refactor!: consolidate rustls forks via [patch.crates-io]

Cargo.toml

@@ -44,3 +44,7 @@ unexpected_cfgs = { level = "warn", check-cfg = ['cfg(docker_test)', 'cfg(throug
 [workspace.lints.clippy]
 redundant_clone = "deny"
 needless_collect = "deny"
+
+[patch.crates-io]
+rustls = { git = "https://github.com/Watfaq/rustls.git", branch = "watfaq/0.23.40" }
+tokio-rustls = { git = "https://github.com/Watfaq/tokio-rustls.git", branch = "watfaq/0.26.4" }

clash-lib/Cargo.toml

@@ -10,23 +10,21 @@ default = ["zero_copy", "aws-lc-rs", "dashboard"]
 aws-lc-rs = [
     "dep:aws-lc-rs",
     "rustls/aws-lc-rs",
-    "watfaq-rustls/aws-lc-rs",
     "quinn-proto/rustls-aws-lc-rs",
-    "watfaq-dns/aws-lc-rs",
     "russh/aws-lc-rs",
     "boringtun/aws-lc-rs",
     "hickory-client/https-aws-lc-rs",
     "tuic-quinn?/rustls-aws-lc-rs",
+    "watfaq-dns/aws-lc-rs",
 ]
 ring = [
     "rustls/ring",
-    "watfaq-rustls/ring",
     "quinn-proto/ring",
-    "watfaq-dns/ring",
     "russh/ring",
     "boringtun/ring",
     "hickory-client/https-ring",
     "tuic-quinn?/rustls-ring",
+    "watfaq-dns/ring",
 ]
 
 # Protos
@@ -75,10 +73,6 @@ rustls-pemfile = "2"
 rcgen = { version = "0.14", features = ["pem"] }
 webpki-roots = "1.0"
 
-# shadow-tls
-tokio-watfaq-rustls = { git = "https://github.com/Watfaq/tokio-rustls.git", rev = "cf8961ac1a36e580d0e38bedc8a41ca4a9b301e8", default-features = false, features = ["logging", "tls12"] }
-watfaq-rustls = { git = "https://github.com/Watfaq/rustls.git", rev = "c3ab043d673029d245fd618b9bc86fd6a6109bae", default-features = false }
-
 # Error handing & logging
 thiserror = "2"
 anyhow = "1"

clash-lib/src/lib.rs

@@ -221,19 +221,10 @@ pub fn setup_default_crypto_provider() {
         #[cfg(feature = "aws-lc-rs")]
         {
             _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
-            // watfaq-rustls is a separate fork with its own global provider
-            // state. When both `ring` and `aws-lc-rs` features are active
-            // (e.g. `--all-features`), its
-            // `get_default_or_install_from_crate_features` treats the
-            // combination as ambiguous and returns None, causing a
-            // panic. Explicit installation is therefore required.
-            _ = watfaq_rustls::crypto::aws_lc_rs::default_provider()
-                .install_default();
         }
         #[cfg(all(feature = "ring", not(feature = "aws-lc-rs")))]
         {
             _ = rustls::crypto::ring::default_provider().install_default();
-            _ = watfaq_rustls::crypto::ring::default_provider().install_default();
         }
     });
 }

clash-lib/src/proxy/transport/reality.rs

@@ -1,8 +1,8 @@
 use async_trait::async_trait;
-use tokio_watfaq_rustls::{TlsConnector, client::TlsStream};
-use watfaq_rustls::{
+use rustls::{
     ClientConfig, RootCertStore, client::RealityConfig, pki_types::ServerName,
 };
+use tokio_rustls::{TlsConnector, client::TlsStream};
 
 use std::{
     io,

clash-lib/src/proxy/transport/shadow_tls/mod.rs

@@ -1,31 +1,22 @@
 use async_trait::async_trait;
 use rand::{RngExt, distr::Distribution};
-use std::{
-    io,
-    ptr::copy_nonoverlapping,
-    sync::{Arc, LazyLock},
-};
+use std::{io, ptr::copy_nonoverlapping, sync::Arc};
 use stream::{ProxyTlsStream, VerifiedStream};
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt};
-use tokio_watfaq_rustls::{TlsConnector, client::TlsStream};
+use tokio_rustls::{TlsConnector, client::TlsStream};
 use utils::Hmac;
 
 mod prelude;
 mod stream;
 mod utils;
 
 use super::Transport;
-use crate::{common::errors::map_io_error, proxy::AnyStream};
+use crate::{
+    common::{errors::map_io_error, tls::GLOBAL_ROOT_STORE},
+    proxy::AnyStream,
+};
 use prelude::*;
 
-static ROOT_STORE: LazyLock<Arc<watfaq_rustls::RootCertStore>> =
-    LazyLock::new(root_store);
-
-fn root_store() -> Arc<watfaq_rustls::RootCertStore> {
-    let root_store = webpki_roots::TLS_SERVER_ROOTS.iter().cloned().collect();
-    Arc::new(root_store)
-}
-
 pub struct Client {
     host: String,
     password: String,
@@ -49,14 +40,18 @@ impl Client {
 
         // handshake
         let hamc_handshake = Hmac::new(&self.password, (&[], &[]));
-        let sni_name =
-            watfaq_rustls::pki_types::ServerName::try_from(self.host.clone())
-                .map_err(map_io_error)?;
+        let sni_name = rustls::pki_types::ServerName::try_from(self.host.clone())
+            .map_err(map_io_error)?;
         let session_id_generator =
             move |data: &_| generate_session_id(&hamc_handshake, data);
         let connector = new_connector();
         let mut tls = connector
-            .connect_with(sni_name, proxy_stream, Some(session_id_generator), |_| {})
+            .connect_with_session_id_generator(
+                sni_name,
+                proxy_stream,
+                Some(session_id_generator),
+                |_| {},
+            )
             .await?;
 
         // check if is authorized
@@ -120,8 +115,8 @@ impl Transport for Client {
 }
 
 fn new_connector() -> TlsConnector {
-    let tls_config = watfaq_rustls::ClientConfig::builder()
-        .with_root_certificates(ROOT_STORE.clone())
+    let tls_config = rustls::ClientConfig::builder()
+        .with_root_certificates(GLOBAL_ROOT_STORE.clone())
         .with_no_client_auth();
 
     TlsConnector::from(Arc::new(tls_config))

clash-lib/src/proxy/transport/splice_tls.rs

@@ -20,7 +20,7 @@ use tracing::debug;
 
 use crate::proxy::AnyStream;
 
-pub type RealityTlsStream = tokio_watfaq_rustls::client::TlsStream<AnyStream>;
+pub type RealityTlsStream = tokio_rustls::client::TlsStream<AnyStream>;
 
 /// Options passed to `VisionStream` when XTLS-splice mode is active.
 ///