Update rustls
This commit is contained in:
parent
db2ce81fc4
commit
acd541a0e9
661
Cargo.lock
generated
661
Cargo.lock
generated
|
@ -157,10 +157,10 @@ ts-rs = { version = "7.1.1", features = [
|
||||||
"chrono-impl",
|
"chrono-impl",
|
||||||
"no-serde-warnings",
|
"no-serde-warnings",
|
||||||
] }
|
] }
|
||||||
rustls = { version = "0.21.11", features = ["dangerous_configuration"] }
|
rustls = { version = "0.23.5", features = ["ring"] }
|
||||||
futures-util = "0.3.30"
|
futures-util = "0.3.30"
|
||||||
tokio-postgres = "0.7.10"
|
tokio-postgres = "0.7.10"
|
||||||
tokio-postgres-rustls = "0.10.0"
|
tokio-postgres-rustls = "0.12.0"
|
||||||
urlencoding = "2.1.3"
|
urlencoding = "2.1.3"
|
||||||
enum-map = "2.7"
|
enum-map = "2.7"
|
||||||
moka = { version = "0.12.7", features = ["future"] }
|
moka = { version = "0.12.7", features = ["future"] }
|
||||||
|
|
|
@ -7,20 +7,17 @@ use diesel::{
|
||||||
query_builder::{Query, QueryFragment},
|
query_builder::{Query, QueryFragment},
|
||||||
query_dsl::methods::LimitDsl,
|
query_dsl::methods::LimitDsl,
|
||||||
result::{
|
result::{
|
||||||
ConnectionError,
|
ConnectionError, ConnectionResult,
|
||||||
ConnectionResult,
|
|
||||||
Error::{self as DieselError, QueryBuilderError},
|
Error::{self as DieselError, QueryBuilderError},
|
||||||
},
|
},
|
||||||
sql_types::{self, Timestamptz},
|
sql_types::{self, Timestamptz},
|
||||||
IntoSql,
|
IntoSql, OptionalExtension,
|
||||||
OptionalExtension,
|
|
||||||
};
|
};
|
||||||
use diesel_async::{
|
use diesel_async::{
|
||||||
pg::AsyncPgConnection,
|
pg::AsyncPgConnection,
|
||||||
pooled_connection::{
|
pooled_connection::{
|
||||||
deadpool::{Hook, HookError, Object as PooledConnection, Pool},
|
deadpool::{Hook, HookError, Object as PooledConnection, Pool},
|
||||||
AsyncDieselConnectionManager,
|
AsyncDieselConnectionManager, ManagerConfig,
|
||||||
ManagerConfig,
|
|
||||||
},
|
},
|
||||||
SimpleAsyncConnection,
|
SimpleAsyncConnection,
|
||||||
};
|
};
|
||||||
|
@ -33,13 +30,17 @@ use lemmy_utils::{
|
||||||
use once_cell::sync::Lazy;
|
use once_cell::sync::Lazy;
|
||||||
use regex::Regex;
|
use regex::Regex;
|
||||||
use rustls::{
|
use rustls::{
|
||||||
client::{ServerCertVerified, ServerCertVerifier},
|
client::danger::{
|
||||||
ServerName,
|
DangerousClientConfigBuilder, HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier,
|
||||||
|
},
|
||||||
|
crypto::{self, verify_tls12_signature, verify_tls13_signature},
|
||||||
|
pki_types::{CertificateDer, ServerName, UnixTime},
|
||||||
|
ClientConfig, DigitallySignedStruct, SignatureScheme,
|
||||||
};
|
};
|
||||||
use std::{
|
use std::{
|
||||||
ops::{Deref, DerefMut},
|
ops::{Deref, DerefMut},
|
||||||
sync::Arc,
|
sync::Arc,
|
||||||
time::{Duration, SystemTime},
|
time::Duration,
|
||||||
};
|
};
|
||||||
use tracing::error;
|
use tracing::error;
|
||||||
use url::Url;
|
use url::Url;
|
||||||
|
@ -312,10 +313,11 @@ pub fn diesel_option_overwrite_to_url_create(opt: &Option<String>) -> LemmyResul
|
||||||
|
|
||||||
fn establish_connection(config: &str) -> BoxFuture<ConnectionResult<AsyncPgConnection>> {
|
fn establish_connection(config: &str) -> BoxFuture<ConnectionResult<AsyncPgConnection>> {
|
||||||
let fut = async {
|
let fut = async {
|
||||||
let rustls_config = rustls::ClientConfig::builder()
|
let rustls_config = DangerousClientConfigBuilder {
|
||||||
.with_safe_defaults()
|
cfg: ClientConfig::builder(),
|
||||||
.with_custom_certificate_verifier(Arc::new(NoCertVerifier {}))
|
}
|
||||||
.with_no_client_auth();
|
.with_custom_certificate_verifier(Arc::new(NoCertVerifier {}))
|
||||||
|
.with_no_client_auth();
|
||||||
|
|
||||||
let tls = tokio_postgres_rustls::MakeRustlsConnect::new(rustls_config);
|
let tls = tokio_postgres_rustls::MakeRustlsConnect::new(rustls_config);
|
||||||
let (client, conn) = tokio_postgres::connect(config, tls)
|
let (client, conn) = tokio_postgres::connect(config, tls)
|
||||||
|
@ -338,21 +340,55 @@ fn establish_connection(config: &str) -> BoxFuture<ConnectionResult<AsyncPgConne
|
||||||
fut.boxed()
|
fut.boxed()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[derive(Debug)]
|
||||||
struct NoCertVerifier {}
|
struct NoCertVerifier {}
|
||||||
|
|
||||||
impl ServerCertVerifier for NoCertVerifier {
|
impl ServerCertVerifier for NoCertVerifier {
|
||||||
fn verify_server_cert(
|
fn verify_server_cert(
|
||||||
&self,
|
&self,
|
||||||
_end_entity: &rustls::Certificate,
|
_end_entity: &CertificateDer,
|
||||||
_intermediates: &[rustls::Certificate],
|
_intermediates: &[CertificateDer],
|
||||||
_server_name: &ServerName,
|
_server_name: &ServerName,
|
||||||
_scts: &mut dyn Iterator<Item = &[u8]>,
|
_ocsp: &[u8],
|
||||||
_ocsp_response: &[u8],
|
_now: UnixTime,
|
||||||
_now: SystemTime,
|
|
||||||
) -> Result<ServerCertVerified, rustls::Error> {
|
) -> Result<ServerCertVerified, rustls::Error> {
|
||||||
// Will verify all (even invalid) certs without any checks (sslmode=require)
|
// Will verify all (even invalid) certs without any checks (sslmode=require)
|
||||||
Ok(ServerCertVerified::assertion())
|
Ok(ServerCertVerified::assertion())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn verify_tls12_signature(
|
||||||
|
&self,
|
||||||
|
message: &[u8],
|
||||||
|
cert: &CertificateDer,
|
||||||
|
dss: &DigitallySignedStruct,
|
||||||
|
) -> Result<HandshakeSignatureValid, rustls::Error> {
|
||||||
|
verify_tls12_signature(
|
||||||
|
message,
|
||||||
|
cert,
|
||||||
|
dss,
|
||||||
|
&crypto::ring::default_provider().signature_verification_algorithms,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn verify_tls13_signature(
|
||||||
|
&self,
|
||||||
|
message: &[u8],
|
||||||
|
cert: &CertificateDer,
|
||||||
|
dss: &DigitallySignedStruct,
|
||||||
|
) -> Result<HandshakeSignatureValid, rustls::Error> {
|
||||||
|
verify_tls13_signature(
|
||||||
|
message,
|
||||||
|
cert,
|
||||||
|
dss,
|
||||||
|
&crypto::ring::default_provider().signature_verification_algorithms,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
|
||||||
|
crypto::ring::default_provider()
|
||||||
|
.signature_verification_algorithms
|
||||||
|
.supported_schemes()
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub async fn build_db_pool() -> LemmyResult<ActualDbPool> {
|
pub async fn build_db_pool() -> LemmyResult<ActualDbPool> {
|
||||||
|
|
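Review bot: `cfg: ClientConfig::builder()` in establish_connection (hunk @ -312) leaves the crypto provider to be resolved from crate features or a process-level default, while the verifier in this hunk hard-codes `crypto::ring::default_provider()` in three places; in rustls 0.23 that resolution panics on first use when both the `ring` feature enabled in the Cargo.toml hunk and the crate's default `aws_lc_rs` backend are compiled in and nothing has called `install_default()` — whether default features are disabled or a provider is installed elsewhere is not visible in this diff. Choosing the provider explicitly on both sides removes the ambiguity: `cfg: ClientConfig::builder_with_provider(Arc::new(crypto::ring::default_provider()))` followed by `.with_safe_default_protocol_versions()`, whose `Result` presumably has to be mapped into `ConnectionError::BadConnection` the way the connect error is handled further down (the body of establish_connection continues outside the hunk). Separately, `NoCertVerifier` gains `#[derive(Debug)]` but still has no doc comment and the only explanation sits inside `verify_server_cert`; add above the struct `/// Accepts any server certificate without chain, hostname or expiry validation (libpq sslmode=require semantics): the link is encrypted but the server is not authenticated; only the handshake signatures are still checked against the presented certificate.` Delegating `verify_tls12_signature`/`verify_tls13_signature` to ring rather than returning `HandshakeSignatureValid::assertion()` is the right choice for such a verifier, since it keeps the proof that the peer holds the key for the certificate it presented.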