From 41ec380b55c98222f7afbfd2d74f43cbc8a49373 Mon Sep 17 00:00:00 2001
From: bjoern <r10s@b44t.com>
Date: Sun, 17 Oct 2021 14:28:34 +0200
Subject: [PATCH] add let's encrypt certificate missing on some older android
 devices (#2752)

* add let's encrypt certificate missing on some older android devices

* create Certificate with Lazy::new()

* document certificate source

* use smaller *.der format instead of *.pem
---
 .../letsencrypt/isrgrootx1.der                | Bin 0 -> 1391 bytes
 src/login_param.rs                            |  23 +++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 assets/root-certificates/letsencrypt/isrgrootx1.der

diff --git a/assets/root-certificates/letsencrypt/isrgrootx1.der b/assets/root-certificates/letsencrypt/isrgrootx1.der
new file mode 100644
index 0000000000000000000000000000000000000000..9d2132e7f1e352fabac7eafb231488b5da91ffb2
GIT binary patch
literal 1391
zcmXqLV$C*aVh&!w%*4pVB*@StaDKxjhsTjF$q#lXH+3@@@Un4gwRyCC=VfH%W@Rw&
zH{>?pWMd9xVH0Kw4K~y?PzQ0igcUsVN>YpRQcDzqQ<F=JGD|8If>Mi96N{2F6x@sQ
zOA8D|4TM2TnT2^ggM-`^g7WiA6e0`_<ivRmO%2QpObiVTOpGm}#CeU8xzx9?iAf3B
zQ;e((%uP)E3<gb1Tue<&j0|gEs1$z@G5<V!o_4r~O#8k&+wWUU=*hEr7QUe3d+DJ?
z|GsABePi&~xP339Eyrc@wvEYuMTD~V%U^nBI9svqqOr{`kFR$t?{D7mU+AOaEboI|
zZH1X$X=yqAbv6b2*J>)UeSUJ_S;M+V-u>HW)=goaf7yL{%}fvF;1?F_{JHX*^)7mb
z_cWAjyQP1@qPLp4KvBB%lYz~z{&jb6C9i%h=6|S9(7WzD_ly5q%k{o&s`h%|Bc#ex
z(95j3;9;=J8{wPpB=-w!_Uf_kT$~tqZ%sS<lrPDJZ}cAJN6%<{*coF|nN#-OdO}j=
zv)fB%>8l;RAn=gy-c5l%vESRjulRoaDHHpQelw1#&mWmj<25Ut_nWV1qwMTG%s)L@
zZ#3Rz-J*5P@#PxEvZ-ABH|}5ED<p5KuOXguX~w}7oGImb?&iDBt%;1wm|I_Tt@9|G
zqo!S?-Ceb>DklY(M=kbokat@+bL(=ez`Qo=d9_8$g;*;h-`WLMh;lRc_g>Iv-DFqo
zCF5PpD)i^rs|NwXHO`YuHlHea-Y3t<alzn9bfMW6_FV@J3}QUCH(AeER-4eZXt8F~
znO%FES)>;=GdnK4#`;nE(6$dNYTB&bR(NQ2+$oz?wqHJLsjX!HYm3h*_fBZ@a%uek
ze*2NA(-ox)>ah<i|4BSA=veFb>}I#svAgPldH?sMd^L9VXJTe#U|j5E;9$T9Os}&1
zjEw(TSb({M&43@o7Y6ZJ4VZzHfh<UXk420{q;gB-v+8Y6pD-3TaCDrIium?&b{=vn
z17;myDq~~_m5*4tXVZ#+3p^WdNM$OhYjUhfERE^P`_c3?Q~&C>Fz=l^iUlGsD^9O_
z?o;@C)1`#9mMgeli7SS+ehlD?e0}ag<jY+rMc=p0?Qd!L_T=Tn33tS2CrP`0NSk`8
zCjZbY>-X~KPhVT7{&D4o6YKug*3J5*#Pa(8&H7gpwUsuC^Ywq~GKr43@rUtb$j%*V
zXSzC!JAHIpY?|)Bn-<QxOK11@BioPrSvT!7JfT!vJn7=0h9#Dk0>;WsJ~s2)HigcR
z-KW{sqcnToqipMNtEK|qJDkTmPjj*R=DdjQJNf?H>f^h&YWulf^SYpR=4sI>j;y6q
zAB!&hzU1vmo%p4{|F6+t(%W~vdiUeP>Iq_(+2h=TYs}f5dM+QCHs|Whty&MJN;P<_
z^RZ+<cgB55&{XYRJASXdWE@=kRMt25>cWl3o${YKsGG(t*4WP8`@Gk9!gJ;MzXRq}
z=D1zmBD#56Ufpb-X;wRebnUN2Km5&csO6u^ip8C`)?_`D(Av1dIWhXO{2lAwvQN4%
zdQ0z%8|T;t|E@mm82|syq6>)@52x)|6WeWmz4WT_ftiBq<~klMDs9=v<meQiuHrG}
z;%xPO?Dji%_&1gWKCIgQcCPZHeGjf`un5~2GS9nPmD7KWUE)~%J@-C)jd?6==a+_<
hl<$4hIs2u!^Zn@C@&Eed!WW%&m|K^mbnBjkIsk}=Sg-&9

literal 0
HcmV?d00001

diff --git a/src/login_param.rs b/src/login_param.rs
index c02a20978..560c8306e 100644
--- a/src/login_param.rs
+++ b/src/login_param.rs
@@ -11,8 +11,10 @@ use anyhow::Result;
 use async_std::io;
 use async_std::net::TcpStream;
 
+use async_native_tls::Certificate;
 pub use async_smtp::ServerAddress;
 use fast_socks5::client::Socks5Stream;
+use once_cell::sync::Lazy;
 
 #[derive(Copy, Clone, Debug, Display, FromPrimitive, PartialEq, Eq)]
 #[repr(u32)]
@@ -368,8 +370,18 @@ fn get_readable_flags(flags: i32) -> String {
     res
 }
 
+// this certificate is missing on older android devices (eg. lg with android6 from 2017)
+// certificate downloaded from https://letsencrypt.org/certificates/
+static LETSENCRYPT_ROOT: Lazy<Certificate> = Lazy::new(|| {
+    Certificate::from_der(include_bytes!(
+        "../assets/root-certificates/letsencrypt/isrgrootx1.der"
+    ))
+    .unwrap()
+});
+
 pub fn dc_build_tls(strict_tls: bool) -> async_native_tls::TlsConnector {
-    let tls_builder = async_native_tls::TlsConnector::new();
+    let tls_builder =
+        async_native_tls::TlsConnector::new().add_root_certificate(LETSENCRYPT_ROOT.clone());
 
     if strict_tls {
         tls_builder
@@ -430,4 +442,13 @@ mod tests {
         assert_eq!(param, loaded);
         Ok(())
     }
+
+    #[async_std::test]
+    async fn test_build_tls() -> Result<()> {
+        // we are using some additional root certificates.
+        // make sure, they do not break construction of TlsConnector
+        let _ = dc_build_tls(true);
+        let _ = dc_build_tls(false);
+        Ok(())
+    }
 }