From 177f0201c4f221017ef639bba1f18d44984dab55 Mon Sep 17 00:00:00 2001
From: Tpt
Date: Sun, 5 Dec 2021 09:09:36 +0100
Subject: [PATCH] Python Linux wheel now vendors Rustls Instead of OpenSSL: same security issues and easier compilation
---
 .github/workflows/build.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 Cargo.lock | 108 ++++++++++++++++++++++++++--------
 lib/Cargo.toml | 2 +-
 python/Cargo.toml | 10 ++--
 server/Cargo.toml | 2 +-
 6 files changed, 94 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2454dfc1..66ee0e75 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -94,7 +94,7 @@ jobs:
 with:
 manylinux: auto
 command: build
- args: -m python/Cargo.toml --cargo-extra-args="--features vendored"
+ args: -m python/Cargo.toml --cargo-extra-args="--no-default-features --features vendored"
 python_wheel_mac:
 runs-on: macos-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 19257abe..27568d82 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -101,7 +101,7 @@ jobs:
 with:
 manylinux: auto
 command: publish
- args: -m python/Cargo.toml --cargo-extra-args="--features vendored" -u __token__ -p ${{ secrets.PYPI_PASSWORD }}
+ args: -m python/Cargo.toml --cargo-extra-args="--no-default-features --features vendored" -u __token__ -p ${{ secrets.PYPI_PASSWORD }}
 publish_pypi_mac:
 runs-on: macos-latest
 needs: publish_lib_crate
diff --git a/Cargo.lock b/Cargo.lock
index a54466a9..29d73bd6 100644
--- a/Cargo.lock
+++ b/Cargo.lock
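Review bot: The rewritten `args:` line of the `command: publish` step in release.yml still hands the PyPI token over as a command-line argument (`-p ${{ secrets.PYPI_PASSWORD }}`), so the secret becomes part of the tool's argument vector, where it can show up in process listings or in anything that echoes its arguments. The step's `uses:` line lies above the hunk; if it wraps maturin, the token can presumably be supplied through the step's `env:` instead, `MATURIN_PASSWORD: ${{ secrets.PYPI_PASSWORD }}`, with `-p …` dropped from `args`, provided the action forwards that variable into the build container. Since this line is being edited anyway, it is a cheap moment to make that switch.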
@@ -1389,24 +1389,6 @@ version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "28988d872ab76095a6e6ac88d99b54fd267702734fd7ffe610ca27f533ddb95a" -[[package]] -name = "openssl-src" -version = "111.16.0+1.1.1l" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ab2173f69416cf3ec12debb5823d244127d23a9b127d5a5189aa97c5fa2859f" -dependencies = [ - "cc", -] - -[[package]] -name = "openssl-src" -version = "300.0.2+3.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "14a760a11390b1a5daf72074d4f6ff1a6e772534ae191f999f57e9ee8146d1fb" -dependencies = [ - "cc", -] - [[package]] name = "openssl-sys" version = "0.9.71" @@ -1416,19 +1398,20 @@ dependencies = [ "autocfg", "cc", "libc", - "openssl-src 300.0.2+3.0.0", "pkg-config", "vcpkg", ] [[package]] name = "oxhttp" -version = "0.1.2" +version = "0.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ac44cb5f8da7f26cdcf0297c7c66d06c927d0d97edac5d62c670a99cf992fd4e" +checksum = "a383bc499356ce6bc89ea95695c08f68e6c8602923fab7862ffcec94f8ef5502" dependencies = [ "httparse", "native-tls", + "rustls", + "rustls-native-certs", "url", ] @@ -1790,8 +1773,7 @@ dependencies = [ name = "pyoxigraph" version = "0.3.0-dev" dependencies = [ - "native-tls", - "openssl-src 111.16.0+1.1.1l", + "oxhttp", "oxigraph", "pyo3", ] @@ -1967,6 +1949,21 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bd69ab1e90258b7769f0b5c46bfd802b8206d0707ced4ca4b9d5681b744de1be" +[[package]] +name = "ring" +version = "0.16.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" +dependencies = [ + "cc", + "libc", + "once_cell", + "spin", + "untrusted", + "web-sys", + "winapi 0.3.9", +] + [[package]] name = "rio_api" version = "0.6.1" 
@@ -2020,6 +2017,39 @@ dependencies = [ "semver 1.0.4", ] +[[package]] +name = "rustls" +version = "0.20.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d37e5e2290f3e040b594b1a9e04377c2c671f1a1cfd9bfdef82106ac1c113f84" +dependencies = [ + "log", + "ring", + "sct", + "webpki", +] + +[[package]] +name = "rustls-native-certs" +version = "0.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5ca9ebdfa27d3fc180e42879037b5338ab1c040c06affd00d8338598e7800943" +dependencies = [ + "openssl-probe", + "rustls-pemfile", + "schannel", + "security-framework", +] + +[[package]] +name = "rustls-pemfile" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9" +dependencies = [ + "base64", +] + [[package]] name = "ryu" version = "1.0.6" @@ -2057,6 +2087,16 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" +[[package]] +name = "sct" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "security-framework" version = "2.4.2" @@ -2276,6 +2316,12 @@ dependencies = [ "rand 0.8.4", ] +[[package]] +name = "spin" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" + [[package]] name = "standback" version = "0.2.17" @@ -2567,6 +2613,12 @@ dependencies = [ "subtle", ] +[[package]] +name = "untrusted" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" + [[package]] name = "url" version = "2.2.2" 
@@ -2737,6 +2789,16 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "webpki" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "wepoll-ffi" version = "0.1.2"
diff --git a/lib/Cargo.toml b/lib/Cargo.toml
index 821f0e30..521977cb 100644
--- a/lib/Cargo.toml
+++ b/lib/Cargo.toml
@@ -55,7 +55,7 @@ getrandom = {version="0.2", features=["js"]}
 [dev-dependencies]
 criterion = "0.3"
-oxhttp = { version = "^0.1.2", features = ["native-tls"] }
+oxhttp = "0.1"
 sophia_api = { version = "0.7", features = ["test_macro"] }
 zstd = "0.9"
diff --git a/python/Cargo.toml b/python/Cargo.toml
index 55b69010..6e48e47e 100644
--- a/python/Cargo.toml
+++ b/python/Cargo.toml
@@ -16,10 +16,10 @@ name = "pyoxigraph"
 doctest = false
 [dependencies]
-oxigraph = {version = "0.3.0-dev", path="../lib", features = ["http_client"]}
-pyo3 = {version = "0.15", features = ["extension-module", "abi3-py36"]}
-native-tls = "0.2"
-openssl-src = { version = "111.16.0+1.1.1l", optional = true }
+oxigraph = { version = "0.3.0-dev", path="../lib", features = ["http_client"] }
+pyo3 = { version = "0.15", features = ["extension-module", "abi3-py36"] }
+oxhttp = "0.1"
 [features]
-vendored = ["native-tls/vendored", "openssl-src"]
\ No newline at end of file
+default = ["oxhttp/native-tls"]
+vendored = ["oxhttp/rustls"]
diff --git a/server/Cargo.toml b/server/Cargo.toml
index 012f479b..837adb69 100644
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -12,7 +12,7 @@ Oxigraph SPARQL HTTP server
 edition = "2021"
 [dependencies]
-oxhttp = "0.1"
+oxhttp = { version = "0.1", features = ["native-tls"] }
 clap = "2"
 oxigraph = { version = "0.3.0-dev", path = "../lib", features = ["http_client"] }
 rand = "0.8"
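Review bot: The `oxhttp` dev-dependency in lib/Cargo.toml no longer enables any TLS backend, so whether the lib's own tests can talk to `https://` endpoints now seems to depend on another workspace member switching a backend on through feature unification (python/ and server/ do so in this commit). If that is the intent, a comment on the line would record it, for example `# no TLS feature here: the backend is selected by the final crate (python/, server/)`. The requirement is also loosened from `^0.1.2` to `0.1` on the same line, which is worth a word in the commit message if deliberate.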
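Review bot: `oxhttp = "0.1"` under `[dependencies]` in python/Cargo.toml admits 0.1.0 through 0.1.2, yet `vendored = ["oxhttp/rustls"]` appears to need 0.1.3: the Cargo.lock hunk of this same commit shows `rustls` and `rustls-native-certs` arriving with the 0.1.2 to 0.1.3 bump. A build resolved against an older oxhttp (stale lockfile, minimal-versions check) would fail on the unknown feature, so `oxhttp = "0.1.3"` states the real floor. Separately, `vendored` is additive to `default`, so `--features vendored` without `--no-default-features` enables both `oxhttp/native-tls` and `oxhttp/rustls`; which backend oxhttp then uses is not visible here. A comment above `[features]` such as `# vendored must be built with --no-default-features so that only rustls is linked` would document what the two workflows rely on.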