feat(mysql): add aws-lc-rs backend for RSA auth and FIPS TLS support

Cargo.toml

@@ -102,6 +102,7 @@ runtime-tokio = ["_rt-tokio", "sqlx-core/_rt-tokio", "sqlx-macros?/_rt-tokio"]
 tls-native-tls = ["sqlx-core/_tls-native-tls", "sqlx-macros?/_tls-native-tls"]
 tls-rustls = ["tls-rustls-ring"] # For backwards compatibility
 tls-rustls-aws-lc-rs = ["sqlx-core/_tls-rustls-aws-lc-rs", "sqlx-macros?/_tls-rustls-aws-lc-rs"]
+tls-rustls-aws-lc-rs-fips = ["sqlx-core/_tls-rustls-aws-lc-rs-fips", "sqlx-macros?/_tls-rustls-aws-lc-rs-fips"]
 tls-rustls-ring = ["tls-rustls-ring-webpki"] # For backwards compatibility
 tls-rustls-ring-webpki = ["sqlx-core/_tls-rustls-ring-webpki", "sqlx-macros?/_tls-rustls-ring-webpki"]
 tls-rustls-ring-native-roots = ["sqlx-core/_tls-rustls-ring-native-roots", "sqlx-macros?/_tls-rustls-ring-native-roots"]
@@ -119,7 +120,9 @@ _sqlite = []
 # database
 any = ["sqlx-core/any", "sqlx-mysql?/any", "sqlx-postgres?/any", "sqlx-sqlite?/any"]
 postgres = ["sqlx-postgres", "sqlx-macros?/postgres"]
-mysql = ["sqlx-mysql", "sqlx-macros?/mysql"]
+mysql = ["sqlx-mysql", "sqlx-mysql/rsa", "sqlx-macros?/mysql"]
+mysql-auth-rsa-aws-lc-rs = ["sqlx-mysql", "sqlx-mysql/rsa-aws-lc-rs", "sqlx-macros?/mysql-rsa-aws-lc-rs"]
+mysql-auth-rsa-aws-lc-rs-fips = ["sqlx-mysql", "sqlx-mysql/rsa-aws-lc-rs-fips", "sqlx-macros?/mysql-rsa-aws-lc-rs-fips"]
 sqlite = ["sqlite-bundled", "sqlite-deserialize", "sqlite-load-extension", "sqlite-unlock-notify"]
 
 # SQLite base features
@@ -168,7 +171,7 @@ sqlx-macros-core = { version = "=0.9.0-alpha.1", path = "sqlx-macros-core" }
 sqlx-macros = { version = "=0.9.0-alpha.1", path = "sqlx-macros" }
 
 # Driver crates
-sqlx-mysql = { version = "=0.9.0-alpha.1", path = "sqlx-mysql" }
+sqlx-mysql = { version = "=0.9.0-alpha.1", path = "sqlx-mysql", default-features = false }
 sqlx-postgres = { version = "=0.9.0-alpha.1", path = "sqlx-postgres" }
 sqlx-sqlite = { version = "=0.9.0-alpha.1", path = "sqlx-sqlite" }
 
@@ -214,7 +217,7 @@ default-features = false
 sqlx-core = { workspace = true, features = ["offline", "migrate"] }
 sqlx-macros = { workspace = true, optional = true }
 
-sqlx-mysql = { workspace = true, optional = true }
+sqlx-mysql = { workspace = true, optional = true, default-features = false }
 sqlx-postgres = { workspace = true, optional = true }
 sqlx-sqlite = { workspace = true, optional = true }
 
@@ -401,6 +404,16 @@ name = "mysql-rustsec"
 path = "tests/mysql/rustsec.rs"
 required-features = ["mysql"]
 
+[[test]]
+name = "mysql-rustsec-aws-lc-rs"
+path = "tests/mysql/rustsec.rs"
+required-features = ["mysql-auth-rsa-aws-lc-rs"]
+
+[[test]]
+name = "mysql-rustsec-aws-lc-rs-fips"
+path = "tests/mysql/rustsec.rs"
+required-features = ["mysql-auth-rsa-aws-lc-rs-fips"]
+
 #
 # PostgreSQL
 #

README.md

@@ -172,10 +172,15 @@ be removed in the future.
 -   `tls-native-tls`: Use the `native-tls` TLS backend (OpenSSL on *nix, SChannel on Windows, Secure Transport on macOS).
 
 -   `tls-rustls`: Use the `rustls` TLS backend (cross-platform backend, only supports TLS 1.2 and 1.3).
+-   `tls-rustls-aws-lc-rs`: Use the `rustls` TLS backend with `aws-lc-rs` (non-fips).
+-   `tls-rustls-aws-lc-rs-fips`: Use the `rustls` TLS backend with the `aws-lc-rs` FIPS module. Requires Go/CMake and a supported target (x86_64/aarch64 Linux or macOS); do not combine with `tls-rustls-aws-lc-rs`.
 
 -   `postgres`: Add support for the Postgres database server.
 
 -   `mysql`: Add support for the MySQL/MariaDB database server.
+-   `mysql-auth-rsa-aws-lc-rs`: MySQL/MariaDB RSA password encryption for `caching_sha2_password`/`sha256_password` when TLS is off; uses `aws-lc-rs` (`non-fips`, not FIPS-validated) instead of `rsa`.
+-   `mysql-auth-rsa-aws-lc-rs-fips`: MySQL/MariaDB RSA password encryption for `caching_sha2_password`/`sha256_password` when TLS is off; uses the `aws-lc-rs` `fips` module. Requires Go/CMake and a supported target (x86_64/aarch64 Linux or macOS); avoid combining with `tls-rustls-aws-lc-rs` (non-fips).
+    * `mysql`, `mysql-auth-rsa-aws-lc-rs`, and `mysql-auth-rsa-aws-lc-rs-fips` are mutually exclusive; choose one backend.
 
 -   `mssql`: Add support for the MSSQL database server.
 

sqlx-core/Cargo.toml

@@ -29,6 +29,7 @@ _rt-tokio = ["tokio", "tokio-stream"]
 
 _tls-native-tls = ["native-tls"]
 _tls-rustls-aws-lc-rs = ["_tls-rustls", "rustls/aws-lc-rs", "webpki-roots"]
+_tls-rustls-aws-lc-rs-fips = ["_tls-rustls", "rustls/fips", "webpki-roots"]
 _tls-rustls-ring-webpki = ["_tls-rustls", "rustls/ring", "webpki-roots"]
 _tls-rustls-ring-native-roots = ["_tls-rustls", "rustls/ring", "rustls-native-certs"]
 _tls-rustls = ["rustls"]

sqlx-core/src/lib.rs

@@ -22,6 +22,14 @@
 // <https://doc.rust-lang.org/unstable-book/language-features/doc-cfg.html>
 #![cfg_attr(docsrs, feature(doc_cfg))]
 
+#[cfg(all(
+    feature = "_tls-rustls-aws-lc-rs",
+    feature = "_tls-rustls-aws-lc-rs-fips"
+))]
+compile_error!(
+    "features `_tls-rustls-aws-lc-rs` and `_tls-rustls-aws-lc-rs-fips` are mutually exclusive"
+);
+
 #[macro_use]
 pub mod ext;
 

sqlx-core/src/net/tls/tls_rustls.rs

@@ -92,7 +92,10 @@ where
     S: Socket,
 {
     #[cfg(all(
-        feature = "_tls-rustls-aws-lc-rs",
+        any(
+            feature = "_tls-rustls-aws-lc-rs",
+            feature = "_tls-rustls-aws-lc-rs-fips"
+        ),
         not(feature = "_tls-rustls-ring-webpki"),
         not(feature = "_tls-rustls-ring-native-roots")
     ))]

sqlx-macros-core/Cargo.toml

@@ -19,6 +19,7 @@ _rt-tokio = ["tokio", "sqlx-core/_rt-tokio"]
 
 _tls-native-tls = ["sqlx-core/_tls-native-tls"]
 _tls-rustls-aws-lc-rs = ["sqlx-core/_tls-rustls-aws-lc-rs"]
+_tls-rustls-aws-lc-rs-fips = ["sqlx-core/_tls-rustls-aws-lc-rs-fips"]
 _tls-rustls-ring-webpki = ["sqlx-core/_tls-rustls-ring-webpki"]
 _tls-rustls-ring-native-roots = ["sqlx-core/_tls-rustls-ring-native-roots"]
 
@@ -32,7 +33,9 @@ migrate = ["sqlx-core/migrate"]
 sqlx-toml = ["sqlx-core/sqlx-toml", "sqlx-sqlite?/sqlx-toml"]
 
 # database
-mysql = ["sqlx-mysql"]
+mysql = ["sqlx-mysql", "sqlx-mysql/rsa"]
+mysql-rsa-aws-lc-rs = ["sqlx-mysql", "sqlx-mysql/rsa-aws-lc-rs"]
+mysql-rsa-aws-lc-rs-fips = ["sqlx-mysql", "sqlx-mysql/rsa-aws-lc-rs-fips"]
 postgres = ["sqlx-postgres"]
 sqlite = ["_sqlite", "sqlx-sqlite/bundled"]
 sqlite-unbundled = ["_sqlite", "sqlx-sqlite/unbundled"]
@@ -55,7 +58,7 @@ uuid = ["sqlx-core/uuid", "sqlx-mysql?/uuid", "sqlx-postgres?/uuid", "sqlx-sqlit
 
 [dependencies]
 sqlx-core = { workspace = true, features = ["offline"] }
-sqlx-mysql = { workspace = true, features = ["offline", "migrate"], optional = true }
+sqlx-mysql = { workspace = true, features = ["offline", "migrate"], optional = true, default-features = false }
 sqlx-postgres = { workspace = true, features = ["offline", "migrate"], optional = true }
 sqlx-sqlite = { workspace = true, features = ["offline", "migrate"], optional = true }
 

sqlx-macros-core/src/database/impls.rs

@@ -40,7 +40,11 @@ macro_rules! impl_describe_blocking {
 
 // The paths below will also be emitted from the macros, so they need to match the final facade.
 mod sqlx {
-    #[cfg(feature = "mysql")]
+    #[cfg(any(
+        feature = "mysql",
+        feature = "mysql-rsa-aws-lc-rs",
+        feature = "mysql-rsa-aws-lc-rs-fips"
+    ))]
     pub use sqlx_mysql as mysql;
 
     #[cfg(feature = "postgres")]
@@ -51,7 +55,11 @@ mod sqlx {
 }
 
 // NOTE: type mappings have been moved to `src/type_checking.rs` in their respective driver crates.
-#[cfg(feature = "mysql")]
+#[cfg(any(
+    feature = "mysql",
+    feature = "mysql-rsa-aws-lc-rs",
+    feature = "mysql-rsa-aws-lc-rs-fips"
+))]
 impl_database_ext! {
     sqlx::mysql::MySql,
     row: sqlx::mysql::MySqlRow,

sqlx-macros-core/src/database/mod.rs

@@ -10,7 +10,13 @@ use std::collections::hash_map;
 use std::collections::HashMap;
 use std::sync::{LazyLock, Mutex};
 
-#[cfg(any(feature = "postgres", feature = "mysql", feature = "_sqlite"))]
+#[cfg(any(
+    feature = "postgres",
+    feature = "_sqlite",
+    feature = "mysql",
+    feature = "mysql-rsa-aws-lc-rs",
+    feature = "mysql-rsa-aws-lc-rs-fips"
+))]
 mod impls;
 
 pub trait DatabaseExt: Database + TypeChecking {

sqlx-macros-core/src/derives/decode.rs

@@ -179,7 +179,11 @@ fn expand_derive_decode_strong_enum(
 
     let mut tts = TokenStream::new();
 
-    if cfg!(feature = "mysql") {
+    if cfg!(any(
+        feature = "mysql",
+        feature = "mysql-rsa-aws-lc-rs",
+        feature = "mysql-rsa-aws-lc-rs-fips"
+    )) {
         tts.extend(quote!(
             #[automatically_derived]
             impl<'r> ::sqlx::decode::Decode<'r, ::sqlx::mysql::MySql> for #ident {

sqlx-macros-core/src/derives/type.rs

@@ -186,7 +186,11 @@ fn expand_derive_has_sql_type_strong_enum(
     let ident = &input.ident;
     let mut tts = TokenStream::new();
 
-    if cfg!(feature = "mysql") {
+    if cfg!(any(
+        feature = "mysql",
+        feature = "mysql-rsa-aws-lc-rs",
+        feature = "mysql-rsa-aws-lc-rs-fips"
+    )) {
         tts.extend(quote!(
             #[automatically_derived]
             impl ::sqlx::Type<::sqlx::MySql> for #ident {

sqlx-macros-core/src/lib.rs

@@ -46,7 +46,11 @@ pub mod migrate;
 
 #[cfg(feature = "macros")]
 pub const FOSS_DRIVERS: &[QueryDriver] = &[
-    #[cfg(feature = "mysql")]
+    #[cfg(any(
+        feature = "mysql",
+        feature = "mysql-rsa-aws-lc-rs",
+        feature = "mysql-rsa-aws-lc-rs-fips"
+    ))]
     QueryDriver::new::<sqlx_mysql::MySql>(),
     #[cfg(feature = "postgres")]
     QueryDriver::new::<sqlx_postgres::Postgres>(),

sqlx-macros/Cargo.toml

@@ -22,6 +22,7 @@ _rt-tokio = ["sqlx-macros-core/_rt-tokio"]
 
 _tls-native-tls = ["sqlx-macros-core/_tls-native-tls"]
 _tls-rustls-aws-lc-rs = ["sqlx-macros-core/_tls-rustls-aws-lc-rs"]
+_tls-rustls-aws-lc-rs-fips = ["sqlx-macros-core/_tls-rustls-aws-lc-rs-fips"]
 _tls-rustls-ring-webpki = ["sqlx-macros-core/_tls-rustls-ring-webpki"]
 _tls-rustls-ring-native-roots = ["sqlx-macros-core/_tls-rustls-ring-native-roots"]
 
@@ -34,6 +35,8 @@ sqlx-toml = ["sqlx-macros-core/sqlx-toml"]
 
 # database
 mysql = ["sqlx-macros-core/mysql"]
+mysql-rsa-aws-lc-rs = ["sqlx-macros-core/mysql-rsa-aws-lc-rs"]
+mysql-rsa-aws-lc-rs-fips = ["sqlx-macros-core/mysql-rsa-aws-lc-rs-fips"]
 postgres = ["sqlx-macros-core/postgres"]
 sqlite = ["sqlx-macros-core/sqlite"]
 sqlite-unbundled = ["sqlx-macros-core/sqlite-unbundled"]

sqlx-mysql/Cargo.toml

@@ -10,10 +10,14 @@ repository.workspace = true
 rust-version.workspace = true
 
 [features]
+default = ["rsa"]
 json = ["sqlx-core/json", "serde"]
 any = ["sqlx-core/any"]
 offline = ["sqlx-core/offline", "serde/derive"]
 migrate = ["sqlx-core/migrate"]
+rsa = ["dep:rand", "dep:rsa"]
+rsa-aws-lc-rs = ["dep:aws-lc-rs", "aws-lc-rs/non-fips", "aws-lc-rs/alloc"]
+rsa-aws-lc-rs-fips = ["dep:aws-lc-rs", "aws-lc-rs/fips", "aws-lc-rs/alloc"]
 
 # Type Integration features
 bigdecimal = ["dep:bigdecimal", "sqlx-core/bigdecimal"]
@@ -37,10 +41,11 @@ digest = { version = "0.10.0", default-features = false, features = ["std"] }
 hkdf = "0.12.0"
 hmac = { version = "0.12.0", default-features = false }
 md-5 = { version = "0.10.0", default-features = false }
-rand = { version = "0.8.4", default-features = false, features = ["std", "std_rng"] }
-rsa = "0.9"
+rand = { version = "0.8.4", default-features = false, features = ["std", "std_rng"], optional = true }
+rsa = { version = "0.9", optional = true }
 sha1 = { version = "0.10.1", default-features = false }
 sha2 = { version = "0.10.0", default-features = false }
+aws-lc-rs = { version = "1.15", default-features = false, optional = true }
 
 # Type Integrations (versions inherited from `[workspace.dependencies]`)
 bigdecimal = { workspace = true, optional = true }
@@ -65,7 +70,7 @@ percent-encoding = "2.1.0"
 smallvec = "1.7.0"
 stringprep = "0.1.2"
 tracing = { version = "0.1.37", features = ["log"] }
-whoami = { version = "1.2.1", default-features = false }
+whoami = { version = "1.6.1", default-features = false }
 
 dotenvy.workspace = true
 thiserror.workspace = true
@@ -74,7 +79,7 @@ serde = { version = "1.0.144", optional = true }
 
 [dev-dependencies]
 # FIXME: https://github.com/rust-lang/cargo/issues/15622
-sqlx = { path = "..", default-features = false, features = ["mysql"] }
+sqlx = { path = "..", default-features = false }
 
 [lints]
 workspace = true