[refactor] #3422: remove the misplaced openssl-sys dependency from …

…`iroha_crypto` and introduce configurable tls backends to `iroha_client`

openssl-sys was previously added to `iroh_crypto` to allow static builds of openssl with musl libc.

This was somewhat a kludge though, as `iroha_crypto` does not depend on `openssl` (or at least it stopped depending on it after removing `ursa` dependency).

It was used, however, in the client to allow connecting to iroha nodes via HTTPS.

This commit gives the user more freedom in choosing their TLS implementation by providing four features: `tls-native`, `tls-native-vendored`, `tls-rustls-native-roots` and `tls-rustls-webpki-roots`, which mirror corresponding features of `attohttpc` and `tokio-tungstenite`.

Unlike previously, none of the TLS implementations are enabled by default, which is a breaking change

Signed-off-by: Nikita Strygin <[email protected]>

Dockerfile

@@ -28,7 +28,7 @@ ENV CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=/x86_64-linux-musl-native/bin/
 # builder stage
 WORKDIR /iroha
 COPY . .
-RUN cargo build --target x86_64-unknown-linux-musl --features vendored --profile deploy
+RUN cargo build --target x86_64-unknown-linux-musl --profile deploy
 
 
 # final image

client/Cargo.toml

@@ -22,6 +22,24 @@ is-it-maintained-issue-resolution = { repository = "https://github.com/hyperledg
 is-it-maintained-open-issues = { repository = "https://github.com/hyperledger/iroha" }
 maintenance = { status = "actively-developed" }
 
+[features]
+tls-native = [
+    "attohttpc/tls-native",
+    "tokio-tungstenite/native-tls",
+]
+tls-native-vendored = [
+    "attohttpc/tls-native-vendored",
+    "tokio-tungstenite/native-tls-vendored",
+]
+tls-rustls-native-roots = [
+    "attohttpc/tls-rustls-native-roots",
+    "tokio-tungstenite/rustls-tls-native-roots",
+]
+tls-rustls-webpki-roots = [
+    "attohttpc/tls-rustls-webpki-roots",
+    "tokio-tungstenite/rustls-tls-webpki-roots",
+]
+
 [dependencies]
 iroha_config = { workspace = true }
 iroha_crypto = { workspace = true }
@@ -31,7 +49,7 @@ iroha_logger = { workspace = true }
 iroha_telemetry = { workspace = true }
 iroha_version = { workspace = true, features = ["http"] }
 
-attohttpc = "0.26.1"
+attohttpc = { version = "0.26.1", default-features = false }
 eyre = { workspace = true }
 http = "0.2.9"
 url = { workspace = true }
@@ -44,7 +62,7 @@ displaydoc = { workspace = true }
 derive_more = { workspace = true }
 parity-scale-codec = { workspace = true, default-features = false, features = ["derive"] }
 tokio = { workspace = true, features = ["rt"] }
-tokio-tungstenite = { workspace = true, features = ["native-tls"] }
+tokio-tungstenite = { workspace = true }
 futures-util = "0.3.28"
 
 [dev-dependencies]

client_cli/Cargo.toml

@@ -23,7 +23,7 @@ is-it-maintained-open-issues = { repository = "https://github.com/hyperledger/ir
 maintenance = { status = "actively-developed" }
 
 [dependencies]
-iroha_client = { workspace = true }
+iroha_client = { workspace = true, features = ["tls-rustls-native-roots"] }
 iroha_data_model = { workspace = true }
 iroha_primitives = { workspace = true }
 iroha_crypto = { workspace = true }

crypto/Cargo.toml

@@ -36,8 +36,6 @@ std = [
     "dep:thiserror",
     "displaydoc/std",
 ]
-# Force static linking
-vendored = ["dep:openssl-sys"]
 # Replace structures and methods with FFI equivalents to facilitate dynamic linkage (mainly used in smartcontracts)
 #ffi_import = ["iroha_ffi", "iroha_primitives/ffi_import"]
 
@@ -55,9 +53,6 @@ parity-scale-codec = { workspace = true, features = ["derive", "full"] }
 serde = { workspace = true, features = ["derive"] }
 serde_with = { workspace = true, features = ["macros"] }
 hex = { workspace = true, features = ["alloc", "serde"] }
-# TODO: iroha_crypto no longer depends on openssl (did it ever?)
-# currently it's being used by iroha_client through attohttpc and iroha_cli through warp's tokeio-tunstenite
-openssl-sys = { version = "0.9.93", features = ["vendored"], optional = true }
 getset = { workspace = true }
 
 thiserror = { version = "1.0.50", optional = true }
@@ -96,4 +91,4 @@ serde_json = { workspace = true }
 # but to test some of the primitives against them
 secp256k1 = { version = "0.28.0", features = ["rand", "serde"] }
 libsodium-sys-stable = "1.20.3"
-openssl = "0.10.59"
+openssl = { version = "0.10.59", features = ["vendored"] }

docs/source/guides/hot-reload.md

@@ -7,15 +7,14 @@ Here is the overall procedure for hot reloading Iroha in a Docker container:
     To avoid issues with dynamic linking, run:
 
     ```bash
-    cargo build --release --target x86_64-unknown-linux-musl --features "vendored"
+    cargo build --release --target x86_64-unknown-linux-musl
     ```
 
     <details> <summary> An explanation for using `cargo build` with these parameters. </summary>
 
     You may experience an issue with dynamic linking if your host OS has a newer version of `glibc` compared to the one in the Docker container. The options used in the command above resolve the issue:
 
     - `--target x86_64-unknown-linux-musl` forces static linking against `musl` libc implementation
-    - `--features "vendored"` facilitates static linkage of the `openssl` library
 
     </details>