1//! Configures libcurl's http handles.
23use std::str;
4use std::time::Duration;
56use anyhow::bail;
7use curl::easy::Easy;
8use curl::easy::InfoType;
9use curl::easy::SslOpt;
10use curl::easy::SslVersion;
11use tracing::debug;
12use tracing::trace;
1314use crate::util::context::SslVersionConfig;
15use crate::util::context::SslVersionConfigRange;
16use crate::version;
17use crate::CargoResult;
18use crate::GlobalContext;
1920/// Creates a new HTTP handle with appropriate global configuration for cargo.
21pub fn http_handle(gctx: &GlobalContext) -> CargoResult<Easy> {
22let (mut handle, timeout) = http_handle_and_timeout(gctx)?;
23 timeout.configure(&mut handle)?;
24Ok(handle)
25}
2627pub fn http_handle_and_timeout(gctx: &GlobalContext) -> CargoResult<(Easy, HttpTimeout)> {
28if gctx.frozen() {
29bail!(
30"attempting to make an HTTP request, but --frozen was \
31 specified"
32)
33 }
34if gctx.offline() {
35bail!(
36"attempting to make an HTTP request, but --offline was \
37 specified"
38)
39 }
4041// The timeout option for libcurl by default times out the entire transfer,
42 // but we probably don't want this. Instead we only set timeouts for the
43 // connect phase as well as a "low speed" timeout so if we don't receive
44 // many bytes in a large-ish period of time then we time out.
45let mut handle = Easy::new();
46let timeout = configure_http_handle(gctx, &mut handle)?;
47Ok((handle, timeout))
48}
4950// Only use a custom transport if any HTTP options are specified,
51// such as proxies or custom certificate authorities.
52//
53// The custom transport, however, is not as well battle-tested.
54pub fn needs_custom_http_transport(gctx: &GlobalContext) -> CargoResult<bool> {
55Ok(super::proxy::http_proxy_exists(gctx.http_config()?, gctx)
56 || *gctx.http_config()? != Default::default()
57 || gctx.get_env_os("HTTP_TIMEOUT").is_some())
58}
5960/// Configure a libcurl http handle with the defaults options for Cargo
61pub fn configure_http_handle(gctx: &GlobalContext, handle: &mut Easy) -> CargoResult<HttpTimeout> {
62let http = gctx.http_config()?;
63if let Some(proxy) = super::proxy::http_proxy(http) {
64 handle.proxy(&proxy)?;
65 }
66if let Some(cainfo) = &http.cainfo {
67let cainfo = cainfo.resolve_path(gctx);
68 handle.cainfo(&cainfo)?;
69 }
70if let Some(check) = http.check_revoke {
71 handle.ssl_options(SslOpt::new().no_revoke(!check))?;
72 }
7374if let Some(user_agent) = &http.user_agent {
75 handle.useragent(user_agent)?;
76 } else {
77 handle.useragent(&format!("cargo/{}", version()))?;
78 }
7980fn to_ssl_version(s: &str) -> CargoResult<SslVersion> {
81let version = match s {
82"default" => SslVersion::Default,
83"tlsv1" => SslVersion::Tlsv1,
84"tlsv1.0" => SslVersion::Tlsv10,
85"tlsv1.1" => SslVersion::Tlsv11,
86"tlsv1.2" => SslVersion::Tlsv12,
87"tlsv1.3" => SslVersion::Tlsv13,
88_ => bail!(
89"Invalid ssl version `{s}`,\
90 choose from 'default', 'tlsv1', 'tlsv1.0', 'tlsv1.1', 'tlsv1.2', 'tlsv1.3'."
91),
92 };
93Ok(version)
94 }
9596// Empty string accept encoding expands to the encodings supported by the current libcurl.
97handle.accept_encoding("")?;
98if let Some(ssl_version) = &http.ssl_version {
99match ssl_version {
100 SslVersionConfig::Single(s) => {
101let version = to_ssl_version(s.as_str())?;
102 handle.ssl_version(version)?;
103 }
104 SslVersionConfig::Range(SslVersionConfigRange { min, max }) => {
105let min_version = min
106 .as_ref()
107 .map_or(Ok(SslVersion::Default), |s| to_ssl_version(s))?;
108let max_version = max
109 .as_ref()
110 .map_or(Ok(SslVersion::Default), |s| to_ssl_version(s))?;
111 handle.ssl_min_max_version(min_version, max_version)?;
112 }
113 }
114 } else if cfg!(windows) {
115// This is a temporary workaround for some bugs with libcurl and
116 // schannel and TLS 1.3.
117 //
118 // Our libcurl on Windows is usually built with schannel.
119 // On Windows 11 (or Windows Server 2022), libcurl recently (late
120 // 2022) gained support for TLS 1.3 with schannel, and it now defaults
121 // to 1.3. Unfortunately there have been some bugs with this.
122 // https://github.com/curl/curl/issues/9431 is the most recent. Once
123 // that has been fixed, and some time has passed where we can be more
124 // confident that the 1.3 support won't cause issues, this can be
125 // removed.
126 //
127 // Windows 10 is unaffected. libcurl does not support TLS 1.3 on
128 // Windows 10. (Windows 10 sorta had support, but it required enabling
129 // an advanced option in the registry which was buggy, and libcurl
130 // does runtime checks to prevent it.)
131handle.ssl_min_max_version(SslVersion::Default, SslVersion::Tlsv12)?;
132 }
133134if let Some(true) = http.debug {
135 handle.verbose(true)?;
136tracing::debug!(target: "network", "{:#?}", curl::Version::get());
137 handle.debug_function(|kind, data| {
138enum LogLevel {
139 Debug,
140 Trace,
141 }
142use LogLevel::*;
143let (prefix, level) = match kind {
144 InfoType::Text => ("*", Debug),
145 InfoType::HeaderIn => ("<", Debug),
146 InfoType::HeaderOut => (">", Debug),
147 InfoType::DataIn => ("{", Trace),
148 InfoType::DataOut => ("}", Trace),
149 InfoType::SslDataIn | InfoType::SslDataOut => return,
150_ => return,
151 };
152let starts_with_ignore_case = |line: &str, text: &str| -> bool {
153let line = line.as_bytes();
154let text = text.as_bytes();
155 line[..line.len().min(text.len())].eq_ignore_ascii_case(text)
156 };
157match str::from_utf8(data) {
158Ok(s) => {
159for mut line in s.lines() {
160if starts_with_ignore_case(line, "authorization:") {
161 line = "Authorization: [REDACTED]";
162 } else if starts_with_ignore_case(line, "h2h3 [authorization:") {
163 line = "h2h3 [Authorization: [REDACTED]]";
164 } else if starts_with_ignore_case(line, "set-cookie") {
165 line = "set-cookie: [REDACTED]";
166 }
167match level {
168 Debug => debug!(target: "network", "http-debug: {prefix} {line}"),
169 Trace => trace!(target: "network", "http-debug: {prefix} {line}"),
170 }
171 }
172 }
173Err(_) => {
174let len = data.len();
175match level {
176 Debug => {
177debug!(target: "network", "http-debug: {prefix} ({len} bytes of data)")
178 }
179 Trace => {
180trace!(target: "network", "http-debug: {prefix} ({len} bytes of data)")
181 }
182 }
183 }
184 }
185 })?;
186 }
187188 HttpTimeout::new(gctx)
189}
190191#[must_use]
192pub struct HttpTimeout {
193pub dur: Duration,
194pub low_speed_limit: u32,
195}
196197impl HttpTimeout {
198pub fn new(gctx: &GlobalContext) -> CargoResult<HttpTimeout> {
199let http_config = gctx.http_config()?;
200let low_speed_limit = http_config.low_speed_limit.unwrap_or(10);
201let seconds = http_config
202 .timeout
203 .or_else(|| {
204 gctx.get_env("HTTP_TIMEOUT")
205 .ok()
206 .and_then(|s| s.parse().ok())
207 })
208 .unwrap_or(30);
209Ok(HttpTimeout {
210 dur: Duration::new(seconds, 0),
211 low_speed_limit,
212 })
213 }
214215pub fn configure(&self, handle: &mut Easy) -> CargoResult<()> {
216// The timeout option for libcurl by default times out the entire
217 // transfer, but we probably don't want this. Instead we only set
218 // timeouts for the connect phase as well as a "low speed" timeout so
219 // if we don't receive many bytes in a large-ish period of time then we
220 // time out.
221handle.connect_timeout(self.dur)?;
222 handle.low_speed_time(self.dur)?;
223 handle.low_speed_limit(self.low_speed_limit)?;
224Ok(())
225 }
226}