Merge pull request 'Update rustls for tokio-postgres' (#58) from asonix/update-tokio-postgres-rustls into main

Reviewed-on: https://git.asonix.dog/asonix/pict-rs/pulls/58
2024-11-20 11:21:14 +00:00 · 2024-05-19 15:35:47 +00:00 · 2024-05-19 15:35:47 +00:00 · a7c78cd54e
commit a7c78cd54e
parent e48f60a6c6 d7dc2e506d
5 changed files with 93 additions and 139 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -253,21 +253,6 @@ dependencies = [
 "memchr",
 ]

-[[package]]
-name = "android-tzdata"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0"
-
-[[package]]
-name = "android_system_properties"
-version = "0.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
-dependencies = [
- "libc",
-]
-
 [[package]]
 name = "anstream"
 version = "0.6.13"
@ -376,6 +361,7 @@ dependencies = [
 "aws-lc-sys",
 "mirai-annotations",
 "paste",
+ "untrusted 0.7.1",
 "zeroize",
 ]

@ -491,16 +477,6 @@ dependencies = [
 "tokio",
 ]

-[[package]]
-name = "bcder"
-version = "0.7.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c627747a6774aab38beb35990d88309481378558875a41da1a4b2e373c906ef0"
-dependencies = [
- "bytes",
- "smallvec",
-]
-
 [[package]]
 name = "bindgen"
 version = "0.69.4"
@ -607,18 +583,6 @@ version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"

-[[package]]
-name = "chrono"
-version = "0.4.38"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a21f936df1771bf62b77f047b726c4625ff2e8aa607c01ec06e5a05bd8463401"
-dependencies = [
- "android-tzdata",
- "iana-time-zone",
- "num-traits",
- "windows-targets 0.52.5",
-]
-
 [[package]]
 name = "clang-sys"
 version = "1.7.0"
@ -777,12 +741,6 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6245d59a3e82a7fc217c5828a6692dbc6dfb63a0c8c90495621f7b9d79704a0e"

-[[package]]
-name = "core-foundation-sys"
-version = "0.8.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "06ea2b9bc92be3c2baa9334a323ebca2d6f074ff852cd1d7b11064035cd3868f"
-
 [[package]]
 name = "cpufeatures"
 version = "0.2.12"
@ -855,9 +813,23 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f55bf8e7b65898637379c1b74eb1551107c8294ed26d855ceb9fd1a09cfc9bc0"
 dependencies = [
 "const-oid",
+ "der_derive",
+ "flagset",
+ "pem-rfc7468",
 "zeroize",
 ]

+[[package]]
+name = "der_derive"
+version = "0.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5fe87ce4529967e0ba1dcf8450bab64d97dfd5010a6256187ffe2e43e6f0e049"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.60",
+]
+
 [[package]]
 name = "deranged"
 version = "0.3.11"
@ -1014,6 +986,12 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8fcfdc7a0362c9f4444381a9e697c79d435fe65b52a37466fc2c1184cee9edc6"

+[[package]]
+name = "flagset"
+version = "0.4.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cdeb3aa5e95cf9aabc17f060cfa0ced7b83f042390760ca53bf09df9968acaa1"
+
 [[package]]
 name = "flate2"
 version = "1.0.30"
@ -1055,20 +1033,6 @@ version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"

-[[package]]
-name = "futures"
-version = "0.3.30"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "645c6916888f6cb6350d2550b80fb63e734897a8498abe35cfb732b6487804b0"
-dependencies = [
- "futures-channel",
- "futures-core",
- "futures-io",
- "futures-sink",
- "futures-task",
- "futures-util",
-]
-
 [[package]]
 name = "futures-channel"
 version = "0.3.30"
@ -1463,29 +1427,6 @@ dependencies = [
 "tracing",
 ]

-[[package]]
-name = "iana-time-zone"
-version = "0.1.60"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e7ffbb5a1b541ea2561f8c41c087286cc091e21e556a4f09a8f6cbf17b69b141"
-dependencies = [
- "android_system_properties",
- "core-foundation-sys",
- "iana-time-zone-haiku",
- "js-sys",
- "wasm-bindgen",
- "windows-core",
-]
-
-[[package]]
-name = "iana-time-zone-haiku"
-version = "0.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
-dependencies = [
- "cc",
-]
-
 [[package]]
 name = "idna"
 version = "0.5.0"
@ -2014,13 +1955,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8835116a5c179084a830efb3adc117ab007512b535bc1a21c991d3b32a6b44dd"

 [[package]]
-name = "pem"
-version = "3.0.4"
+name = "pem-rfc7468"
+version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e459365e590736a54c3fa561947c84837534b8e9af6fc5bf781307e82658fae"
+checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412"
 dependencies = [
- "base64 0.22.1",
- "serde",
+ "base64ct",
 ]

 [[package]]
@ -2081,7 +2021,6 @@ dependencies = [
 "reqwest",
 "reqwest-middleware",
 "reqwest-tracing",
- "rustls 0.22.4",
 "rustls 0.23.7",
 "rustls-channel-resolver",
 "rustls-pemfile",
@ -2098,7 +2037,7 @@ dependencies = [
 "time",
 "tokio",
 "tokio-postgres",
- "tokio-postgres-rustls",
+ "tokio-postgres-generic-rustls",
 "tokio-uring",
 "tokio-util",
 "toml",
@ -2542,7 +2481,7 @@ dependencies = [
 "getrandom",
 "libc",
 "spin",
- "untrusted",
+ "untrusted 0.9.0",
 "windows-sys 0.52.0",
 ]

@ -2665,7 +2604,7 @@ dependencies = [
 "aws-lc-rs",
 "ring",
 "rustls-pki-types",
- "untrusted",
+ "untrusted 0.9.0",
 ]

 [[package]]
@ -2852,15 +2791,6 @@ dependencies = [
 "libc",
 ]

-[[package]]
-name = "signature"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
-dependencies = [
- "rand_core",
-]
-
 [[package]]
 name = "siphasher"
 version = "0.3.11"
@ -3084,6 +3014,27 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"

+[[package]]
+name = "tls_codec"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5e78c9c330f8c85b2bae7c8368f2739157db9991235123aa1b15ef9502bfb6a"
+dependencies = [
+ "tls_codec_derive",
+ "zeroize",
+]
+
+[[package]]
+name = "tls_codec_derive"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8d9ef545650e79f30233c0003bcc2504d7efac6dad25fca40744de773fe2049c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.60",
+]
+
 [[package]]
 name = "tokio"
 version = "1.37.0"
@ -3152,18 +3103,17 @@ dependencies = [
 ]

 [[package]]
-name = "tokio-postgres-rustls"
-version = "0.11.1"
+name = "tokio-postgres-generic-rustls"
+version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0ea13f22eda7127c827983bdaf0d7fff9df21c8817bab02815ac277a21143677"
+checksum = "c8e98c31c29b2666fb28720739e11476166be4ead1610a37dcd7414bb124413a"
 dependencies = [
- "futures",
- "ring",
- "rustls 0.22.4",
+ "aws-lc-rs",
+ "rustls 0.23.7",
 "tokio",
 "tokio-postgres",
- "tokio-rustls 0.25.0",
- "x509-certificate",
+ "tokio-rustls 0.26.0",
+ "x509-cert",
 ]

 [[package]]
@ -3499,6 +3449,12 @@ dependencies = [
 "tinyvec",
 ]

+[[package]]
+name = "untrusted"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+
 [[package]]
 name = "untrusted"
 version = "0.9.0"
@ -3745,15 +3701,6 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"

-[[package]]
-name = "windows-core"
-version = "0.52.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9"
-dependencies = [
- "windows-targets 0.52.5",
-]
-
 [[package]]
 name = "windows-sys"
 version = "0.48.0"
@ -3913,22 +3860,15 @@ dependencies = [
 ]

 [[package]]
-name = "x509-certificate"
-version = "0.23.1"
+name = "x509-cert"
+version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "66534846dec7a11d7c50a74b7cdb208b9a581cad890b7866430d438455847c85"
+checksum = "1301e935010a701ae5f8655edc0ad17c44bad3ac5ce8c39185f75453b720ae94"
 dependencies = [
- "bcder",
- "bytes",
- "chrono",
+ "const-oid",
 "der",
- "hex",
- "pem",
- "ring",
- "signature",
 "spki",
- "thiserror",
- "zeroize",
+ "tls_codec",
 ]

 [[package]]
--- a/Cargo.toml
+++ b/Cargo.toml
@ -49,8 +49,7 @@ refinery = { version = "0.8.10", features = ["tokio-postgres", "postgres"] }
 reqwest = { version = "0.12.0", default-features = false, features = ["json", "rustls-tls", "stream"] }
 reqwest-middleware = "0.3.0"
 reqwest-tracing = "0.5.0"
-# pinned to tokio-postgres-rustls
-rustls022 = { package = "rustls", version = "0.22.0" }
+# pinned to tokio-postgres-generic-rustls
 # pinned to actix-web
 rustls = "0.23"
 # pinned to rustls
@ -70,7 +69,7 @@ thiserror = "1.0"
 time = { version = "0.3.0", features = ["serde", "serde-well-known"] }
 tokio = { version = "1", features = ["full", "tracing"] }
 tokio-postgres = { version = "0.7.10", features = ["with-uuid-1", "with-time-0_3", "with-serde_json-1"] }
-tokio-postgres-rustls = "0.11.0"
+tokio-postgres-generic-rustls = { version = "0.1.0", default-features = false, features = ["aws-lc-rs"] }
 tokio-uring = { version = "0.4", optional = true, features = ["bytes"] }
 tokio-util = { version = "0.7", default-features = false, features = [
  "codec",
--- a/src/lib.rs
+++ b/src/lib.rs
@ -1938,6 +1938,19 @@ impl PictRsConfiguration {
        Ok(self)
    }

+    /// Install aws-lc-rs as the default crypto provider
+    ///
+    /// This would happen automatically anyway unless rustls crate features get mixed up
+    pub fn install_crypto_provider(self) -> Self {
+        if rustls::crypto::aws_lc_rs::default_provider()
+            .install_default()
+            .is_err()
+        {
+            tracing::info!("rustls crypto provider already installed");
+        }
+        self
+    }
+
    /// Run the pict-rs application on a tokio `LocalSet`
    ///
    /// This must be called from within `tokio::main` directly
--- a/src/main.rs
+++ b/src/main.rs
@ -4,6 +4,7 @@ fn main() -> color_eyre::Result<()> {
        pict_rs::PictRsConfiguration::build_default()?
            .install_tracing()?
            .install_metrics()?
+            .install_crypto_provider()
            .run()
            .await
    })
@ -18,6 +19,7 @@ fn main() -> color_eyre::Result<()> {
            pict_rs::PictRsConfiguration::build_default()?
                .install_tracing()?
                .install_metrics()?
+                .install_crypto_provider()
                .run_on_localset()
                .await
        })
--- a/src/repo/postgres.rs
+++ b/src/repo/postgres.rs
@ -26,7 +26,7 @@ use diesel_async::{
 use futures_core::Stream;
 use tokio::sync::Notify;
 use tokio_postgres::{AsyncMessage, Connection, NoTls, Notification, Socket};
-use tokio_postgres_rustls::MakeRustlsConnect;
+use tokio_postgres_generic_rustls::{AwsLcRsDigest, MakeRustlsConnect};
 use tracing::Instrument;
 use url::Url;
 use uuid::Uuid;
@ -142,7 +142,7 @@ pub(crate) enum TlsError {
    Invalid,

    #[error("Couldn't add certificate to root store")]
-    Add(#[source] rustls022::Error),
+    Add(#[source] rustls::Error),
 }

 impl PostgresError {
@ -173,8 +173,8 @@ impl PostgresError {

 async fn build_tls_connector(
    certificate_file: Option<PathBuf>,
-) -> Result<MakeRustlsConnect, TlsError> {
-    let mut cert_store = rustls022::RootCertStore {
+) -> Result<MakeRustlsConnect<AwsLcRsDigest>, TlsError> {
+    let mut cert_store = rustls::RootCertStore {
        roots: Vec::from(webpki_roots::TLS_SERVER_ROOTS),
    };

@ -195,18 +195,18 @@ async fn build_tls_connector(
        cert_store.add(cert).map_err(TlsError::Add)?;
    }

-    let config = rustls022::ClientConfig::builder()
+    let config = rustls::ClientConfig::builder()
        .with_root_certificates(cert_store)
        .with_no_client_auth();

-    let tls = MakeRustlsConnect::new(config);
+    let tls = MakeRustlsConnect::new(config, AwsLcRsDigest);

    Ok(tls)
 }

 async fn connect_for_migrations(
    postgres_url: &Url,
-    tls_connector: Option<MakeRustlsConnect>,
+    tls_connector: Option<MakeRustlsConnect<AwsLcRsDigest>>,
 ) -> Result<
    (
        tokio_postgres::Client,
@ -266,7 +266,7 @@ where
 async fn build_pool(
    postgres_url: &Url,
    tx: tokio::sync::mpsc::Sender<Notification>,
-    connector: Option<MakeRustlsConnect>,
+    connector: Option<MakeRustlsConnect<AwsLcRsDigest>>,
    max_size: u32,
 ) -> Result<Pool<AsyncPgConnection>, ConnectPostgresError> {
    let mut config = ManagerConfig::default();
@ -667,7 +667,7 @@ async fn delegate_notifications(

 fn build_handler(
    sender: tokio::sync::mpsc::Sender<Notification>,
-    connector: Option<MakeRustlsConnect>,
+    connector: Option<MakeRustlsConnect<AwsLcRsDigest>>,
 ) -> ConfigFn {
    Box::new(
        move |config: &str| -> BoxFuture<'_, ConnectionResult<AsyncPgConnection>> {