From 624f28955416f50402357dfaa7a086bcf66eff5f Mon Sep 17 00:00:00 2001
From: Paolo Barbolini
Date: Fri, 22 Oct 2021 17:14:07 +0200
Subject: [PATCH 1/6] Upgrade rustls to 0.20
---
 Cargo.lock | 57 +++++++++++----------
 Cargo.toml | 4 ++
 sqlx-core/Cargo.toml | 8 +-
 sqlx-core/src/error.rs | 8 ---
 sqlx-core/src/net/tls/mod.rs | 3 +-
 sqlx-core/src/net/tls/rustls.rs | 87 ++++++++++++++++++++++-----------
 sqlx-rt/Cargo.toml | 6 +-
 sqlx-rt/src/lib.rs | 2 +-
 8 files changed, 104 insertions(+), 71 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index a954707b3d..6c9c320014 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -171,17 +171,6 @@ dependencies = [
  "winapi",
 ]
 
-[[package]]
-name = "async-rustls"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c86f33abd5a4f3e2d6d9251a9e0c6a7e52eb1113caf893dae8429bf4a53f378"
-dependencies = [
- "futures-lite",
- "rustls",
- "webpki",
-]
-
 [[package]]
 name = "async-std"
 version = "1.9.0"
@@ -937,6 +926,17 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "futures-rustls"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d383f0425d991a05e564c2f3ec150bd6dde863179c131dd60d8aa73a05434461"
+dependencies = [
+ "futures-io",
+ "rustls",
+ "webpki",
+]
+
 [[package]]
 name = "futures-sink"
 version = "0.3.15"
@@ -2058,17 +2058,24 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.19.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "35edb675feee39aec9c99fa5ff985081995a06d594114ae14cbe797ad7b7a6d7"
+version = "0.20.0"
+source = "git+https://github.com/rustls/rustls.git#05172d056ea77cd5d67edf5055909168a907f08b"
 dependencies = [
- "base64",
  "log",
  "ring",
  "sct",
  "webpki",
 ]
 
+[[package]]
+name = "rustls-pemfile"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9"
+dependencies = [
+ "base64",
+]
+
 [[package]]
 name = "rustyline"
 version = "6.3.0"
@@ -2121,9 +2128,9 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
 
 [[package]]
 name = "sct"
-version = "0.6.1"
+version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b362b83898e0e69f38515b82ee15aa80636befe47c3b6d3d89a911e78fc228ce"
+checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4"
 dependencies = [
  "ring",
  "untrusted",
@@ -2436,6 +2443,7 @@ dependencies = [
  "rsa",
  "rust_decimal",
  "rustls",
+ "rustls-pemfile",
  "serde",
  "serde_json",
  "sha-1",
@@ -2449,7 +2457,6 @@ dependencies = [
  "tokio-stream",
  "url",
  "uuid",
- "webpki",
  "webpki-roots",
  "whoami",
 ]
@@ -2550,8 +2557,8 @@ version = "0.5.9"
 dependencies = [
  "actix-rt",
  "async-native-tls",
- "async-rustls",
  "async-std",
+ "futures-rustls",
  "native-tls",
  "once_cell",
  "tokio",
@@ -2904,9 +2911,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-rustls"
-version = "0.22.0"
+version = "0.23.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6"
+checksum = "d49194a46b06a69f2498a34a595ab4a9c1babd2642ffa3dbccf6c6778d1426f2"
 dependencies = [
  "rustls",
  "tokio",
@@ -3166,9 +3173,9 @@ dependencies = [
 
 [[package]]
 name = "webpki"
-version = "0.21.4"
+version = "0.22.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8e38c0608262c46d4a56202ebabdeb094cef7e560ca7a226c6bf055188aa4ea"
+checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd"
 dependencies = [
  "ring",
  "untrusted",
@@ -3176,9 +3183,9 @@ dependencies = [
 
 [[package]]
 name = "webpki-roots"
-version = "0.21.1"
+version = "0.22.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aabe153544e473b775453675851ecc86863d2a81d786d741f6b76778f2a48940"
+checksum = "c475786c6f47219345717a043a37ec04cb4bc185e28853adcc4fa0a947eba630"
 dependencies = [
  "webpki",
 ]
diff --git a/Cargo.toml b/Cargo.toml
index aab4f3b613..328495a55c 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -151,6 +151,10 @@ serde = { version = "1.0.111", features = ["derive"] }
 serde_json = "1.0.53"
 url = "2.1.1"
 
+[patch.crates-io]
+# waiting for rustls 0.20.1
+rustls = { git = "https://github.com/rustls/rustls.git" }
+
 #
 # Any
 #
diff --git a/sqlx-core/Cargo.toml b/sqlx-core/Cargo.toml
index 0abbb05db5..c0c100318d 100644
--- a/sqlx-core/Cargo.toml
+++ b/sqlx-core/Cargo.toml
@@ -93,7 +93,7 @@ _rt-actix = ["tokio-stream"]
 _rt-async-std = []
 _rt-tokio = ["tokio-stream"]
 _tls-native-tls = []
-_tls-rustls = ["rustls", "webpki", "webpki-roots"]
+_tls-rustls = ["rustls", "rustls-pemfile", "webpki-roots"]
 
 # support offline/decoupled building (enables serialization of `Describe`)
 offline = ["serde", "either/serde"]
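Review bot: The new `[patch.crates-io]` entry in the root Cargo.toml hunk points at the rustls git repository with no `rev` or `tag`, so the source of the TLS implementation is pinned only by Cargo.lock; a `cargo update`, or any consumer that does not honour the lockfile, resolves to whatever the default branch holds at that moment. Pin it to the commit the lockfile already records, `rustls = { git = "https://github.com/rustls/rustls.git", rev = "05172d056ea77cd5d67edf5055909168a907f08b" }`, for the window until the crates.io release lands; the second commit in this series removes the patch once 0.20.1 is published, so this only concerns the interim state. The `# waiting for rustls 0.20.1` comment already documents why the patch exists.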
@@ -144,7 +144,8 @@ parking_lot = "0.11.0"
 rand = { version = "0.8.3", default-features = false, optional = true, features = ["std", "std_rng"] }
 regex = { version = "1.3.9", optional = true }
 rsa = { version = "0.4.0", optional = true }
-rustls = { version = "0.19.0", features = ["dangerous_configuration"], optional = true }
+rustls = { version = "0.20.0", features = ["dangerous_configuration"], optional = true }
+rustls-pemfile = { version = "0.2.0", optional = true }
 serde = { version = "1.0.106", features = ["derive", "rc"], optional = true }
 serde_json = { version = "1.0.51", features = ["raw_value"], optional = true }
 sha-1 = { version = "0.9.0", default-features = false, optional = true }
@@ -156,8 +157,7 @@ tokio-stream = { version = "0.1.2", features = ["fs"], optional = true }
 smallvec = "1.4.0"
 url = { version = "2.1.1", default-features = false }
 uuid = { version = "0.8.1", default-features = false, optional = true, features = ["std"] }
-webpki = { version = "0.21.0", optional = true }
-webpki-roots = { version = "0.21.0", optional = true }
+webpki-roots = { version = "0.22.0", optional = true }
 whoami = "1.0.1"
 stringprep = "0.1.2"
 bstr = { version = "0.2.14", default-features = false, features = ["std"], optional = true }
diff --git a/sqlx-core/src/error.rs b/sqlx-core/src/error.rs
index 6a152520db..302ba69cf3 100644
--- a/sqlx-core/src/error.rs
+++ b/sqlx-core/src/error.rs
@@ -253,14 +253,6 @@ impl From for Error {
 }
 }
 
-#[cfg(feature = "_tls-rustls")]
-impl From for Error {
-#[inline]
-fn from(error: webpki::InvalidDNSNameError) -> Self {
-Error::Tls(Box::new(error))
-}
-}
-
 // Format an error message as a `Protocol` error
 macro_rules! err_protocol {
 ($expr:expr) => {
diff --git a/sqlx-core/src/net/tls/mod.rs b/sqlx-core/src/net/tls/mod.rs
index aa90cf52d8..6e57b82400 100644
--- a/sqlx-core/src/net/tls/mod.rs
+++ b/sqlx-core/src/net/tls/mod.rs
@@ -1,5 +1,6 @@
 #![allow(dead_code)]
 
+use std::convert::TryFrom;
 use std::io;
 use std::ops::{Deref, DerefMut};
 use std::path::PathBuf;
@@ -104,7 +105,7 @@ where
 };
 #[cfg(feature = "_tls-rustls")]
-let host = webpki::DNSNameRef::try_from_ascii_str(host)?;
+let host = ::rustls::ServerName::try_from(host).map_err(|err| Error::Tls(err.into()))?;
 *self = MaybeTlsStream::Tls(connector.connect(host, stream).await?);
diff --git a/sqlx-core/src/net/tls/rustls.rs b/sqlx-core/src/net/tls/rustls.rs
index 821440b906..2ad958b0d2 100644
--- a/sqlx-core/src/net/tls/rustls.rs
+++ b/sqlx-core/src/net/tls/rustls.rs
@@ -1,11 +1,11 @@
 use crate::net::CertificateInput;
 use rustls::{
-Certificate, ClientConfig, RootCertStore, ServerCertVerified, ServerCertVerifier, TLSError,
-WebPKIVerifier,
+client::{ServerCertVerified, ServerCertVerifier, WebPkiVerifier},
+ClientConfig, Error as TlsError, OwnedTrustAnchor, RootCertStore, ServerName,
 };
 use std::io::Cursor;
 use std::sync::Arc;
-use webpki::DNSNameRef;
+use std::time::SystemTime;
 
 use crate::error::Error;
@@ -14,32 +14,47 @@ pub async fn configure_tls_connector(
 accept_invalid_hostnames: bool,
 root_cert_path: Option<&CertificateInput>,
 ) -> Result {
-let mut config = ClientConfig::new();
+let config = ClientConfig::builder().with_safe_defaults();
-if accept_invalid_certs {
+let config = if accept_invalid_certs {
 config
-.dangerous()
-.set_certificate_verifier(Arc::new(DummyTlsVerifier));
+.with_custom_certificate_verifier(Arc::new(DummyTlsVerifier))
+.with_no_client_auth()
 } else {
-config
-.root_store
-.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
+let mut cert_store = RootCertStore::empty();
+cert_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
+OwnedTrustAnchor::from_subject_spki_name_constraints(
+ta.subject,
+ta.spki,
+ta.name_constraints,
+)
+}));
 if let Some(ca) = root_cert_path {
 let data = ca.data().await?;
 let mut cursor = Cursor::new(data);
-config
-.root_store
-.add_pem_file(&mut cursor)
-.map_err(|_| Error::Tls(format!("Invalid certificate {}", ca).into()))?;
+
+for cert in rustls_pemfile::certs(&mut cursor)
+.map_err(|_| Error::Tls(format!("Invalid certificate {}", ca).into()))?
+{
+cert_store
+.add(&rustls::Certificate(cert))
+.map_err(|err| Error::Tls(err.into()))?;
+}
 }
 if accept_invalid_hostnames {
+let verifier = WebPkiVerifier::new(cert_store, None);
+
+config
+.with_custom_certificate_verifier(Arc::new(NoHostnameTlsVerifier { verifier }))
+.with_no_client_auth()
+} else {
 config
-.dangerous()
-.set_certificate_verifier(Arc::new(NoHostnameTlsVerifier));
+.with_root_certificates(cert_store)
+.with_no_client_auth()
 }
-}
+};
 Ok(Arc::new(config).into())
 }
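Review bot: A CA file that is valid PEM but contains no CERTIFICATE blocks (an empty file, or a key file passed by mistake) makes `rustls_pemfile::certs(&mut cursor)` return an empty Vec, so the new `for cert in …` loop adds nothing and the connector silently proceeds with only the bundled webpki roots instead of reporting the misconfiguration; the custom-root path deserves an explicit emptiness check. The `map_err` on that call also discards the underlying error, so the message cannot say whether the PEM was malformed or merely empty. The function's signature begins above the hunk (`pub async fn configure_tls_connector(` is only visible as hunk context). I would collect the parsed certificates first and reject an empty result before populating `cert_store`:
```rust
// … unchanged: builder with safe defaults, webpki trust-anchor import …
if let Some(ca) = root_cert_path {
    let data = ca.data().await?;
    let mut cursor = Cursor::new(data);

    let certs = rustls_pemfile::certs(&mut cursor)
        .map_err(|_| Error::Tls(format!("Invalid certificate {}", ca).into()))?;
    // A PEM file with no CERTIFICATE sections is a misconfiguration, not an
    // empty root set; fail here rather than trusting only the bundled roots.
    if certs.is_empty() {
        return Err(Error::Tls(format!("No certificates found in {}", ca).into()));
    }
    for cert in certs {
        cert_store
            .add(&rustls::Certificate(cert))
            .map_err(|err| Error::Tls(err.into()))?;
    }
}
// … unchanged: verifier selection for accept_invalid_hostnames …
```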
@@ -49,28 +64,42 @@ struct DummyTlsVerifier;
 impl ServerCertVerifier for DummyTlsVerifier {
 fn verify_server_cert(
 &self,
-_roots: &RootCertStore,
-_presented_certs: &[Certificate],
-_dns_name: DNSNameRef<'_>,
+_end_entity: &rustls::Certificate,
+_intermediates: &[rustls::Certificate],
+_server_name: &ServerName,
+_scts: &mut dyn Iterator,
 _ocsp_response: &[u8],
-) -> Result {
+_now: SystemTime,
+) -> Result {
 Ok(ServerCertVerified::assertion())
 }
 }
-pub struct NoHostnameTlsVerifier;
+pub struct NoHostnameTlsVerifier {
+verifier: WebPkiVerifier,
+}
 impl ServerCertVerifier for NoHostnameTlsVerifier {
 fn verify_server_cert(
 &self,
-roots: &RootCertStore,
-presented_certs: &[Certificate],
-dns_name: DNSNameRef<'_>,
+end_entity: &rustls::Certificate,
+intermediates: &[rustls::Certificate],
+server_name: &ServerName,
+scts: &mut dyn Iterator,
 ocsp_response: &[u8],
-) -> Result {
-let verifier = WebPKIVerifier::new();
-match verifier.verify_server_cert(roots, presented_certs, dns_name, ocsp_response) {
-Err(TLSError::WebPKIError(webpki::Error::CertNotValidForName)) => {
+now: SystemTime,
+) -> Result {
+match self.verifier.verify_server_cert(
+end_entity,
+intermediates,
+server_name,
+scts,
+ocsp_response,
+now,
+) {
+Err(TlsError::InvalidCertificateData(reason))
+if reason.contains("CertNotValidForName") =>
+{
 Ok(ServerCertVerified::assertion())
 }
 res => res,
diff --git a/sqlx-rt/Cargo.toml b/sqlx-rt/Cargo.toml
index 7a42ed3107..c193dcf73d 100644
--- a/sqlx-rt/Cargo.toml
+++ b/sqlx-rt/Cargo.toml
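Review bot: The new `Err(TlsError::InvalidCertificateData(reason)) if reason.contains("CertNotValidForName")` arm keys the hostname-mismatch bypass on the text of rustls's error string rather than on a typed variant, because rustls 0.20 no longer surfaces the webpki error as a value; should that wording ever change, every `accept_invalid_hostnames` connection starts failing (fail-closed rather than a silent bypass, which is the safe direction) with nothing in the code explaining why. I would put `// rustls 0.20 reports webpki failures as text; only a name mismatch is tolerated here, every other failure (untrusted chain, expiry, revocation data) still propagates.` above the arm and add a test with a certificate whose SAN does not match `server_name` so the string dependency is caught on upgrade. `DummyTlsVerifier` and the new `NoHostnameTlsVerifier` struct carry no doc comment; `/// Accepts any certificate chain without validation; selected only when accept_invalid_certs is set.` and `/// Full webpki validation (chain, expiry, OCSP, SCTs) but tolerates a name mismatch; selected by accept_invalid_hostnames.` would make the reduced guarantees visible at the definitions. The `match` and the enclosing `impl` block close below the hunk.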
@@ -20,7 +20,7 @@ runtime-async-std-native-tls = [
 runtime-tokio-native-tls = ["_rt-tokio", "_tls-native-tls", "tokio-native-tls"]
 runtime-actix-rustls = ["_rt-actix", "_tls-rustls", "tokio-rustls"]
-runtime-async-std-rustls = ["_rt-async-std", "_tls-rustls", "async-rustls"]
+runtime-async-std-rustls = ["_rt-async-std", "_tls-rustls", "futures-rustls"]
 runtime-tokio-rustls = ["_rt-tokio", "_tls-rustls", "tokio-rustls"]
 
 # Not used directly and not re-exported from sqlx
@@ -32,11 +32,11 @@ _tls-rustls = []
 
 [dependencies]
 async-native-tls = { version = "0.3.3", optional = true }
-async-rustls = { version = "0.2.0", optional = true }
+futures-rustls = { version = "0.22.0", optional = true }
 actix-rt = { version = "2.0.0", default-features = false, optional = true }
 async-std = { version = "1.7.0", features = ["unstable"], optional = true }
 tokio-native-tls = { version = "0.3.0", optional = true }
-tokio-rustls = { version = "0.22.0", optional = true }
+tokio-rustls = { version = "0.23.0", optional = true }
 native-tls = { version = "0.2.4", optional = true }
 once_cell = { version = "1.4", features = ["std"], optional = true }
diff --git a/sqlx-rt/src/lib.rs b/sqlx-rt/src/lib.rs
index 39c50855ec..5e6b732299 100644
--- a/sqlx-rt/src/lib.rs
+++ b/sqlx-rt/src/lib.rs
@@ -193,4 +193,4 @@ pub use async_native_tls::{TlsConnector, TlsStream};
 feature = "_rt-actix"
 )),
 ))]
-pub use async_rustls::{client::TlsStream, TlsConnector};
+pub use futures_rustls::{client::TlsStream, TlsConnector};

From 9be362015f158894f58dae0940abf6837d90c5a7 Mon Sep 17 00:00:00 2001
From: Paolo Barbolini
Date: Mon, 15 Nov 2021 09:14:51 +0100
Subject: [PATCH 2/6] Rustls 0.20.1 is out
---
 Cargo.lock | 5 +++--
 Cargo.toml | 4 ----
 sqlx-core/Cargo.toml | 2 +-
 3 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 6c9c320014..5f72efd5f3 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2058,8 +2058,9 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.20.0"
-source = "git+https://github.com/rustls/rustls.git#05172d056ea77cd5d67edf5055909168a907f08b"
+version = "0.20.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dac4581f0fc0e0efd529d069e8189ec7b90b8e7680e21beb35141bdc45f36040"
 dependencies = [
  "log",
  "ring",
diff --git a/Cargo.toml b/Cargo.toml
index 328495a55c..aab4f3b613 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -151,10 +151,6 @@ serde = { version = "1.0.111", features = ["derive"] }
 serde_json = "1.0.53"
 url = "2.1.1"
 
-[patch.crates-io]
-# waiting for rustls 0.20.1
-rustls = { git = "https://github.com/rustls/rustls.git" }
-
 #
 # Any
 #
diff --git a/sqlx-core/Cargo.toml b/sqlx-core/Cargo.toml
index c0c100318d..f310dcb656 100644
--- a/sqlx-core/Cargo.toml
+++ b/sqlx-core/Cargo.toml
@@ -144,7 +144,7 @@ parking_lot = "0.11.0"
 rand = { version = "0.8.3", default-features = false, optional = true, features = ["std", "std_rng"] }
 regex = { version = "1.3.9", optional = true }
 rsa = { version = "0.4.0", optional = true }
-rustls = { version = "0.20.0", features = ["dangerous_configuration"], optional = true }
+rustls = { version = "0.20.1", features = ["dangerous_configuration"], optional = true }
 rustls-pemfile = { version = "0.2.0", optional = true }
 serde = { version = "1.0.106", features = ["derive", "rc"], optional = true }
 serde_json = { version = "1.0.51", features = ["raw_value"], optional = true }

From 3ffb57eab3485e1a668f77df988951de4432a9d7 Mon Sep 17 00:00:00 2001
From: Paolo Barbolini
Date: Wed, 29 Dec 2021 09:00:31 +0100
Subject: [PATCH 3/6] Fix merge conflict mistake
---
 sqlx-core/Cargo.toml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/sqlx-core/Cargo.toml b/sqlx-core/Cargo.toml
index 704abc45ba..c7a2949a55 100644
--- a/sqlx-core/Cargo.toml
+++ b/sqlx-core/Cargo.toml
@@ -157,7 +157,6 @@ tokio-stream = { version = "0.1.2", features = ["fs"], optional = true }
 smallvec = "1.4.0"
 url = { version = "2.1.1", default-features = false }
 uuid = { version = "0.8.1", default-features = false, optional = true, features = ["std"] }
-webpki = { version = "0.22.0", optional = true }
 webpki-roots = { version = "0.22.0", optional = true }
 whoami = { version = "1.0.1", optional = true }
 stringprep = "0.1.2"

From bf371819797a93ca67a1318127994fba355ac69e Mon Sep 17 00:00:00 2001
From: Paolo Barbolini
Date: Sat, 5 Feb 2022 18:23:00 +0100
Subject: [PATCH 4/6] Bump rustls-pemfile to 0.3
---
 Cargo.lock | 4 ++--
 sqlx-core/Cargo.toml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 1e163afb01..e07d65ae1d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2090,9 +2090,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-pemfile"
-version = "0.2.1"
+version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9"
+checksum = "1ee86d63972a7c661d1536fefe8c3c8407321c3df668891286de28abcd087360"
 dependencies = [
  "base64",
 ]
diff --git a/sqlx-core/Cargo.toml b/sqlx-core/Cargo.toml
index d0d656db4d..63d4aeb25b 100644
--- a/sqlx-core/Cargo.toml
+++ b/sqlx-core/Cargo.toml
@@ -148,7 +148,7 @@ rand = { version = "0.8.4", default-features = false, optional = true, features
 regex = { version = "1.5.4", optional = true }
 rsa = { version = "0.5.0", optional = true }
 rustls = { version = "0.20.1", features = ["dangerous_configuration"], optional = true }
-rustls-pemfile = { version = "0.2.0", optional = true }
+rustls-pemfile = { version = "0.3.0", optional = true }
 serde = { version = "1.0.132", features = ["derive", "rc"], optional = true }
 serde_json = { version = "1.0.73", features = ["raw_value"], optional = true }
 sha-1 = { version = "0.9.8", default-features = false, optional = true }
From 68ba924fc7b0556cdb513d159436e6a6094d3400 Mon Sep 17 00:00:00 2001
From: Paolo Barbolini
Date: Sat, 2 Apr 2022 09:29:53 +0200
Subject: [PATCH 5/6] Resync Cargo.lock
---
 Cargo.lock | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index fde766f25a..0e6a453962 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -949,9 +949,9 @@ dependencies = [
 
 [[package]]
 name = "futures-rustls"
-version = "0.22.0"
+version = "0.22.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d383f0425d991a05e564c2f3ec150bd6dde863179c131dd60d8aa73a05434461"
+checksum = "e01fe9932a224b72b45336d96040aa86386d674a31d0af27d800ea7bc8ca97fe"
 dependencies = [
  "futures-io",
  "rustls",
@@ -2097,9 +2097,9 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.20.1"
+version = "0.20.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dac4581f0fc0e0efd529d069e8189ec7b90b8e7680e21beb35141bdc45f36040"
+checksum = "4fbfeb8d0ddb84706bc597a5574ab8912817c52a397f819e5b614e2265206921"
 dependencies = [
  "log",
  "ring",
@@ -2936,9 +2936,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-rustls"
-version = "0.23.0"
+version = "0.23.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d49194a46b06a69f2498a34a595ab4a9c1babd2642ffa3dbccf6c6778d1426f2"
+checksum = "4151fda0cf2798550ad0b34bcfc9b9dcc2a9d2471c895c68f3a8818e54f2389e"
 dependencies = [
  "rustls",
  "tokio",
@@ -3193,9 +3193,9 @@ dependencies = [
 
 [[package]]
 name = "webpki-roots"
-version = "0.22.1"
+version = "0.22.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c475786c6f47219345717a043a37ec04cb4bc185e28853adcc4fa0a947eba630"
+checksum = "552ceb903e957524388c4d3475725ff2c8b7960922063af6ce53c9a43da07449"
 dependencies = [
  "webpki",
 ]

From 6643daac354e07aaffe21f4f66e8732686abea62 Mon Sep 17 00:00:00 2001
From: Paolo Barbolini
Date: Thu, 14 Apr 2022 14:46:21 +0200
Subject: [PATCH 6/6] Bump rustls-pemfile to v1
---
 Cargo.lock | 4 ++--
 sqlx-core/Cargo.toml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 7749026ee1..51958b83ec 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2092,9 +2092,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-pemfile"
-version = "0.3.0"
+version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1ee86d63972a7c661d1536fefe8c3c8407321c3df668891286de28abcd087360"
+checksum = "e7522c9de787ff061458fe9a829dc790a3f5b22dc571694fc5883f448b94d9a9"
 dependencies = [
  "base64",
 ]
diff --git a/sqlx-core/Cargo.toml b/sqlx-core/Cargo.toml
index d02b0fcf1a..e19bde8963 100644
--- a/sqlx-core/Cargo.toml
+++ b/sqlx-core/Cargo.toml
@@ -148,7 +148,7 @@ rand = { version = "0.8.4", default-features = false, optional = true, features
 regex = { version = "1.5.5", optional = true }
 rsa = { version = "0.6.0", optional = true }
 rustls = { version = "0.20.1", features = ["dangerous_configuration"], optional = true }
-rustls-pemfile = { version = "0.3.0", optional = true }
+rustls-pemfile = { version = "1.0", optional = true }
 serde = { version = "1.0.132", features = ["derive", "rc"], optional = true }
 serde_json = { version = "1.0.73", features = ["raw_value"], optional = true }
 sha-1 = { version = "0.10.0", default-features = false, optional = true }