl<'a> TlsConfig<'a> {
+impl<'a, const CERT_SIZE: usize> TlsConfig<'a, CERT_SIZE> {
     pub fn new(seed: u64, read_buffer: &'a mut [u8], write_buffer: &'a mut [u8], verify: TlsVerify<'a>) -> Self {
         Self {
             seed,
@@ -129,7 +131,7 @@ impl<'a, const RX_SIZE: usize, const TX_SIZE: usize> TlsConfig<'a, RX_SIZE, TX_S
     }
 }
-impl<'a, T, D> HttpClient<'a, T, D>
+impl<'a, T, D, const CERT_SIZE: usize> HttpClient<'a, T, D, CERT_SIZE>
 where
     T: TcpConnect + 'a,
     D: Dns + 'a,
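Review bot: `HttpClient` gains a public `const CERT_SIZE` parameter but the doc comment above it still says nothing about what the number means, how it relates to `TlsConfig`, or that it is only consumed under the `embedded-tls` feature; note the parameter itself is added unconditionally here, which is wider than the description's "all behind `#[cfg(feature = "embedded-tls")]`" suggests. I would add after the existing two doc lines: ``/// `CERT_SIZE` is the byte size of the certificate-chain buffer used by the TLS``, ``/// certificate verifier (only with the `embedded-tls` feature); the default of``, ``/// 4096 matches the previous fixed size.`` The same gap applies to `TlsConfig` in the @@ -49 hunk, where `CERT_SIZE` is not used by any field and exists only to be forwarded into `HttpClient`, and to `Provider` in the @@ -57 hunk. As rendered here the new `tls` field type appears as `Option>`, so its generic arguments seem to have been lost in transit; I am reading it as `Option<TlsConfig<'a, CERT_SIZE>>`.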
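Review bot: Nothing in `new`'s arguments constrains `CERT_SIZE`, and, as far as I can tell, a const parameter's default applies only when the type is written out (`TlsConfig<'a>`), not to inference in expression position, so a caller that writes `let tls = TlsConfig::new(seed, rx, tx, verify);` and never names the type should now get a type-annotations-needed error; that makes the description's "existing code compiles unchanged" hold only for callers that annotate the binding or feed the config into an `HttpClient` whose `CERT_SIZE` is otherwise fixed. `new_with_tls` in the @@ -145 hunk has the same property, since it learns `CERT_SIZE` only from `tls`. A doc example on `new` showing `TlsConfig::<8192>::new(...)` (constructed value) or an annotated binding would at least make the requirement visible; defining `new` only on `impl<'a> TlsConfig<'a, 4096>` and giving the generic impl a differently named constructor would avoid the break entirely. The enclosing `impl` block continues outside the hunk.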
@@ -145,7 +147,17 @@ where
     }
     /// Create a new HTTP client for a given connection handle and a target host.
-    #[cfg(any(feature = "embedded-tls", feature = "esp-mbedtls"))]
+    #[cfg(feature = "embedded-tls")]
+    pub fn new_with_tls(client: &'a T, dns: &'a D, tls: TlsConfig<'a, CERT_SIZE>) -> Self {
+        Self {
+            client,
+            dns,
+            tls: Some(tls),
+        }
+    }
+
+    /// Create a new HTTP client for a given connection handle and a target host.
+    #[cfg(all(not(feature = "embedded-tls"), feature = "esp-mbedtls"))]
     pub fn new_with_tls(client: &'a T, dns: &'a D, tls: TlsConfig<'a>) -> Self {
         Self {
             client,
@@ -231,7 +243,7 @@ where
                 conn.open(TlsContext::new(
                     &config,
-                    Provider {
+                    Provider:: {
                         rng: rng,
                         verifier: embedded_tls::pki::CertVerifier::new(),
                     },
From 7cce9ce08440063c6959fac60890ccc446136c73 Mon Sep 17 00:00:00 2001
From: Abhay Kumar
Date: Wed, 18 Feb 2026 15:23:19 -0800
Subject: [PATCH 2/2] Pin embedded-tls to rev a095342a (SAN hostname verification)
---
 Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Cargo.toml b/Cargo.toml
index dadd823..a4dfd1d 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -31,7 +31,7 @@ p256 = { version = "0.13", default-features = false, features = [
     "ecdsa",
     "sha256",
 ] }
-embedded-tls = { git = "https://github.com/hackshare/embedded-tls.git", branch = "hw-rsa", default-features = false, features = ["rustpki"], optional = true }
+embedded-tls = { git = "https://github.com/hackshare/embedded-tls.git", rev = "a095342a", default-features = false, features = ["rustpki"], optional = true }
 rand_chacha = { version = "0.3", default-features = false }
 nourl = "0.1.2"
 # esp-mbedtls dep removed — git URL is stale and we only use embedded-tls
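Review bot: Both `new_with_tls` bodies are identical and the copied doc line says the client is created "for a given connection handle and a target host", but neither signature takes a host — the arguments are the connection handle, the DNS resolver and the TLS configuration. I would reword both to ``/// Create a new HTTP client from a connection handle, a DNS resolver and a TLS configuration.`` and, on the `embedded-tls` version, add ``/// The client's `CERT_SIZE` is taken from the `TlsConfig`'s.`` The `esp-mbedtls` variant below it is kept under `all(not(feature = "embedded-tls"), feature = "esp-mbedtls")` even though PATCH 1/2 removes the `esp-mbedtls` dependency from Cargo.toml, so it is dead code that no longer builds; if it stays, a one-line comment saying it is dormant would stop someone from trying to enable it. The enclosing `impl` starts and ends outside the hunk.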
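Review bot: `rev = "a095342a"` is an 8-character abbreviated commit id; Cargo resolves it, but an abbreviation is only unique until another object in the fork shares the prefix, and this is the crate that performs the client's certificate verification, so pin the full 40-character id, `rev = "<full commit id of a095342a>"`, and keep `Cargo.lock` committed so the resolved commit is recorded. The subject says this rev is wanted for SAN hostname verification, but nothing on the line says so; `# pinned: includes SAN hostname verification — bump deliberately` next to it records why the pin exists.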