Add rustls support

Author: jplatte

Cargo.lock

@@ -63,6 +63,10 @@ runtime-actix-native-tls = [ "sqlx-core/runtime-actix-native-tls", "sqlx-macros/
 runtime-async-std-native-tls = [ "sqlx-core/runtime-async-std-native-tls", "sqlx-macros/runtime-async-std-native-tls", "_rt-async-std" ]
 runtime-tokio-native-tls = [ "sqlx-core/runtime-tokio-native-tls", "sqlx-macros/runtime-tokio-native-tls", "_rt-tokio" ]
 
+runtime-actix-rustls = [ "sqlx-core/runtime-actix-rustls", "sqlx-macros/runtime-actix-rustls", "_rt-actix" ]
+runtime-async-std-rustls = [ "sqlx-core/runtime-async-std-rustls", "sqlx-macros/runtime-async-std-rustls", "_rt-async-std" ]
+runtime-tokio-rustls = [ "sqlx-core/runtime-tokio-rustls", "sqlx-macros/runtime-tokio-rustls", "_rt-tokio" ]
+
 # for conditional compilation
 _rt-actix = []
 _rt-async-std = []

Cargo.toml

@@ -66,7 +66,7 @@ SQLx is an async, pure Rust<sub>†</sub> SQL crate featuring compile-time check
 
  * **Pure Rust**. The Postgres and MySQL/MariaDB drivers are written in pure Rust using **zero** unsafe<sub>††</sub> code.
 
- * **Runtime Agnostic**. Works on different runtimes ([async-std](https://crates.io/crates/async-std) / [tokio](https://crates.io/crates/tokio) / [actix](https://crates.io/crates/actix-rt)).
+ * **Runtime Agnostic**. Works on different runtimes ([async-std](https://crates.io/crates/async-std) / [tokio](https://crates.io/crates/tokio) / [actix](https://crates.io/crates/actix-rt)) and TLS backends ([native-tls](https://crates.io/crates/native-tls), [rustls](https://crates.io/crates/rustls)).
 
 <sub><sup>† The SQLite driver uses the libsqlite3 C library as SQLite is an embedded database (the only way
 we could be pure Rust for SQLite is by porting _all_ of SQLite to Rust).</sup></sub>
@@ -109,12 +109,14 @@ SQLx is compatible with the [`async-std`], [`tokio`] and [`actix`] runtimes.
 [`tokio`]: https://github.com/tokio-rs/tokio
 [`actix`]: https://github.com/actix/actix-net
 
-By default, you get `async-std`. If you want a different runtime or TLS backend, just disable the default features and activate the corresponding feature, for example for tokio:
+You can also select between [`native-tls`] and [`rustls`] for the TLS backend.
+
+By default, you get `async-std` + `native-tls`. If you want a different runtime or TLS backend, just disable the default features and activate the corresponding feature, for example for tokio + rustls:
 
 ```toml
 # Cargo.toml
 [dependencies]
-sqlx = { version = "0.4.0-beta.1", default-features = false, features = [ "runtime-tokio-native-tls", "macros" ] }
+sqlx = { version = "0.4.0-beta.1", default-features = false, features = [ "runtime-tokio-rustls", "macros" ] }
 ```
 
 <sub><sup>The runtime and TLS backend not being separate feature sets to select is a workaround for a [Cargo issue](https://github.com/rust-lang/cargo/issues/3494).</sup></sub>
@@ -123,10 +125,16 @@ sqlx = { version = "0.4.0-beta.1", default-features = false, features = [ "runti
 
  * `runtime-async-std-native-tls` (on by default): Use the `async-std` runtime and `native-tls` TLS backend.
 
+ * `runtime-async-std-rustls`: Use the `async-std` runtime and `rustls` TLS backend.
+
  * `runtime-tokio-native-tls`: Use the `tokio` runtime and `native-tls` TLS backend.
 
+ * `runtime-tokio-rustls`: Use the `tokio` runtime and `rustls` TLS backend.
+
  * `runtime-actix-native-tls`: Use the `actix` runtime and `native-tls` TLS backend.
 
+ * `runtime-actix-rustls`: Use the `actix` runtime and `rustls` TLS backend.
+
  * `postgres`: Add support for the Postgres database server.
 
  * `mysql`: Add support for the MySQL (and MariaDB) database server.

README.md

@@ -10,6 +10,10 @@ runtime-actix-native-tls = [ "sqlx/runtime-actix-native-tls", "sqlx-rt/runtime-a
 runtime-async-std-native-tls = [ "sqlx/runtime-async-std-native-tls", "sqlx-rt/runtime-async-std-native-tls" ]
 runtime-tokio-native-tls = [ "sqlx/runtime-tokio-native-tls", "sqlx-rt/runtime-tokio-native-tls" ]
 
+runtime-actix-rustls = [ "sqlx/runtime-actix-rustls", "sqlx-rt/runtime-actix-rustls" ]
+runtime-async-std-rustls = [ "sqlx/runtime-async-std-rustls", "sqlx-rt/runtime-async-std-rustls" ]
+runtime-tokio-rustls = [ "sqlx/runtime-tokio-rustls", "sqlx-rt/runtime-tokio-rustls" ]
+
 postgres = ["sqlx/postgres"]
 
 [dependencies]

sqlx-bench/Cargo.toml

@@ -24,7 +24,7 @@ You must choose a runtime to execute the benchmarks on; the feature flags are th
 
 ```bash
 cargo bench --features runtime-tokio-native-tls
-cargo bench --features runtime-async-std-native-tls
+cargo bench --features runtime-async-std-rustls
 ```
 
 When complete, the benchmark results will be in `target/criterion/`. 

sqlx-bench/README.md

@@ -38,11 +38,16 @@ runtime-actix-native-tls = [ "sqlx-rt/runtime-actix-native-tls", "_tls-native-tl
 runtime-async-std-native-tls = [ "sqlx-rt/runtime-async-std-native-tls", "_tls-native-tls", "_rt-async-std" ]
 runtime-tokio-native-tls = [ "sqlx-rt/runtime-tokio-native-tls", "_tls-native-tls", "_rt-tokio" ]
 
+runtime-actix-rustls = [ "sqlx-rt/runtime-actix-rustls", "_tls-rustls", "_rt-actix" ]
+runtime-async-std-rustls = [ "sqlx-rt/runtime-async-std-rustls", "_tls-rustls", "_rt-async-std" ]
+runtime-tokio-rustls = [ "sqlx-rt/runtime-tokio-rustls", "_tls-rustls", "_rt-tokio" ]
+
 # for conditional compilation
 _rt-actix = []
 _rt-async-std = []
 _rt-tokio = []
 _tls-native-tls = []
+_tls-rustls = [ "rustls", "webpki" ]
 
 # support offline/decoupled building (enables serialization of `Describe`)
 offline = [ "serde", "either/serde" ]
@@ -86,6 +91,7 @@ parking_lot = "0.11.0"
 rand = { version = "0.7.3", default-features = false, optional = true, features = [ "std" ] }
 regex = { version = "1.3.9", optional = true }
 rsa = { version = "0.3.0", optional = true }
+rustls = { version = "0.18.1", optional = true }
 serde = { version = "1.0.106", features = [ "derive", "rc" ], optional = true }
 serde_json = { version = "1.0.51", features = [ "raw_value" ], optional = true }
 sha-1 = { version = "0.9.0", default-features = false, optional = true }
@@ -96,6 +102,7 @@ time = { version = "0.2.16", optional = true }
 smallvec = "1.4.0"
 url = { version = "2.1.1", default-features = false }
 uuid = { version = "0.8.1", default-features = false, optional = true, features = [ "std" ] }
+webpki = { version = "0.21.3", optional = true }
 whoami = "0.9.0"
 stringprep = "0.1.2"
 lru-cache = "0.1.2"

sqlx-core/Cargo.toml

@@ -242,6 +242,14 @@ impl From<sqlx_rt::native_tls::Error> for Error {
     }
 }
 
+#[cfg(feature = "_tls-rustls")]
+impl From<webpki::InvalidDNSNameError> for Error {
+    #[inline]
+    fn from(error: webpki::InvalidDNSNameError) -> Self {
+        Error::Tls(Box::new(error))
+    }
+}
+
 // Format an error message as a `Protocol` error
 macro_rules! err_protocol {
     ($expr:expr) => {

sqlx-core/src/error.rs

@@ -6,11 +6,7 @@ use std::path::Path;
 use std::pin::Pin;
 use std::task::{Context, Poll};
 
-use sqlx_rt::{
-    fs,
-    native_tls::{Certificate, TlsConnector},
-    AsyncRead, AsyncWrite, TlsStream,
-};
+use sqlx_rt::{fs, AsyncRead, AsyncWrite, TlsStream};
 
 use crate::error::Error;
 use std::mem::replace;
@@ -40,25 +36,12 @@ where
         accept_invalid_hostnames: bool,
         root_cert_path: Option<&Path>,
     ) -> Result<(), Error> {
-        let mut builder = TlsConnector::builder();
-        builder
-            .danger_accept_invalid_certs(accept_invalid_certs)
-            .danger_accept_invalid_hostnames(accept_invalid_hostnames);
-
-        if !accept_invalid_certs {
-            if let Some(ca) = root_cert_path {
-                let data = fs::read(ca).await?;
-                let cert = Certificate::from_pem(&data)?;
-
-                builder.add_root_certificate(cert);
-            }
-        }
-
-        #[cfg(not(feature = "_rt-async-std"))]
-        let connector = sqlx_rt::TlsConnector::from(builder.build()?);
-
-        #[cfg(feature = "_rt-async-std")]
-        let connector = sqlx_rt::TlsConnector::from(builder);
+        let connector = configure_tls_connector(
+            accept_invalid_certs,
+            accept_invalid_hostnames,
+            root_cert_path,
+        )
+        .await?;
 
         let stream = match replace(self, MaybeTlsStream::Upgrading) {
             MaybeTlsStream::Raw(stream) => stream,
@@ -75,12 +58,71 @@ where
             }
         };
 
+        #[cfg(feature = "_tls-rustls")]
+        let host = webpki::DNSNameRef::try_from_ascii_str(host)?;
+
         *self = MaybeTlsStream::Tls(connector.connect(host, stream).await?);
 
         Ok(())
     }
 }
 
+#[cfg(feature = "_tls-native-tls")]
+async fn configure_tls_connector(
+    accept_invalid_certs: bool,
+    accept_invalid_hostnames: bool,
+    root_cert_path: Option<&Path>,
+) -> Result<sqlx_rt::TlsConnector, Error> {
+    use sqlx_rt::native_tls::{Certificate, TlsConnector};
+
+    let mut builder = TlsConnector::builder();
+    builder
+        .danger_accept_invalid_certs(accept_invalid_certs)
+        .danger_accept_invalid_hostnames(accept_invalid_hostnames);
+
+    if !accept_invalid_certs {
+        if let Some(ca) = root_cert_path {
+            let data = fs::read(ca).await?;
+            let cert = Certificate::from_pem(&data)?;
+
+            builder.add_root_certificate(cert);
+        }
+    }
+
+    #[cfg(not(feature = "_rt-async-std"))]
+    let connector = builder.build()?.into();
+
+    #[cfg(feature = "_rt-async-std")]
+    let connector = builder.into();
+
+    Ok(connector)
+}
+
+#[cfg(feature = "_tls-rustls")]
+async fn configure_tls_connector(
+    _accept_invalid_certs: bool,
+    _accept_invalid_hostnames: bool,
+    root_cert_path: Option<&Path>,
+) -> Result<sqlx_rt::TlsConnector, Error> {
+    // FIXME: Support accept_invalid_certs / accept_invalid_hostnames
+
+    use rustls::ClientConfig;
+    use std::io::Cursor;
+    use std::sync::Arc;
+
+    let mut config = ClientConfig::new();
+
+    if let Some(ca) = root_cert_path {
+        let data = fs::read(ca).await?;
+        let mut cursor = Cursor::new(data);
+        config.root_store.add_pem_file(&mut cursor).map_err(|_| {
+            Error::Tls(format!("Invalid certificate file: {}", ca.display()).into())
+        })?;
+    }
+
+    Ok(Arc::new(config).into())
+}
+
 impl<S> AsyncRead for MaybeTlsStream<S>
 where
     S: Unpin + AsyncWrite + AsyncRead,
@@ -192,12 +234,15 @@ where
         match self {
             MaybeTlsStream::Raw(s) => s,
 
-            #[cfg(not(feature = "_rt-async-std"))]
-            MaybeTlsStream::Tls(s) => s.get_ref().get_ref().get_ref(),
+            #[cfg(feature = "_tls-rustls")]
+            MaybeTlsStream::Tls(s) => s.get_ref().0,
 
-            #[cfg(feature = "_rt-async-std")]
+            #[cfg(all(feature = "_rt-async-std", feature = "_tls-native-tls"))]
             MaybeTlsStream::Tls(s) => s.get_ref(),
 
+            #[cfg(all(not(feature = "_rt-async-std"), feature = "_tls-native-tls"))]
+            MaybeTlsStream::Tls(s) => s.get_ref().get_ref().get_ref(),
+
             MaybeTlsStream::Upgrading => panic!(io::Error::from(io::ErrorKind::ConnectionAborted)),
         }
     }
@@ -211,12 +256,15 @@ where
         match self {
             MaybeTlsStream::Raw(s) => s,
 
-            #[cfg(not(feature = "_rt-async-std"))]
-            MaybeTlsStream::Tls(s) => s.get_mut().get_mut().get_mut(),
+            #[cfg(feature = "_tls-rustls")]
+            MaybeTlsStream::Tls(s) => s.get_mut().0,
 
-            #[cfg(feature = "_rt-async-std")]
+            #[cfg(all(feature = "_rt-async-std", feature = "_tls-native-tls"))]
             MaybeTlsStream::Tls(s) => s.get_mut(),
 
+            #[cfg(all(not(feature = "_rt-async-std"), feature = "_tls-native-tls"))]
+            MaybeTlsStream::Tls(s) => s.get_mut().get_mut().get_mut(),
+
             MaybeTlsStream::Upgrading => panic!(io::Error::from(io::ErrorKind::ConnectionAborted)),
         }
     }

sqlx-core/src/net/tls.rs

@@ -24,6 +24,10 @@ runtime-actix-native-tls = [ "sqlx-core/runtime-actix-native-tls", "sqlx-rt/runt
 runtime-async-std-native-tls = [ "sqlx-core/runtime-async-std-native-tls", "sqlx-rt/runtime-async-std-native-tls", "_rt-async-std" ]
 runtime-tokio-native-tls = [ "sqlx-core/runtime-tokio-native-tls", "sqlx-rt/runtime-tokio-native-tls", "_rt-tokio" ]
 
+runtime-actix-rustls = [ "sqlx-core/runtime-actix-rustls", "sqlx-rt/runtime-actix-rustls", "_rt-actix" ]
+runtime-async-std-rustls = [ "sqlx-core/runtime-async-std-rustls", "sqlx-rt/runtime-async-std-rustls", "_rt-async-std" ]
+runtime-tokio-rustls = [ "sqlx-core/runtime-tokio-rustls", "sqlx-rt/runtime-tokio-rustls", "_rt-tokio" ]
+
 # for conditional compilation
 _rt-actix = []
 _rt-async-std = []

sqlx-macros/Cargo.toml

@@ -15,18 +15,25 @@ runtime-actix-native-tls = [ "_rt-actix", "_tls-native-tls", "tokio-native-tls"
 runtime-async-std-native-tls = [ "_rt-async-std", "_tls-native-tls", "async-native-tls" ]
 runtime-tokio-native-tls = [ "_rt-tokio", "_tls-native-tls", "tokio-native-tls" ]
 
+runtime-actix-rustls = [ "_rt-actix", "_tls-rustls", "tokio-rustls" ]
+runtime-async-std-rustls = [ "_rt-async-std", "_tls-rustls", "async-rustls" ]
+runtime-tokio-rustls = [ "_rt-tokio", "_tls-rustls", "tokio-rustls" ]
+
 # Not used directly and not re-exported from sqlx
 _rt-actix = [ "actix-rt", "actix-threadpool", "tokio", "once_cell" ]
 _rt-async-std = [ "async-std" ]
 _rt-tokio = [ "tokio", "once_cell" ]
 _tls-native-tls = [ "native-tls" ]
+_tls-rustls = [ ]
 
 [dependencies]
 async-native-tls = { version = "0.3.3", optional = true }
+async-rustls = { version = "0.1.1", optional = true }
 actix-rt = { version = "1.1.1", optional = true }
 actix-threadpool = { version = "0.3.2", optional = true }
-async-std = { version = "1.6.0", features = [ "unstable" ], optional = true }
+async-std = { version = "1.6.5", features = [ "unstable" ], optional = true }
 tokio = { version = "0.2.21", optional = true, features = [ "blocking", "stream", "fs", "tcp", "uds", "macros", "rt-core", "rt-threaded", "time", "dns", "io-util" ] }
 tokio-native-tls = { version = "0.1.0", optional = true }
+tokio-rustls = { version = "0.14.0", optional = true }
 native-tls = { version = "0.2.4", optional = true }
 once_cell = { version = "1.4", features = ["std"], optional = true }

sqlx-rt/Cargo.toml

@@ -2,20 +2,26 @@
     feature = "runtime-actix-native-tls",
     feature = "runtime-async-std-native-tls",
     feature = "runtime-tokio-native-tls",
+    feature = "runtime-actix-rustls",
+    feature = "runtime-async-std-rustls",
+    feature = "runtime-tokio-rustls",
 )))]
 compile_error!(
     "one of the features ['runtime-actix-native-tls', 'runtime-async-std-native-tls', \
-     'runtime-tokio-native-tls'] must be enabled"
+     'runtime-tokio-native-tls', 'runtime-actix-rustls', 'runtime-async-std-rustls', \
+     'runtime-tokio-rustls'] must be enabled"
 );
 
 #[cfg(any(
     all(feature = "_rt-actix", feature = "_rt-async-std"),
     all(feature = "_rt-actix", feature = "_rt-tokio"),
     all(feature = "_rt-async-std", feature = "_rt-tokio"),
+    all(feature = "_tls-native-tls", feature = "_tls-rustls"),
 ))]
 compile_error!(
     "only one of ['runtime-actix-native-tls', 'runtime-async-std-native-tls', \
-     'runtime-tokio-native-tls'] can be enabled"
+     'runtime-tokio-native-tls', 'runtime-actix-rustls', 'runtime-async-std-rustls', \
+     'runtime-tokio-rustls'] can be enabled"
 );
 
 #[cfg(all(feature = "_tls-native-tls"))]
@@ -78,10 +84,17 @@ mod tokio_runtime {
 #[cfg(all(
     feature = "_tls-native-tls",
     any(feature = "_rt-tokio", feature = "_rt-actix"),
-    not(feature = "_rt-async-std"),
+    not(any(feature = "_tls-rustls", feature = "_rt-async-std")),
 ))]
 pub use tokio_native_tls::{TlsConnector, TlsStream};
 
+#[cfg(all(
+    feature = "_tls-rustls",
+    any(feature = "_rt-tokio", feature = "_rt-actix"),
+    not(any(feature = "_tls-native-tls", feature = "_rt-async-std")),
+))]
+pub use tokio_rustls::{client::TlsStream, TlsConnector};
+
 //
 // tokio
 //
@@ -170,3 +183,14 @@ where
 
 #[cfg(all(feature = "async-native-tls", not(feature = "tokio-native-tls")))]
 pub use async_native_tls::{TlsConnector, TlsStream};
+
+#[cfg(all(
+    feature = "_tls-rustls",
+    feature = "_rt-async-std",
+    not(any(
+        feature = "_tls-native-tls",
+        feature = "_rt-tokio",
+        feature = "_rt-actix"
+    )),
+))]
+pub use async_rustls::{client::TlsStream, TlsConnector};

sqlx-rt/src/lib.rs

@@ -7,8 +7,8 @@
 ))]
 compile_error!(
     "the features 'runtime-actix', 'runtime-async-std' and 'runtime-tokio' have been removed in
-     favor of new features 'runtime-{rt}-{tls}' where rt is one of 'actix', 'async-std' and
-     'tokio'."
+     favor of new features 'runtime-{rt}-{tls}' where rt is one of 'actix', 'async-std' and 'tokio'
+     and 'tls' is one of 'native-tls' and 'rustls'."
 );
 
 pub use sqlx_core::acquire::Acquire;