Make TLS optional

This introduces a feature in Cargo.toml to enable TLS support to be
optional.  Various code has either been conditioned on the new feature,
or moved into the tls module if it's only ever used for TLS.

Author: mjgarton

Cargo.toml

@@ -17,6 +17,10 @@ categories = ["api-bindings", "network-programming", "database-implementations"]
 
 license = "MIT/Apache-2.0"
 
+[features]
+default = ["tls"]
+tls = ["rustls"]
+
 [badges]
 azure-devops = { project = "jonhoo/jonhoo", pipeline = "msql-srv", build = "27" }
 codecov = { repository = "jonhoo/msql-srv", branch = "master", service = "github" }
@@ -28,7 +32,7 @@ mysql_common = "0.22"
 byteorder = "1"
 chrono = "0.4"
 time = "0.2.25"
-rustls = "0.20.0"
+rustls = {version = "0.20.0", optional=true}
 
 [dev-dependencies]
 postgres = "0.19.1"

src/lib.rs

@@ -100,7 +100,6 @@ use std::io;
 use std::io::prelude::*;
 use std::iter;
 use std::net;
-use std::sync::Arc;
 
 use myc::constants::CapabilityFlags;
 
@@ -111,6 +110,7 @@ mod errorcodes;
 mod packet;
 mod params;
 mod resultset;
+#[cfg(feature = "tls")]
 mod tls;
 mod value;
 mod writers;
@@ -190,7 +190,8 @@ pub trait MysqlShim<W: Read + Write> {
     }
 
     /// Provides the TLS configuration, if we want to support TLS.
-    fn tls_config(&self) -> Option<Arc<rustls::ServerConfig>> {
+    #[cfg(feature = "tls")]
+    fn tls_config(&self) -> Option<std::sync::Arc<rustls::ServerConfig>> {
         None
     }
 }
@@ -238,6 +239,7 @@ impl<B: MysqlShim<RW>, RW: Read + Write> MysqlIntermediary<B, RW> {
     }
 
     fn init(&mut self) -> Result<(), B::Error> {
+        #[cfg(feature = "tls")]
         let tls_conf = self.shim.tls_config();
 
         self.rw.write_all(&[10])?; // protocol 10
@@ -248,6 +250,7 @@ impl<B: MysqlShim<RW>, RW: Read + Write> MysqlIntermediary<B, RW> {
         self.rw.write_all(&[0x08, 0x00, 0x00, 0x00])?; // TODO: connection ID
         self.rw.write_all(&b";X,po_k}\0"[..])?; // auth seed
         let capabilities = &mut [0x00, 0x42]; // 4.1 proto
+        #[cfg(feature = "tls")]
         if tls_conf.is_some() {
             capabilities[1] |= 0x08; // SSL support flag
         }
@@ -293,6 +296,16 @@ impl<B: MysqlShim<RW>, RW: Read + Write> MysqlIntermediary<B, RW> {
 
             self.rw.set_seq(seq + 1);
 
+            #[cfg(not(feature = "tls"))]
+            if handshake.capabilities.contains(CapabilityFlags::CLIENT_SSL) {
+                return Err(io::Error::new(
+                    io::ErrorKind::InvalidData,
+                    "client requested SSL despite us not advertising support for it",
+                )
+                .into());
+            }
+
+            #[cfg(feature = "tls")]
             if handshake.capabilities.contains(CapabilityFlags::CLIENT_SSL) {
                 let config = tls_conf.ok_or_else(|| {
                     io::Error::new(

src/packet.rs

@@ -1,12 +1,16 @@
 use byteorder::{ByteOrder, LittleEndian};
-use rustls::{ServerConfig, ServerConnection};
+#[cfg(feature = "tls")]
+use rustls::ServerConfig;
 use std::io;
 use std::io::prelude::*;
 
 const U24_MAX: usize = 16_777_215;
 
 pub struct PacketConn<RW: Read + Write> {
-    rw: SwitchableConn<RW>,
+    #[cfg(feature = "tls")]
+    rw: tls::SwitchableConn<RW>,
+    #[cfg(not(feature = "tls"))]
+    rw: RW,
 
     // read variables
     bytes: Vec<u8>,
@@ -38,14 +42,17 @@ impl<W: Read + Write> Write for PacketConn<W> {
 
 impl<RW: Read + Write> PacketConn<RW> {
     pub fn new(rw: RW) -> Self {
+        #[cfg(feature = "tls")]
+        let rw = tls::SwitchableConn::new(rw);
+
         PacketConn {
             bytes: Vec::new(),
             start: 0,
             remaining: 0,
 
             to_write: vec![0, 0, 0, 0],
             seq: 0,
-            rw: SwitchableConn::new(rw),
+            rw,
         }
     }
 }
@@ -68,8 +75,9 @@ impl<W: Read + Write> PacketConn<W> {
         self.maybe_end_packet()
     }
 
-    pub fn switch_to_tls(&mut self, config: Arc<ServerConfig>) -> io::Result<()> {
-        assert_eq!(self.remaining(), 0); // otherwise we've read ahead into the TLS handshake and will be in trouble.
+    #[cfg(feature = "tls")]
+    pub fn switch_to_tls(&mut self, config: std::sync::Arc<ServerConfig>) -> io::Result<()> {
+        assert_eq!(self.remaining, 0); // otherwise we've read ahead into the TLS handshake and will be in trouble.
 
         self.rw.switch_to_tls(config)
     }
@@ -134,10 +142,6 @@ impl<R: Read + Write> PacketConn<R> {
             }
         }
     }
-
-    pub fn remaining(&self) -> usize {
-        self.remaining
-    }
 }
 
 pub fn fullpacket(i: &[u8]) -> nom::IResult<&[u8], (u8, &[u8])> {
@@ -171,9 +175,10 @@ impl AsRef<[u8]> for Packet {
 }
 
 use std::ops::Deref;
-use std::sync::Arc;
 
+#[cfg(feature = "tls")]
 use crate::tls;
+
 impl Deref for Packet {
     type Target = [u8];
     fn deref(&self) -> &Self::Target {
@@ -214,60 +219,6 @@ fn packet(i: &[u8]) -> nom::IResult<&[u8], (u8, Packet)> {
     )(i)
 }
 
-pub(crate) struct SwitchableConn<T: Read + Write>(Option<EitherConn<T>>);
-
-pub(crate) enum EitherConn<T: Read + Write> {
-    Plain(T),
-    TLS(rustls::StreamOwned<ServerConnection, T>),
-}
-
-impl<T: Read + Write> Read for SwitchableConn<T> {
-    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
-        match &mut self.0.as_mut().unwrap() {
-            EitherConn::Plain(p) => p.read(buf),
-            EitherConn::TLS(t) => t.read(buf),
-        }
-    }
-}
-
-impl<T: Read + Write> Write for SwitchableConn<T> {
-    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
-        match &mut self.0.as_mut().unwrap() {
-            EitherConn::Plain(p) => p.write(buf),
-            EitherConn::TLS(t) => t.write(buf),
-        }
-    }
-
-    fn flush(&mut self) -> io::Result<()> {
-        match &mut self.0.as_mut().unwrap() {
-            EitherConn::Plain(p) => p.flush(),
-            EitherConn::TLS(t) => t.flush(),
-        }
-    }
-}
-
-impl<T: Read + Write> SwitchableConn<T> {
-    pub fn new(rw: T) -> SwitchableConn<T> {
-        SwitchableConn(Some(EitherConn::Plain(rw)))
-    }
-
-    pub fn switch_to_tls(&mut self, config: Arc<ServerConfig>) -> io::Result<()> {
-        let replacement = match self.0.take() {
-            Some(EitherConn::Plain(plain)) => {
-                Ok(EitherConn::TLS(tls::create_stream(plain, config)?))
-            }
-            Some(EitherConn::TLS(_)) => Err(io::Error::new(
-                io::ErrorKind::Other,
-                "tls variant found when plain was expected",
-            )),
-            None => unreachable!(),
-        }?;
-
-        self.0 = Some(replacement);
-        Ok(())
-    }
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;

src/tls.rs

@@ -12,3 +12,55 @@ pub fn create_stream<T: Read + Write + Sized>(
     let stream = rustls::StreamOwned { conn, sock };
     Ok(stream)
 }
+
+pub(crate) struct SwitchableConn<T: Read + Write>(Option<EitherConn<T>>);
+
+pub(crate) enum EitherConn<T: Read + Write> {
+    Plain(T),
+    TLS(rustls::StreamOwned<ServerConnection, T>),
+}
+
+impl<T: Read + Write> Read for SwitchableConn<T> {
+    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
+        match &mut self.0.as_mut().unwrap() {
+            EitherConn::Plain(p) => p.read(buf),
+            EitherConn::TLS(t) => t.read(buf),
+        }
+    }
+}
+
+impl<T: Read + Write> Write for SwitchableConn<T> {
+    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
+        match &mut self.0.as_mut().unwrap() {
+            EitherConn::Plain(p) => p.write(buf),
+            EitherConn::TLS(t) => t.write(buf),
+        }
+    }
+
+    fn flush(&mut self) -> io::Result<()> {
+        match &mut self.0.as_mut().unwrap() {
+            EitherConn::Plain(p) => p.flush(),
+            EitherConn::TLS(t) => t.flush(),
+        }
+    }
+}
+
+impl<T: Read + Write> SwitchableConn<T> {
+    pub fn new(rw: T) -> SwitchableConn<T> {
+        SwitchableConn(Some(EitherConn::Plain(rw)))
+    }
+
+    pub fn switch_to_tls(&mut self, config: Arc<ServerConfig>) -> io::Result<()> {
+        let replacement = match self.0.take() {
+            Some(EitherConn::Plain(plain)) => Ok(EitherConn::TLS(create_stream(plain, config)?)),
+            Some(EitherConn::TLS(_)) => Err(io::Error::new(
+                io::ErrorKind::Other,
+                "tls variant found when plain was expected",
+            )),
+            None => unreachable!(),
+        }?;
+
+        self.0 = Some(replacement);
+        Ok(())
+    }
+}

tests/main.rs

@@ -8,14 +8,11 @@ use mysql::prelude::*;
 use mysql::DriverError;
 use mysql::OptsBuilder;
 use mysql::SslOpts;
-use rcgen::generate_simple_self_signed;
-use rustls::Certificate;
-use rustls::PrivateKey;
-use rustls::ServerConfig;
+#[cfg(feature = "tls")]
+use rustls::{Certificate, PrivateKey, ServerConfig};
 use std::error::Error;
 use std::io;
 use std::net;
-use std::sync::Arc;
 use std::thread;
 
 use msql_srv::{
@@ -30,7 +27,8 @@ struct TestingShim<Q, P, E, I> {
     on_p: P,
     on_e: E,
     on_i: I,
-    server_tls: Option<Arc<rustls::ServerConfig>>,
+    #[cfg(feature = "tls")]
+    server_tls: Option<std::sync::Arc<rustls::ServerConfig>>,
     client_tls: Option<SslOpts>,
 }
 
@@ -75,8 +73,9 @@ where
         (self.on_q)(query, results)
     }
 
-    fn tls_config(&self) -> Option<Arc<rustls::ServerConfig>> {
-        self.server_tls.as_ref().map(Arc::clone)
+    #[cfg(feature = "tls")]
+    fn tls_config(&self) -> Option<std::sync::Arc<rustls::ServerConfig>> {
+        self.server_tls.as_ref().map(std::sync::Arc::clone)
     }
 }
 
@@ -97,6 +96,7 @@ where
             on_p,
             on_e,
             on_i,
+            #[cfg(feature = "tls")]
             server_tls: None,
             client_tls: None,
         }
@@ -112,10 +112,11 @@ where
         self
     }
 
+    #[cfg(feature = "tls")]
     fn with_server_tls(mut self) -> Self {
-        let cert = generate_simple_self_signed(vec!["localhost".to_string()]).unwrap();
+        let cert = rcgen::generate_simple_self_signed(vec!["localhost".to_string()]).unwrap();
 
-        self.server_tls = Some(Arc::new(
+        self.server_tls = Some(std::sync::Arc::new(
             ServerConfig::builder()
                 .with_safe_defaults()
                 .with_no_client_auth()
@@ -180,6 +181,8 @@ fn it_connects() {
 }
 
 #[test]
+#[cfg(feature = "tls")]
+
 fn it_connects_tls_server_only() {
     // Client can connect ok without SSL when SSL is enabled on the server.
     TestingShim::new(
@@ -193,6 +196,8 @@ fn it_connects_tls_server_only() {
 }
 
 #[test]
+#[cfg(feature = "tls")]
+
 fn it_connects_tls_both() {
     // SSL connection when ssl enabled on server and used by client
     TestingShim::new(