Update rustls

This commit is contained in:
SleeplessOne1917 2024-05-02 00:02:02 -04:00
parent db2ce81fc4
commit acd541a0e9
3 changed files with 483 additions and 254 deletions

Cargo.lock generated



@ -157,10 +157,10 @@ ts-rs = { version = "7.1.1", features = [
"chrono-impl", "chrono-impl",
"no-serde-warnings", "no-serde-warnings",
] } ] }
rustls = { version = "0.21.11", features = ["dangerous_configuration"] } rustls = { version = "0.23.5", features = ["ring"] }
futures-util = "0.3.30" futures-util = "0.3.30"
tokio-postgres = "0.7.10" tokio-postgres = "0.7.10"
tokio-postgres-rustls = "0.10.0" tokio-postgres-rustls = "0.12.0"
urlencoding = "2.1.3" urlencoding = "2.1.3"
enum-map = "2.7" enum-map = "2.7"
moka = { version = "0.12.7", features = ["future"] } moka = { version = "0.12.7", features = ["future"] }


@ -7,20 +7,17 @@ use diesel::{
query_builder::{Query, QueryFragment}, query_builder::{Query, QueryFragment},
query_dsl::methods::LimitDsl, query_dsl::methods::LimitDsl,
result::{ result::{
ConnectionError, ConnectionError, ConnectionResult,
ConnectionResult,
Error::{self as DieselError, QueryBuilderError}, Error::{self as DieselError, QueryBuilderError},
}, },
sql_types::{self, Timestamptz}, sql_types::{self, Timestamptz},
IntoSql, IntoSql, OptionalExtension,
OptionalExtension,
}; };
use diesel_async::{ use diesel_async::{
pg::AsyncPgConnection, pg::AsyncPgConnection,
pooled_connection::{ pooled_connection::{
deadpool::{Hook, HookError, Object as PooledConnection, Pool}, deadpool::{Hook, HookError, Object as PooledConnection, Pool},
AsyncDieselConnectionManager, AsyncDieselConnectionManager, ManagerConfig,
ManagerConfig,
}, },
SimpleAsyncConnection, SimpleAsyncConnection,
}; };
@ -33,13 +30,17 @@ use lemmy_utils::{
use once_cell::sync::Lazy; use once_cell::sync::Lazy;
use regex::Regex; use regex::Regex;
use rustls::{ use rustls::{
client::{ServerCertVerified, ServerCertVerifier}, client::danger::{
ServerName, DangerousClientConfigBuilder, HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier,
},
crypto::{self, verify_tls12_signature, verify_tls13_signature},
pki_types::{CertificateDer, ServerName, UnixTime},
ClientConfig, DigitallySignedStruct, SignatureScheme,
}; };
use std::{ use std::{
ops::{Deref, DerefMut}, ops::{Deref, DerefMut},
sync::Arc, sync::Arc,
time::{Duration, SystemTime}, time::Duration,
}; };
use tracing::error; use tracing::error;
use url::Url; use url::Url;
@ -312,10 +313,11 @@ pub fn diesel_option_overwrite_to_url_create(opt: &Option<String>) -> LemmyResul
fn establish_connection(config: &str) -> BoxFuture<ConnectionResult<AsyncPgConnection>> { fn establish_connection(config: &str) -> BoxFuture<ConnectionResult<AsyncPgConnection>> {
let fut = async { let fut = async {
let rustls_config = rustls::ClientConfig::builder() let rustls_config = DangerousClientConfigBuilder {
.with_safe_defaults() cfg: ClientConfig::builder(),
.with_custom_certificate_verifier(Arc::new(NoCertVerifier {})) }
.with_no_client_auth(); .with_custom_certificate_verifier(Arc::new(NoCertVerifier {}))
.with_no_client_auth();
let tls = tokio_postgres_rustls::MakeRustlsConnect::new(rustls_config); let tls = tokio_postgres_rustls::MakeRustlsConnect::new(rustls_config);
let (client, conn) = tokio_postgres::connect(config, tls) let (client, conn) = tokio_postgres::connect(config, tls)
@ -338,21 +340,55 @@ fn establish_connection(config: &str) -> BoxFuture<ConnectionResult<AsyncPgConne
fut.boxed() fut.boxed()
} }
#[derive(Debug)]
struct NoCertVerifier {} struct NoCertVerifier {}
impl ServerCertVerifier for NoCertVerifier { impl ServerCertVerifier for NoCertVerifier {
fn verify_server_cert( fn verify_server_cert(
&self, &self,
_end_entity: &rustls::Certificate, _end_entity: &CertificateDer,
_intermediates: &[rustls::Certificate], _intermediates: &[CertificateDer],
_server_name: &ServerName, _server_name: &ServerName,
_scts: &mut dyn Iterator<Item = &[u8]>, _ocsp: &[u8],
_ocsp_response: &[u8], _now: UnixTime,
_now: SystemTime,
) -> Result<ServerCertVerified, rustls::Error> { ) -> Result<ServerCertVerified, rustls::Error> {
// Will verify all (even invalid) certs without any checks (sslmode=require) // Will verify all (even invalid) certs without any checks (sslmode=require)
Ok(ServerCertVerified::assertion()) Ok(ServerCertVerified::assertion())
} }
fn verify_tls12_signature(
&self,
message: &[u8],
cert: &CertificateDer,
dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, rustls::Error> {
verify_tls12_signature(
message,
cert,
dss,
&crypto::ring::default_provider().signature_verification_algorithms,
)
}
fn verify_tls13_signature(
&self,
message: &[u8],
cert: &CertificateDer,
dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, rustls::Error> {
verify_tls13_signature(
message,
cert,
dss,
&crypto::ring::default_provider().signature_verification_algorithms,
)
}
fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
crypto::ring::default_provider()
.signature_verification_algorithms
.supported_schemes()
}
} }
pub async fn build_db_pool() -> LemmyResult<ActualDbPool> { pub async fn build_db_pool() -> LemmyResult<ActualDbPool> {
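Review bot: `NoCertVerifier::verify_server_cert` still returns `ServerCertVerified::assertion()` for every certificate, so the `verify_tls12_signature`/`verify_tls13_signature` bodies added in this hunk only prove the peer holds the private key of a certificate that was never validated against any trust anchor or the requested `ServerName`; the Postgres connection built with `DangerousClientConfigBuilder` in `establish_connection` is therefore encrypted but the server is not authenticated, which is the `sslmode=require` trade-off the one-line comment alludes to. If that is the intended behaviour I would state it at the type rather than inside the method, e.g. a doc comment on `struct NoCertVerifier`: `/// Accepts any server certificate without chain or hostname validation: TLS to the database gives confidentiality only, not server authentication. Use rustls::client::WebPkiServerVerifier with trusted roots once the endpoint's CA can be pinned.` A smaller point of style: `crypto::ring::default_provider()` is built anew in `verify_tls12_signature`, `verify_tls13_signature` and `supported_verify_schemes`, and it appears to allocate its cipher-suite list each time; keeping the provider (or just its `signature_verification_algorithms`) in a `static` or a field of the struct avoids that per-handshake work. `build_db_pool` on the last line continues outside the hunk.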