use tls.zig with async client

see https://github.com/ziglang/zig/compare/master...ianic:zig:tls23 for
http.std.Client integration

.gitmodules

@@ -22,3 +22,6 @@
 [submodule "vendor/mimalloc"]
 	path = vendor/mimalloc
 	url = git@github.com:microsoft/mimalloc.git
+[submodule "vendor/tls.zig"]
+	path = vendor/tls.zig
+	url = git@github.com:ianic/tls.zig.git

build.zig

@@ -179,6 +179,11 @@ fn common(
     const netsurf = moduleNetSurf(b);
     netsurf.addImport("jsruntime", jsruntimemod);
     step.root_module.addImport("netsurf", netsurf);
+
+    const tlsmod = b.addModule("tls", .{
+        .root_source_file = b.path("vendor/tls.zig/src/main.zig"),
+    });
+    step.root_module.addImport("tls", tlsmod);
 }
 
 fn moduleNetSurf(b: *std.Build) *std.Build.Module {

src/async/Client.zig

@@ -35,7 +35,9 @@ const assert = std.debug.assert;
 const use_vectors = builtin.zig_backend != .stage2_x86_64;
 
 const Client = @This();
-const proto = http.protocol;
+const proto = std.http.protocol;
+
+const tls23 = @import("tls");
 
 const Loop = @import("jsruntime").Loop;
 const tcp = @import("tcp.zig");
@@ -217,7 +219,7 @@ pub const ConnectionPool = struct {
 pub const Connection = struct {
     stream: Stream,
     /// undefined unless protocol is tls.
-    tls_client: if (!disable_tls) *std.crypto.tls.Client else void,
+    tls_client: if (!disable_tls) *tls23.Connection(Stream) else void,
 
     /// The protocol that this connection is using.
     protocol: Protocol,
@@ -246,12 +248,12 @@ pub const Connection = struct {
     pub const Protocol = enum { plain, tls };
 
     pub fn readvDirectTls(conn: *Connection, buffers: []std.posix.iovec) ReadError!usize {
-        return conn.tls_client.readv(conn.stream, buffers) catch |err| {
+        return conn.tls_client.readv(buffers) catch |err| {
             // https://github.com/ziglang/zig/issues/2473
             if (mem.startsWith(u8, @errorName(err), "TlsAlert")) return error.TlsAlert;
 
             switch (err) {
-                error.TlsConnectionTruncated, error.TlsRecordOverflow, error.TlsDecodeError, error.TlsBadRecordMac, error.TlsBadLength, error.TlsIllegalParameter, error.TlsUnexpectedMessage => return error.TlsFailure,
+                error.TlsRecordOverflow, error.TlsBadRecordMac, error.TlsUnexpectedMessage => return error.TlsFailure,
                 error.ConnectionTimedOut => return error.ConnectionTimedOut,
                 error.ConnectionResetByPeer, error.BrokenPipe => return error.ConnectionResetByPeer,
                 else => return error.UnexpectedReadFailure,
@@ -344,7 +346,7 @@ pub const Connection = struct {
     }
 
     pub fn writeAllDirectTls(conn: *Connection, buffer: []const u8) WriteError!void {
-        return conn.tls_client.writeAll(conn.stream, buffer) catch |err| switch (err) {
+        return conn.tls_client.writeAll(buffer) catch |err| switch (err) {
             error.BrokenPipe, error.ConnectionResetByPeer => return error.ConnectionResetByPeer,
             else => return error.UnexpectedWriteFailure,
         };
@@ -412,7 +414,7 @@ pub const Connection = struct {
             if (disable_tls) unreachable;
 
             // try to cleanly close the TLS connection, for any server that cares.
-            _ = conn.tls_client.writeEnd(conn.stream, "", true) catch {};
+            conn.tls_client.close() catch {};
             allocator.destroy(conn.tls_client);
         }
 
@@ -1376,13 +1378,13 @@ pub fn connectTcp(client: *Client, host: []const u8, port: u16, protocol: Connec
     if (protocol == .tls) {
         if (disable_tls) unreachable;
 
-        conn.data.tls_client = try client.allocator.create(std.crypto.tls.Client);
+        conn.data.tls_client = try client.allocator.create(tls23.Connection(Stream));
         errdefer client.allocator.destroy(conn.data.tls_client);
 
-        conn.data.tls_client.* = std.crypto.tls.Client.init(stream, client.ca_bundle, host) catch return error.TlsInitializationFailed;
-        // This is appropriate for HTTPS because the HTTP headers contain
-        // the content length which is used to detect truncation attacks.
-        conn.data.tls_client.allow_truncation_attacks = true;
+        conn.data.tls_client.* = tls23.client(stream, .{
+            .host = host,
+            .root_ca = client.ca_bundle,
+        }) catch return error.TlsInitializationFailed;
     }
 
     client.connection_pool.addUsed(conn);

src/browser/browser.zig

@@ -37,7 +37,7 @@ const Walker = @import("../dom/walker.zig").WalkerDepthFirst;
 
 const storage = @import("../storage/storage.zig");
 
-const FetchResult = std.http.Client.FetchResult;
+const FetchResult = @import("../http/Client.zig").Client.FetchResult;
 
 const UserContext = @import("../user_context.zig").UserContext;
 const HttpClient = @import("../async/Client.zig");

src/browser/loader.zig

@@ -17,17 +17,18 @@
 // along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 const std = @import("std");
+const Client = @import("../http/Client.zig");
 
 const user_agent = "Lightpanda.io/1.0";
 
 pub const Loader = struct {
-    client: std.http.Client,
+    client: Client,
     // use 16KB for headers buffer size.
     server_header_buffer: [1024 * 16]u8 = undefined,
 
     pub const Response = struct {
         alloc: std.mem.Allocator,
-        req: *std.http.Client.Request,
+        req: *Client.Request,
 
         pub fn deinit(self: *Response) void {
             self.req.deinit();
@@ -37,7 +38,7 @@ pub const Loader = struct {
 
     pub fn init(alloc: std.mem.Allocator) Loader {
         return Loader{
-            .client = std.http.Client{
+            .client = Client{
                 .allocator = alloc,
             },
         };
@@ -54,7 +55,7 @@ pub const Loader = struct {
     pub fn get(self: *Loader, alloc: std.mem.Allocator, uri: std.Uri) !Response {
         var resp = Response{
             .alloc = alloc,
-            .req = try alloc.create(std.http.Client.Request),
+            .req = try alloc.create(Client.Request),
         };
         errdefer alloc.destroy(resp.req);