Python Linux wheel now vendors Rustls

Instead of OpenSSL: same security issues and easier compilation
3 years ago · 177f0201c4
parent e5816630d4
commit 177f0201c4
6 changed files with 94 additions and 32 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -94,7 +94,7 @@ jobs:
        with:
          manylinux: auto
          command: build
-          args: -m python/Cargo.toml --cargo-extra-args="--features vendored"
+          args: -m python/Cargo.toml --cargo-extra-args="--no-default-features --features vendored"

  python_wheel_mac:
    runs-on: macos-latest
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -101,7 +101,7 @@ jobs:
        with:
          manylinux: auto
          command: publish
-          args: -m python/Cargo.toml --cargo-extra-args="--features vendored" -u __token__ -p ${{ secrets.PYPI_PASSWORD }}
+          args: -m python/Cargo.toml --cargo-extra-args="--no-default-features --features vendored" -u __token__ -p ${{ secrets.PYPI_PASSWORD }}
  publish_pypi_mac:
    runs-on: macos-latest
    needs: publish_lib_crate
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1389,24 +1389,6 @@ version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "28988d872ab76095a6e6ac88d99b54fd267702734fd7ffe610ca27f533ddb95a"

-[[package]]
-name = "openssl-src"
-version = "111.16.0+1.1.1l"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7ab2173f69416cf3ec12debb5823d244127d23a9b127d5a5189aa97c5fa2859f"
-dependencies = [
- "cc",
-]
-
-[[package]]
-name = "openssl-src"
-version = "300.0.2+3.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14a760a11390b1a5daf72074d4f6ff1a6e772534ae191f999f57e9ee8146d1fb"
-dependencies = [
- "cc",
-]
-
 [[package]]
 name = "openssl-sys"
 version = "0.9.71"
@ -1416,19 +1398,20 @@ dependencies = [
 "autocfg",
 "cc",
 "libc",
- "openssl-src 300.0.2+3.0.0",
 "pkg-config",
 "vcpkg",
 ]

 [[package]]
 name = "oxhttp"
-version = "0.1.2"
+version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac44cb5f8da7f26cdcf0297c7c66d06c927d0d97edac5d62c670a99cf992fd4e"
+checksum = "a383bc499356ce6bc89ea95695c08f68e6c8602923fab7862ffcec94f8ef5502"
 dependencies = [
 "httparse",
 "native-tls",
+ "rustls",
+ "rustls-native-certs",
 "url",
 ]

@ -1790,8 +1773,7 @@ dependencies = [
 name = "pyoxigraph"
 version = "0.3.0-dev"
 dependencies = [
- "native-tls",
- "openssl-src 111.16.0+1.1.1l",
+ "oxhttp",
 "oxigraph",
 "pyo3",
 ]
@ -1967,6 +1949,21 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bd69ab1e90258b7769f0b5c46bfd802b8206d0707ced4ca4b9d5681b744de1be"

+[[package]]
+name = "ring"
+version = "0.16.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
+dependencies = [
+ "cc",
+ "libc",
+ "once_cell",
+ "spin",
+ "untrusted",
+ "web-sys",
+ "winapi 0.3.9",
+]
+
 [[package]]
 name = "rio_api"
 version = "0.6.1"
@ -2020,6 +2017,39 @@ dependencies = [
 "semver 1.0.4",
 ]

+[[package]]
+name = "rustls"
+version = "0.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d37e5e2290f3e040b594b1a9e04377c2c671f1a1cfd9bfdef82106ac1c113f84"
+dependencies = [
+ "log",
+ "ring",
+ "sct",
+ "webpki",
+]
+
+[[package]]
+name = "rustls-native-certs"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5ca9ebdfa27d3fc180e42879037b5338ab1c040c06affd00d8338598e7800943"
+dependencies = [
+ "openssl-probe",
+ "rustls-pemfile",
+ "schannel",
+ "security-framework",
+]
+
+[[package]]
+name = "rustls-pemfile"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9"
+dependencies = [
+ "base64",
+]
+
 [[package]]
 name = "ryu"
 version = "1.0.6"
@ -2057,6 +2087,16 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"

+[[package]]
+name = "sct"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
 [[package]]
 name = "security-framework"
 version = "2.4.2"
@ -2276,6 +2316,12 @@ dependencies = [
 "rand 0.8.4",
 ]

+[[package]]
+name = "spin"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
+
 [[package]]
 name = "standback"
 version = "0.2.17"
@ -2567,6 +2613,12 @@ dependencies = [
 "subtle",
 ]

+[[package]]
+name = "untrusted"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+
 [[package]]
 name = "url"
 version = "2.2.2"
@ -2737,6 +2789,16 @@ dependencies = [
 "wasm-bindgen",
 ]

+[[package]]
+name = "webpki"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
 [[package]]
 name = "wepoll-ffi"
 version = "0.1.2"
--- a/lib/Cargo.toml
+++ b/lib/Cargo.toml
@ -55,7 +55,7 @@ getrandom = {version="0.2", features=["js"]}

 [dev-dependencies]
 criterion = "0.3"
-oxhttp = { version = "^0.1.2", features = ["native-tls"] }
+oxhttp = "0.1"
 sophia_api = { version = "0.7", features = ["test_macro"] }
 zstd = "0.9"

--- a/python/Cargo.toml
+++ b/python/Cargo.toml
@ -16,10 +16,10 @@ name = "pyoxigraph"
 doctest = false

 [dependencies]
-oxigraph = {version = "0.3.0-dev", path="../lib", features = ["http_client"]}
-pyo3 = {version = "0.15", features = ["extension-module", "abi3-py36"]}
-native-tls = "0.2"
-openssl-src = { version = "111.16.0+1.1.1l", optional = true }
+oxigraph = { version = "0.3.0-dev", path="../lib", features = ["http_client"] }
+pyo3 = { version = "0.15", features = ["extension-module", "abi3-py36"] }
+oxhttp = "0.1"

 [features]
-vendored = ["native-tls/vendored", "openssl-src"]
+default = ["oxhttp/native-tls"]
+vendored = ["oxhttp/rustls"]
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@ -12,7 +12,7 @@ Oxigraph SPARQL HTTP server
 edition = "2021"

 [dependencies]
-oxhttp = "0.1"
+oxhttp = { version = "0.1", features = ["native-tls"] }
 clap = "2"
 oxigraph = { version = "0.3.0-dev", path = "../lib", features = ["http_client"] }
 rand = "0.8"