From 39f80876cd06e128ad1c79f725c48ce23afa87e9 Mon Sep 17 00:00:00 2001 From: Ning Sun Date: Thu, 14 Dec 2023 13:56:39 +0800 Subject: [PATCH] feat: upgrade rustls library family, opensrv-mysql and pgwire (#2927) * feat: deps up * fmt: toml format --- Cargo.lock | 148 +++++++++++++++++++++------- src/servers/Cargo.toml | 14 +-- src/servers/src/postgres/handler.rs | 6 +- src/servers/src/tls.rs | 17 ++-- src/servers/tests/postgres/mod.rs | 47 +++++++-- 5 files changed, 171 insertions(+), 61 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c0bbae37fd..ffb2589a0d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -247,6 +247,12 @@ version = "1.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bddcadddf5e9015d310179a59bb28c4d4b9920ad0f11e8e14dbadf654890c9a6" +[[package]] +name = "array-init" +version = "2.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3d62b7694a562cdf5a74227903507c56ab2cc8bdd1f781ed5cb4cf9c9f810bfc" + [[package]] name = "arrayref" version = "0.3.7" @@ -1449,7 +1455,7 @@ dependencies = [ "datafusion", "datanode", "datatypes", - "derive-new", + "derive-new 0.5.9", "derive_builder 0.12.0", "enum_dispatch", "futures-util", @@ -2731,6 +2737,17 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "derive-new" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d150dea618e920167e5973d70ae6ece4385b7164e0d799fe7c122dd0a5d912ad" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.39", +] + [[package]] name = "derive_builder" version = "0.11.2" @@ -5012,7 +5029,7 @@ dependencies = [ "pin-project", "rand", "rustls 0.21.9", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "serde", "serde_json", "socket2 0.5.5", 
@@ -5440,9 +5457,9 @@ dependencies = [ [[package]] name = "opensrv-mysql" -version = "0.5.0" +version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "208bfa36c4b4a8d6ac90eda62e34efa66f7e692df91bd3626bc47329844a86b1" +checksum = "a6b6a785aafb26a97c26078b9457e96cb238b386781583783a3a3d3de47fa841" dependencies = [ "async-trait", "byteorder", @@ -5451,7 +5468,7 @@ dependencies = [ "nom", "pin-project-lite", "tokio", - "tokio-rustls 0.24.1", + "tokio-rustls 0.25.0", ] [[package]] @@ -5902,16 +5919,6 @@ dependencies = [ "base64 0.13.1", ] -[[package]] -name = "pem" -version = "2.0.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6b13fe415cdf3c8e44518e18a7c95a13431d9bdf6d15367d82b23c377fdd441a" -dependencies = [ - "base64 0.21.5", - "serde", -] - [[package]] name = "pem" version = "3.0.2" @@ -6003,15 +6010,15 @@ dependencies = [ [[package]] name = "pgwire" -version = "0.16.1" +version = "0.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "06d04982366efd653d4365175426acbabd55efb07231869e92b9e1f5b3faf7df" +checksum = "7f7f181d085a224ff2b2ea46bd2066b487b87e83dabbcdfe60bf3f027f5d0593" dependencies = [ "async-trait", "base64 0.21.5", "bytes", "chrono", - "derive-new", + "derive-new 0.6.0", "futures", "getset", "hex", @@ -6019,12 +6026,12 @@ dependencies = [ "md5", "postgres-types", "rand", - "ring 0.16.20", + "ring 0.17.5", "stringprep", "thiserror", "time", "tokio", - "tokio-rustls 0.24.1", + "tokio-rustls 0.25.0", "tokio-util", "x509-certificate", ] @@ -6239,6 +6246,7 @@ version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8d2234cdee9408b523530a9b6d2d6b373d1db34f6a8e51dc03ded1828d7fb67c" dependencies = [ + "array-init", "bytes", "chrono", "fallible-iterator", 
@@ -7158,7 +7166,7 @@ dependencies = [ "pin-project-lite", "rustls 0.21.9", "rustls-native-certs", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "serde", "serde_json", "serde_urlencoded", @@ -7530,10 +7538,24 @@ checksum = "629648aced5775d558af50b2b4c7b02983a04b312126d45eeead26e7caa498b9" dependencies = [ "log", "ring 0.17.5", - "rustls-webpki", + "rustls-webpki 0.101.7", "sct", ] +[[package]] +name = "rustls" +version = "0.22.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fe6b63262c9fcac8659abfaa96cac103d28166d3ff3eaf8f412e19f3ae9e5a48" +dependencies = [ + "log", + "ring 0.17.5", + "rustls-pki-types", + "rustls-webpki 0.102.0", + "subtle", + "zeroize", +] + [[package]] name = "rustls-native-certs" version = "0.6.3" @@ -7541,7 +7563,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" dependencies = [ "openssl-probe", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "schannel", "security-framework", ] @@ -7555,6 +7577,22 @@ dependencies = [ "base64 0.21.5", ] +[[package]] +name = "rustls-pemfile" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "35e4980fa29e4c4b212ffb3db068a564cbf560e51d3944b7c88bd8bf5bec64f4" +dependencies = [ + "base64 0.21.5", + "rustls-pki-types", +] + +[[package]] +name = "rustls-pki-types" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e7673e0aa20ee4937c6aacfc12bb8341cfbf054cdd21df6bec5fd0629fe9339b" + [[package]] name = "rustls-webpki" version = "0.101.7" 
@@ -7565,6 +7603,17 @@ dependencies = [ "untrusted 0.9.0", ] +[[package]] +name = "rustls-webpki" +version = "0.102.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "de2635c8bc2b88d367767c5de8ea1d8db9af3f6219eba28442242d9ab81d1b89" +dependencies = [ + "ring 0.17.5", + "rustls-pki-types", + "untrusted 0.9.0", +] + [[package]] name = "rustpython-ast" version = "0.2.0" @@ -8349,8 +8398,9 @@ dependencies = [ "rand", "regex", "rust-embed", - "rustls 0.21.9", - "rustls-pemfile", + "rustls 0.22.1", + "rustls-pemfile 2.0.0", + "rustls-pki-types", "schemars", "script", "secrecy", @@ -8367,7 +8417,7 @@ dependencies = [ "tokio", "tokio-postgres", "tokio-postgres-rustls", - "tokio-rustls 0.24.1", + "tokio-rustls 0.25.0", "tokio-stream", "tokio-test", "tonic 0.10.2", @@ -8804,7 +8854,7 @@ dependencies = [ "rand", "rsa 0.6.1", "rustls 0.20.9", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "serde", "serde_json", "sha1", @@ -9606,15 +9656,15 @@ dependencies = [ [[package]] name = "tokio-postgres-rustls" version = "0.10.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dd5831152cb0d3f79ef5523b357319ba154795d64c7078b2daa95a803b54057f" +source = "git+https://github.com/ol-teuto/tokio-postgres-rustls.git?branch=rustls-update#d78fad4c4ece18ec51b9d139101285f8ad3b8024" dependencies = [ "futures", "ring 0.16.20", - "rustls 0.21.9", + "rustls 0.22.1", + "rustls-pki-types", "tokio", "tokio-postgres", - "tokio-rustls 0.24.1", + "tokio-rustls 0.25.0", ] [[package]] @@ -9638,6 +9688,17 @@ dependencies = [ "tokio", ] +[[package]] +name = "tokio-rustls" +version = "0.25.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f" +dependencies = [ + "rustls 0.22.1", + "rustls-pki-types", + "tokio", +] + [[package]] name = "tokio-stream" version = "0.1.14" 
@@ -9779,7 +9840,7 @@ dependencies = [ "pin-project", "prost 0.12.2", "rustls 0.21.9", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "tokio", "tokio-rustls 0.24.1", "tokio-stream", @@ -10894,20 +10955,21 @@ dependencies = [ [[package]] name = "x509-certificate" -version = "0.21.0" +version = "0.23.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e5d27c90840e84503cf44364de338794d5d5680bdd1da6272d13f80b0769ee0" +checksum = "66534846dec7a11d7c50a74b7cdb208b9a581cad890b7866430d438455847c85" dependencies = [ "bcder", "bytes", "chrono", "der 0.7.8", "hex", - "pem 2.0.1", - "ring 0.16.20", + "pem 3.0.2", + "ring 0.17.5", "signature", "spki 0.7.2", "thiserror", + "zeroize", ] [[package]] @@ -10959,6 +11021,20 @@ name = "zeroize" version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d" +dependencies = [ + "zeroize_derive", +] + +[[package]] +name = "zeroize_derive" +version = "1.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.39", +] [[package]] name = "zigzag" diff --git a/src/servers/Cargo.toml b/src/servers/Cargo.toml index 1a8f8d5e39..893f07f6c6 100644 --- a/src/servers/Cargo.toml +++ b/src/servers/Cargo.toml @@ -54,10 +54,10 @@ lazy_static.workspace = true mime_guess = "2.0" once_cell.workspace = true openmetrics-parser = "0.4" -opensrv-mysql = "0.5" +opensrv-mysql = "0.6" opentelemetry-proto.workspace = true parking_lot = "0.12" -pgwire = "0.16" +pgwire = "0.17" pin-project = "1.0" postgres-types = { version = "0.2", features = ["with-chrono-0_4"] } pprof = { version = "0.13", features = [ 
@@ -72,8 +72,9 @@ query.workspace = true
 rand.workspace = true
 regex.workspace = true
 rust-embed = { version = "6.6", features = ["debug-embed"] }
-rustls = "0.21"
-rustls-pemfile = "1.0"
+rustls = "0.22"
+rustls-pemfile = "2.0"
+rustls-pki-types = "1.0"
 schemars = "0.8"
 secrecy = { version = "0.8", features = ["serde", "alloc"] }
 serde.workspace = true
@@ -85,7 +86,7 @@ snap = "1"
 sql.workspace = true
 strum.workspace = true
 table.workspace = true
-tokio-rustls = "0.24"
+tokio-rustls = "0.25"
 tokio-stream = { workspace = true, features = ["net"] }
 tokio.workspace = true
 tonic-reflection = "0.10"
@@ -108,13 +109,12 @@ mysql_async = { version = "0.33", default-features = false, features = [
     "default-rustls",
 ] }
 rand.workspace = true
-rustls = { version = "0.21", features = ["dangerous_configuration"] }
 script = { workspace = true, features = ["python"] }
 serde_json = "1.0"
 session = { workspace = true, features = ["testing"] }
 table.workspace = true
 tokio-postgres = "0.7"
-tokio-postgres-rustls = "0.10"
+tokio-postgres-rustls = { git = "https://github.com/ol-teuto/tokio-postgres-rustls.git", branch = "rustls-update" }
 tokio-test = "0.4"
 
 [build-dependencies]
diff --git a/src/servers/src/postgres/handler.rs b/src/servers/src/postgres/handler.rs
index e3ff0c6796..edb4b2f593 100644
--- a/src/servers/src/postgres/handler.rs
+++ b/src/servers/src/postgres/handler.rs
@@ -41,7 +41,11 @@ use crate::SqlPlan;
 
 #[async_trait]
 impl SimpleQueryHandler for PostgresServerHandler {
-    async fn do_query<'a, C>(&self, _client: &C, query: &'a str) -> PgWireResult>>
+    async fn do_query<'a, C>(
+        &self,
+        _client: &mut C,
+        query: &'a str,
+    ) -> PgWireResult>>
     where
         C: ClientInfo + Unpin + Send + Sync,
     {
diff --git a/src/servers/src/tls.rs b/src/servers/src/tls.rs
index 9a58273969..deb695bb45 100644
--- a/src/servers/src/tls.rs
+++ b/src/servers/src/tls.rs
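Review bot: The new dev-dependency line `tokio-postgres-rustls = { git = "https://github.com/ol-teuto/tokio-postgres-rustls.git", branch = "rustls-update" }` in the `@@ -108` hunk tracks a third-party fork by branch name, so the source is not pinned in Cargo.toml: Cargo.lock records commit `d78fad4c4ece18ec51b9d139101285f8ad3b8024` today, but a `cargo update` will take whatever that branch holds at the time. Pinning the revision instead, `tokio-postgres-rustls = { git = "https://github.com/ol-teuto/tokio-postgres-rustls.git", rev = "d78fad4c4ece18ec51b9d139101285f8ad3b8024" }`, keeps the test build reproducible and makes any later move of the fork an explicit, reviewable change; a one-line comment naming the upstream release that should replace the fork would record why the exception exists. The lockfile also shows the fork still pulling `ring 0.16.20` alongside rustls 0.22's `ring 0.17.5`, so two ring versions are now compiled, presumably until the fork or upstream catches up.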
@@ -15,8 +15,9 @@ use std::fs::File;
 use std::io::{BufReader, Error, ErrorKind};
 
-use rustls::{Certificate, PrivateKey, ServerConfig};
+use rustls::ServerConfig;
 use rustls_pemfile::{certs, pkcs8_private_keys, rsa_private_keys};
+use rustls_pki_types::{CertificateDer, PrivateKeyDer};
 use serde::{Deserialize, Serialize};
 use strum::EnumString;
 
@@ -77,19 +78,20 @@ impl TlsOption {
             return Ok(None);
         }
 
         let cert = certs(&mut BufReader::new(File::open(&self.cert_path)?))
-            .map_err(|_| Error::new(ErrorKind::InvalidInput, "invalid cert"))
-            .map(|mut certs| certs.drain(..).map(Certificate).collect())?;
+            .collect::, Error>>()?;
         let key = {
             let mut pkcs8 = pkcs8_private_keys(&mut BufReader::new(File::open(&self.key_path)?))
-                .map_err(|_| Error::new(ErrorKind::InvalidInput, "invalid key"))?;
+                .map(|key| key.map(PrivateKeyDer::from))
+                .collect::, Error>>()?;
             if !pkcs8.is_empty() {
-                PrivateKey(pkcs8.remove(0))
+                pkcs8.remove(0)
             } else {
                 let mut rsa = rsa_private_keys(&mut BufReader::new(File::open(&self.key_path)?))
-                    .map_err(|_| Error::new(ErrorKind::InvalidInput, "invalid key"))?;
+                    .map(|key| key.map(PrivateKeyDer::from))
+                    .collect::, Error>>()?;
                 if !rsa.is_empty() {
-                    PrivateKey(rsa.remove(0))
+                    rsa.remove(0)
                 } else {
                     return Err(Error::new(ErrorKind::InvalidInput, "invalid key"));
                 }
@@ -98,7 +100,6 @@ impl TlsOption {
 
         // TODO(SSebo): with_client_cert_verifier if TlsMode is Required.
         let config = ServerConfig::builder()
-            .with_safe_defaults()
             .with_no_client_auth()
             .with_single_cert(cert, key)
             .map_err(|err| std::io::Error::new(ErrorKind::InvalidInput, err))?;
diff --git a/src/servers/tests/postgres/mod.rs b/src/servers/tests/postgres/mod.rs
index e80d7b7e38..dc3ae93a6e 100644
--- a/src/servers/tests/postgres/mod.rs
+++ b/src/servers/tests/postgres/mod.rs
@@ -14,7 +14,7 @@ use std::net::SocketAddr;
 use std::sync::Arc;
-use std::time::{Duration, SystemTime};
+use std::time::Duration;
 
 use auth::tests::{DatabaseAuthInfo, MockUserProvider};
 use auth::UserProviderRef;
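Review bot: In the `@@ -77` hunk of tls.rs the key loading now collects every PKCS#8 key in the file into a `Vec` (and every RSA key on the fallback path) only to `remove(0)` the first one; since rustls-pemfile 2.0 hands back an iterator of `Result`s here, taking the first item directly is shorter and avoids keeping surplus private-key material around, e.g. `let pkcs8 = pkcs8_private_keys(&mut BufReader::new(File::open(&self.key_path)?)).next().transpose()?.map(PrivateKeyDer::from);` followed by `if let Some(key) = pkcs8 { key } else { ... }` in place of the `is_empty`/`remove(0)` pair. rustls-pemfile 2.0 also exposes `rustls_pemfile::private_key`, which returns the first key of any supported PEM label in one pass and would replace the two-stage fallback, which still rejects SEC1/EC keys with "invalid key" (a pre-existing gap this upgrade does not close). Parse failures from the new `collect` calls are propagated verbatim instead of being mapped to "invalid cert"/"invalid key"; that is reasonable, but worth a short comment since callers previously saw a fixed message. The enclosing `TlsOption` method starts and ends outside the hunk.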
@@ -23,8 +23,9 @@ use common_runtime::Builder as RuntimeBuilder;
 use pgwire::api::Type;
 use rand::rngs::StdRng;
 use rand::Rng;
-use rustls::client::{ServerCertVerified, ServerCertVerifier};
-use rustls::{Certificate, Error, ServerName};
+use rustls::client::danger::{ServerCertVerified, ServerCertVerifier};
+use rustls::{Error, SignatureScheme};
+use rustls_pki_types::{CertificateDer, ServerName};
 use servers::error::Result;
 use servers::postgres::PostgresServer;
 use servers::server::Server;
@@ -386,7 +387,6 @@ async fn create_secure_connection(
     };
 
     let mut config = rustls::ClientConfig::builder()
-        .with_safe_defaults()
         .with_root_certificates(rustls::RootCertStore::empty())
         .with_no_client_auth();
     config
@@ -455,16 +455,45 @@ fn unwrap_results(resp: &[SimpleQueryMessage]) -> Vec<&str> {
     resp.iter().filter_map(|m| resolve_result(m, 0)).collect()
 }
 
+#[derive(Debug)]
 struct AcceptAllVerifier {}
 impl ServerCertVerifier for AcceptAllVerifier {
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> std::result::Result {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> std::result::Result {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn supported_verify_schemes(&self) -> Vec {
+        vec![
+            SignatureScheme::ECDSA_NISTP384_SHA384,
+            SignatureScheme::ECDSA_NISTP256_SHA256,
+            SignatureScheme::RSA_PSS_SHA512,
+            SignatureScheme::RSA_PSS_SHA384,
+            SignatureScheme::RSA_PSS_SHA256,
+            SignatureScheme::ED25519,
+        ]
+    }
+
     fn verify_server_cert(
         &self,
-        _end_entity: &Certificate,
-        _intermediates: &[Certificate],
-        _server_name: &ServerName,
-        _scts: &mut dyn Iterator,
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _server_name: &ServerName<'_>,
         _ocsp_response: &[u8],
-        _now: SystemTime,
+        _now: rustls_pki_types::UnixTime,
     ) -> std::result::Result {
         Ok(ServerCertVerified::assertion())
     }
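Review bot: `AcceptAllVerifier` now also answers `verify_tls12_signature` and `verify_tls13_signature` with an unconditional `HandshakeSignatureValid::assertion()`, so the test client checks neither the server certificate nor the handshake signature, and nothing at the definition says so. A doc comment on the struct would make that explicit for the next reader: `/// Test-only verifier: accepts any server certificate and any handshake signature without checking them. It exists so the integration tests can talk to the self-signed test certificate and must not be reused outside this test crate.` Since the signature checks are skipped, the `supported_verify_schemes` list only determines which schemes the client advertises; a one-line comment stating that would save a reader from looking for a verification path that does not exist. The `impl ServerCertVerifier` block closes outside the hunk.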