Mirrors/sqlx
2
0
Fork 0
mirror of https://github.com/launchbadge/sqlx synced 2024-11-10 06:24:16 +00:00
Code Issues Projects Releases Packages Wiki Activity

Upgrade rustls to 0.20 (#1505)

Browse source 
* Upgrade rustls to 0.20

* Rustls 0.20.1 is out

* Fix merge conflict mistake

* Bump rustls-pemfile to 0.3

* Resync Cargo.lock

* Bump rustls-pemfile to v1

Co-authored-by: Austin Bonander <austin@launchbadge.com>
This commit is contained in:
Paolo Barbolini 2022-04-15 00:11:17 +02:00 committed by GitHub
parent a97208c016
commit 08296a28a0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 100 additions and 70 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
Cargo.lock generated
View file

@ -170,17 +170,6 @@ dependencies = [
"winapi", "winapi",
] ]
[[package]]
name = "async-rustls"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9c86f33abd5a4f3e2d6d9251a9e0c6a7e52eb1113caf893dae8429bf4a53f378"
dependencies = [
"futures-lite",
"rustls",
"webpki",
]
[[package]] [[package]]
name = "async-std" name = "async-std"
version = "1.10.0" version = "1.10.0"
@ -954,6 +943,17 @@ dependencies = [
"syn", "syn",
] ]
[[package]]
name = "futures-rustls"
version = "0.22.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e01fe9932a224b72b45336d96040aa86386d674a31d0af27d800ea7bc8ca97fe"
dependencies = [
"futures-io",
"rustls",
"webpki",
]
[[package]] [[package]]
name = "futures-sink" name = "futures-sink"
version = "0.3.19" version = "0.3.19"
@ -2080,17 +2080,25 @@ dependencies = [
[[package]] [[package]]
name = "rustls" name = "rustls"
version = "0.19.1" version = "0.20.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "35edb675feee39aec9c99fa5ff985081995a06d594114ae14cbe797ad7b7a6d7" checksum = "4fbfeb8d0ddb84706bc597a5574ab8912817c52a397f819e5b614e2265206921"
dependencies = [ dependencies = [
"base64",
"log", "log",
"ring", "ring",
"sct", "sct",
"webpki", "webpki",
] ]
[[package]]
name = "rustls-pemfile"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e7522c9de787ff061458fe9a829dc790a3f5b22dc571694fc5883f448b94d9a9"
dependencies = [
"base64",
]
[[package]] [[package]]
name = "rustyline" name = "rustyline"
version = "6.3.0" version = "6.3.0"
@ -2143,9 +2151,9 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
[[package]] [[package]]
name = "sct" name = "sct"
version = "0.6.1" version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b362b83898e0e69f38515b82ee15aa80636befe47c3b6d3d89a911e78fc228ce" checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4"
dependencies = [ dependencies = [
"ring", "ring",
"untrusted", "untrusted",
@ -2450,6 +2458,7 @@ dependencies = [
"rsa", "rsa",
"rust_decimal", "rust_decimal",
"rustls", "rustls",
"rustls-pemfile",
"serde", "serde",
"serde_json", "serde_json",
"sha-1", "sha-1",
@ -2465,7 +2474,6 @@ dependencies = [
"tokio-stream", "tokio-stream",
"url", "url",
"uuid", "uuid",
"webpki",
"webpki-roots", "webpki-roots",
"whoami", "whoami",
] ]
@ -2566,8 +2574,8 @@ version = "0.5.12"
dependencies = [ dependencies = [
"actix-rt", "actix-rt",
"async-native-tls", "async-native-tls",
"async-rustls",
"async-std", "async-std",
"futures-rustls",
"native-tls", "native-tls",
"once_cell", "once_cell",
"tokio", "tokio",
@ -2898,9 +2906,9 @@ dependencies = [
[[package]] [[package]]
name = "tokio-rustls" name = "tokio-rustls"
version = "0.22.0" version = "0.23.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6" checksum = "4151fda0cf2798550ad0b34bcfc9b9dcc2a9d2471c895c68f3a8818e54f2389e"
dependencies = [ dependencies = [
"rustls", "rustls",
"tokio", "tokio",
@ -3145,9 +3153,9 @@ dependencies = [
[[package]] [[package]]
name = "webpki" name = "webpki"
version = "0.21.4" version = "0.22.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b8e38c0608262c46d4a56202ebabdeb094cef7e560ca7a226c6bf055188aa4ea" checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd"
dependencies = [ dependencies = [
"ring", "ring",
"untrusted", "untrusted",
@ -3155,9 +3163,9 @@ dependencies = [
[[package]] [[package]]
name = "webpki-roots" name = "webpki-roots"
version = "0.21.1" version = "0.22.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aabe153544e473b775453675851ecc86863d2a81d786d741f6b76778f2a48940" checksum = "552ceb903e957524388c4d3475725ff2c8b7960922063af6ce53c9a43da07449"
dependencies = [ dependencies = [
"webpki", "webpki",
] ]

8
sqlx-core/Cargo.toml
View file

@ -94,7 +94,7 @@ _rt-actix = ["tokio-stream"]
_rt-async-std = [] _rt-async-std = []
_rt-tokio = ["tokio-stream"] _rt-tokio = ["tokio-stream"]
_tls-native-tls = [] _tls-native-tls = []
_tls-rustls = ["rustls", "webpki", "webpki-roots"] _tls-rustls = ["rustls", "rustls-pemfile", "webpki-roots"]
# support offline/decoupled building (enables serialization of `Describe`) # support offline/decoupled building (enables serialization of `Describe`)
offline = ["serde", "either/serde"] offline = ["serde", "either/serde"]
@ -147,7 +147,8 @@ percent-encoding = "2.1.0"
rand = { version = "0.8.4", default-features = false, optional = true, features = ["std", "std_rng"] } rand = { version = "0.8.4", default-features = false, optional = true, features = ["std", "std_rng"] }
regex = { version = "1.5.5", optional = true } regex = { version = "1.5.5", optional = true }
rsa = { version = "0.6.0", optional = true } rsa = { version = "0.6.0", optional = true }
rustls = { version = "0.19.1", features = ["dangerous_configuration"], optional = true } rustls = { version = "0.20.1", features = ["dangerous_configuration"], optional = true }
rustls-pemfile = { version = "1.0", optional = true }
serde = { version = "1.0.132", features = ["derive", "rc"], optional = true } serde = { version = "1.0.132", features = ["derive", "rc"], optional = true }
serde_json = { version = "1.0.73", features = ["raw_value"], optional = true } serde_json = { version = "1.0.73", features = ["raw_value"], optional = true }
sha-1 = { version = "0.10.0", default-features = false, optional = true } sha-1 = { version = "0.10.0", default-features = false, optional = true }
@ -159,8 +160,7 @@ tokio-stream = { version = "0.1.8", features = ["fs"], optional = true }
smallvec = "1.7.0" smallvec = "1.7.0"
url = { version = "2.2.2", default-features = false } url = { version = "2.2.2", default-features = false }
uuid = { version = "0.8.2", default-features = false, optional = true, features = ["std"] } uuid = { version = "0.8.2", default-features = false, optional = true, features = ["std"] }
webpki = { version = "0.21.4", optional = true } webpki-roots = { version = "0.22.0", optional = true }
webpki-roots = { version = "0.21.1", optional = true }
whoami = { version = "1.2.1", optional = true } whoami = { version = "1.2.1", optional = true }
stringprep = "0.1.2" stringprep = "0.1.2"
bstr = { version = "0.2.17", default-features = false, features = ["std"], optional = true } bstr = { version = "0.2.17", default-features = false, features = ["std"], optional = true }

8
sqlx-core/src/error.rs
View file

@ -253,14 +253,6 @@ impl From<sqlx_rt::native_tls::Error> for Error {
} }
} }
#[cfg(feature = "_tls-rustls")]
impl From<webpki::InvalidDNSNameError> for Error {
#[inline]
fn from(error: webpki::InvalidDNSNameError) -> Self {
Error::Tls(Box::new(error))
}
}
// Format an error message as a `Protocol` error // Format an error message as a `Protocol` error
macro_rules! err_protocol { macro_rules! err_protocol {
($expr:expr) => { ($expr:expr) => {

3
sqlx-core/src/net/tls/mod.rs
View file

@ -1,5 +1,6 @@
#![allow(dead_code)] #![allow(dead_code)]
use std::convert::TryFrom;
use std::io; use std::io;
use std::ops::{Deref, DerefMut}; use std::ops::{Deref, DerefMut};
use std::path::PathBuf; use std::path::PathBuf;
@ -104,7 +105,7 @@ where
}; };
#[cfg(feature = "_tls-rustls")] #[cfg(feature = "_tls-rustls")]
let host = webpki::DNSNameRef::try_from_ascii_str(host)?; let host = ::rustls::ServerName::try_from(host).map_err(|err| Error::Tls(err.into()))?;
*self = MaybeTlsStream::Tls(connector.connect(host, stream).await?); *self = MaybeTlsStream::Tls(connector.connect(host, stream).await?);

87
sqlx-core/src/net/tls/rustls.rs
View file

@ -1,11 +1,11 @@
use crate::net::CertificateInput; use crate::net::CertificateInput;
use rustls::{ use rustls::{
Certificate, ClientConfig, RootCertStore, ServerCertVerified, ServerCertVerifier, TLSError, client::{ServerCertVerified, ServerCertVerifier, WebPkiVerifier},
WebPKIVerifier, ClientConfig, Error as TlsError, OwnedTrustAnchor, RootCertStore, ServerName,
}; };
use std::io::Cursor; use std::io::Cursor;
use std::sync::Arc; use std::sync::Arc;
use webpki::DNSNameRef; use std::time::SystemTime;
use crate::error::Error; use crate::error::Error;
@ -14,32 +14,47 @@ pub async fn configure_tls_connector(
accept_invalid_hostnames: bool, accept_invalid_hostnames: bool,
root_cert_path: Option<&CertificateInput>, root_cert_path: Option<&CertificateInput>,
) -> Result<sqlx_rt::TlsConnector, Error> { ) -> Result<sqlx_rt::TlsConnector, Error> {
let mut config = ClientConfig::new(); let config = ClientConfig::builder().with_safe_defaults();
if accept_invalid_certs { let config = if accept_invalid_certs {
config config
.dangerous() .with_custom_certificate_verifier(Arc::new(DummyTlsVerifier))
.set_certificate_verifier(Arc::new(DummyTlsVerifier)); .with_no_client_auth()
} else { } else {
config let mut cert_store = RootCertStore::empty();
.root_store cert_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS); OwnedTrustAnchor::from_subject_spki_name_constraints(
ta.subject,
ta.spki,
ta.name_constraints,
)
}));
if let Some(ca) = root_cert_path { if let Some(ca) = root_cert_path {
let data = ca.data().await?; let data = ca.data().await?;
let mut cursor = Cursor::new(data); let mut cursor = Cursor::new(data);
config
.root_store for cert in rustls_pemfile::certs(&mut cursor)
.add_pem_file(&mut cursor) .map_err(|_| Error::Tls(format!("Invalid certificate {}", ca).into()))?
.map_err(|_| Error::Tls(format!("Invalid certificate {}", ca).into()))?; {
cert_store
.add(&rustls::Certificate(cert))
.map_err(|err| Error::Tls(err.into()))?;
}
} }
if accept_invalid_hostnames { if accept_invalid_hostnames {
let verifier = WebPkiVerifier::new(cert_store, None);
config config
.dangerous() .with_custom_certificate_verifier(Arc::new(NoHostnameTlsVerifier { verifier }))
.set_certificate_verifier(Arc::new(NoHostnameTlsVerifier)); .with_no_client_auth()
} } else {
config
.with_root_certificates(cert_store)
.with_no_client_auth()
} }
};
Ok(Arc::new(config).into()) Ok(Arc::new(config).into())
} }
@ -49,28 +64,42 @@ struct DummyTlsVerifier;
impl ServerCertVerifier for DummyTlsVerifier { impl ServerCertVerifier for DummyTlsVerifier {
fn verify_server_cert( fn verify_server_cert(
&self, &self,
_roots: &RootCertStore, _end_entity: &rustls::Certificate,
_presented_certs: &[Certificate], _intermediates: &[rustls::Certificate],
_dns_name: DNSNameRef<'_>, _server_name: &ServerName,
_scts: &mut dyn Iterator<Item = &[u8]>,
_ocsp_response: &[u8], _ocsp_response: &[u8],
) -> Result<ServerCertVerified, TLSError> { _now: SystemTime,
) -> Result<ServerCertVerified, TlsError> {
Ok(ServerCertVerified::assertion()) Ok(ServerCertVerified::assertion())
} }
} }
pub struct NoHostnameTlsVerifier; pub struct NoHostnameTlsVerifier {
verifier: WebPkiVerifier,
}
impl ServerCertVerifier for NoHostnameTlsVerifier { impl ServerCertVerifier for NoHostnameTlsVerifier {
fn verify_server_cert( fn verify_server_cert(
&self, &self,
roots: &RootCertStore, end_entity: &rustls::Certificate,
presented_certs: &[Certificate], intermediates: &[rustls::Certificate],
dns_name: DNSNameRef<'_>, server_name: &ServerName,
scts: &mut dyn Iterator<Item = &[u8]>,
ocsp_response: &[u8], ocsp_response: &[u8],
) -> Result<ServerCertVerified, TLSError> { now: SystemTime,
let verifier = WebPKIVerifier::new(); ) -> Result<ServerCertVerified, TlsError> {
match verifier.verify_server_cert(roots, presented_certs, dns_name, ocsp_response) { match self.verifier.verify_server_cert(
Err(TLSError::WebPKIError(webpki::Error::CertNotValidForName)) => { end_entity,
intermediates,
server_name,
scts,
ocsp_response,
now,
) {
Err(TlsError::InvalidCertificateData(reason))
if reason.contains("CertNotValidForName") =>
{
Ok(ServerCertVerified::assertion()) Ok(ServerCertVerified::assertion())
} }
res => res, res => res,

6
sqlx-rt/Cargo.toml
View file

@ -20,7 +20,7 @@ runtime-async-std-native-tls = [
runtime-tokio-native-tls = ["_rt-tokio", "_tls-native-tls", "tokio-native-tls"] runtime-tokio-native-tls = ["_rt-tokio", "_tls-native-tls", "tokio-native-tls"]
runtime-actix-rustls = ["_rt-actix", "_tls-rustls", "tokio-rustls"] runtime-actix-rustls = ["_rt-actix", "_tls-rustls", "tokio-rustls"]
runtime-async-std-rustls = ["_rt-async-std", "_tls-rustls", "async-rustls"] runtime-async-std-rustls = ["_rt-async-std", "_tls-rustls", "futures-rustls"]
runtime-tokio-rustls = ["_rt-tokio", "_tls-rustls", "tokio-rustls"] runtime-tokio-rustls = ["_rt-tokio", "_tls-rustls", "tokio-rustls"]
# Not used directly and not re-exported from sqlx # Not used directly and not re-exported from sqlx
@ -32,11 +32,11 @@ _tls-rustls = []
[dependencies] [dependencies]
async-native-tls = { version = "0.3.3", optional = true } async-native-tls = { version = "0.3.3", optional = true }
async-rustls = { version = "0.2.0", optional = true } futures-rustls = { version = "0.22.0", optional = true }
actix-rt = { version = "2.0.0", default-features = false, optional = true } actix-rt = { version = "2.0.0", default-features = false, optional = true }
async-std = { version = "1.7.0", features = ["unstable"], optional = true } async-std = { version = "1.7.0", features = ["unstable"], optional = true }
tokio-native-tls = { version = "0.3.0", optional = true } tokio-native-tls = { version = "0.3.0", optional = true }
tokio-rustls = { version = "0.22.0", optional = true } tokio-rustls = { version = "0.23.0", optional = true }
native-tls = { version = "0.2.4", optional = true } native-tls = { version = "0.2.4", optional = true }
once_cell = { version = "1.4", features = ["std"], optional = true } once_cell = { version = "1.4", features = ["std"], optional = true }

2
sqlx-rt/src/lib.rs
View file

@ -193,4 +193,4 @@ pub use async_native_tls::{TlsConnector, TlsStream};
feature = "_rt-actix" feature = "_rt-actix"
)), )),
))] ))]
pub use async_rustls::{client::TlsStream, TlsConnector}; pub use futures_rustls::{client::TlsStream, TlsConnector};