Merge remote-tracking branch 'origin/master' into time-overflow

.github/workflows/ci.yml

@@ -73,16 +73,18 @@ jobs:
           path: target
           key: check-wasm32-target-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }}
       - run: cargo check --target wasm32-unknown-unknown --manifest-path tokio-postgres/Cargo.toml --no-default-features --features js
+        env:
+          RUSTFLAGS: --cfg getrandom_backend="wasm_js"
 
   test:
     name: test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - run: docker compose up -d
       - uses: sfackler/actions/rustup@master
         with:
-          version: 1.74.0
+          version: 1.75.0
       - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT
         id: rust-version
       - uses: actions/cache@v3

docker-compose.yml

@@ -1,7 +1,7 @@
 version: '2'
 services:
   postgres:
-    image: postgres:14
+    image: docker.io/postgres:17
     ports:
       - 5433:5433
     volumes:

postgres-native-tls/Cargo.toml

@@ -16,7 +16,7 @@ default = ["runtime"]
 runtime = ["tokio-postgres/runtime"]
 
 [dependencies]
-native-tls = "0.2"
+native-tls = { version = "0.2", features = ["alpn"] }
 tokio = "1.0"
 tokio-native-tls = "0.3"
 tokio-postgres = { version = "0.7.11", path = "../tokio-postgres", default-features = false }

postgres-native-tls/src/lib.rs

@@ -53,6 +53,7 @@
 //! ```
 #![warn(rust_2018_idioms, clippy::all, missing_docs)]
 
+use native_tls::TlsConnectorBuilder;
 use std::future::Future;
 use std::io;
 use std::pin::Pin;
@@ -180,3 +181,10 @@ where
         }
     }
 }
+
+/// Set ALPN for `TlsConnectorBuilder`
+///
+/// This is required when using `sslnegotiation=direct`
+pub fn set_postgresql_alpn(builder: &mut TlsConnectorBuilder) {
+    builder.request_alpns(&["postgresql"]);
+}

postgres-native-tls/src/test.rs

@@ -5,7 +5,7 @@ use tokio_postgres::tls::TlsConnect;
 
 #[cfg(feature = "runtime")]
 use crate::MakeTlsConnector;
-use crate::TlsConnector;
+use crate::{set_postgresql_alpn, TlsConnector};
 
 async fn smoke_test<T>(s: &str, tls: T)
 where
@@ -42,6 +42,21 @@ async fn require() {
     .await;
 }
 
+#[tokio::test]
+async fn direct() {
+    let mut builder = native_tls::TlsConnector::builder();
+    builder.add_root_certificate(
+        Certificate::from_pem(include_bytes!("../../test/server.crt")).unwrap(),
+    );
+    set_postgresql_alpn(&mut builder);
+    let connector = builder.build().unwrap();
+    smoke_test(
+        "user=ssl_user dbname=postgres sslmode=require sslnegotiation=direct",
+        TlsConnector::new(connector, "localhost"),
+    )
+    .await;
+}
+
 #[tokio::test]
 async fn prefer() {
     let connector = native_tls::TlsConnector::builder()

postgres-openssl/src/lib.rs

@@ -53,7 +53,7 @@ use openssl::hash::MessageDigest;
 use openssl::nid::Nid;
 #[cfg(feature = "runtime")]
 use openssl::ssl::SslConnector;
-use openssl::ssl::{self, ConnectConfiguration, SslRef};
+use openssl::ssl::{self, ConnectConfiguration, SslConnectorBuilder, SslRef};
 use openssl::x509::X509VerifyResult;
 use std::error::Error;
 use std::fmt::{self, Debug};
@@ -250,3 +250,10 @@ fn tls_server_end_point(ssl: &SslRef) -> Option<Vec<u8>> {
     };
     cert.digest(md).ok().map(|b| b.to_vec())
 }
+
+/// Set ALPN for `SslConnectorBuilder`
+///
+/// This is required when using `sslnegotiation=direct`
+pub fn set_postgresql_alpn(builder: &mut SslConnectorBuilder) -> Result<(), ErrorStack> {
+    builder.set_alpn_protos(b"\x0apostgresql")
+}

postgres-openssl/src/test.rs

@@ -37,6 +37,19 @@ async fn require() {
     .await;
 }
 
+#[tokio::test]
+async fn direct() {
+    let mut builder = SslConnector::builder(SslMethod::tls()).unwrap();
+    builder.set_ca_file("../test/server.crt").unwrap();
+    set_postgresql_alpn(&mut builder).unwrap();
+    let ctx = builder.build();
+    smoke_test(
+        "user=ssl_user dbname=postgres sslmode=require sslnegotiation=direct",
+        TlsConnector::new(ctx.configure().unwrap(), "localhost"),
+    )
+    .await;
+}
+
 #[tokio::test]
 async fn prefer() {
     let mut builder = SslConnector::builder(SslMethod::tls()).unwrap();

postgres-protocol/Cargo.toml

@@ -10,7 +10,7 @@ readme = "../README.md"
 
 [features]
 default = []
-js = ["getrandom/js"]
+js = ["getrandom/wasm_js"]
 
 [dependencies]
 base64 = "0.22"
@@ -20,7 +20,7 @@ fallible-iterator = "0.2"
 hmac = "0.12"
 md-5 = "0.10"
 memchr = "2.0"
-rand = "0.8"
+rand = "0.9"
 sha2 = "0.10"
 stringprep = "0.1"
-getrandom = { version = "0.2", optional = true }
+getrandom = { version = "0.3", optional = true }

postgres-protocol/src/authentication/sasl.rs

@@ -136,10 +136,10 @@ impl ScramSha256 {
     /// Constructs a new instance which will use the provided password for authentication.
     pub fn new(password: &[u8], channel_binding: ChannelBinding) -> ScramSha256 {
         // rand 0.5's ThreadRng is cryptographically secure
-        let mut rng = rand::thread_rng();
+        let mut rng = rand::rng();
         let nonce = (0..NONCE_LENGTH)
             .map(|_| {
-                let mut v = rng.gen_range(0x21u8..0x7e);
+                let mut v = rng.random_range(0x21u8..0x7e);
                 if v == 0x2c {
                     v = 0x7e
                 }

postgres-protocol/src/message/backend.rs

@@ -475,7 +475,7 @@ pub struct ColumnFormats<'a> {
     remaining: u16,
 }
 
-impl<'a> FallibleIterator for ColumnFormats<'a> {
+impl FallibleIterator for ColumnFormats<'_> {
     type Item = u16;
     type Error = io::Error;
 
@@ -557,7 +557,7 @@ pub struct DataRowRanges<'a> {
     remaining: u16,
 }
 
-impl<'a> FallibleIterator for DataRowRanges<'a> {
+impl FallibleIterator for DataRowRanges<'_> {
     type Item = Option<Range<usize>>;
     type Error = io::Error;
 
@@ -645,7 +645,7 @@ pub struct ErrorField<'a> {
     value: &'a [u8],
 }
 
-impl<'a> ErrorField<'a> {
+impl ErrorField<'_> {
     #[inline]
     pub fn type_(&self) -> u8 {
         self.type_
@@ -717,7 +717,7 @@ pub struct Parameters<'a> {
     remaining: u16,
 }
 
-impl<'a> FallibleIterator for Parameters<'a> {
+impl FallibleIterator for Parameters<'_> {
     type Item = Oid;
     type Error = io::Error;
 

postgres-protocol/src/password/mod.rs

@@ -28,7 +28,7 @@ const SCRAM_DEFAULT_SALT_LEN: usize = 16;
 /// special characters that would require escaping in an SQL command.
 pub fn scram_sha_256(password: &[u8]) -> String {
     let mut salt: [u8; SCRAM_DEFAULT_SALT_LEN] = [0; SCRAM_DEFAULT_SALT_LEN];
-    let mut rng = rand::thread_rng();
+    let mut rng = rand::rng();
     rng.fill_bytes(&mut salt);
     scram_sha_256_salt(password, salt)
 }

postgres-protocol/src/types/mod.rs

@@ -582,7 +582,7 @@ impl<'a> Array<'a> {
 /// An iterator over the dimensions of an array.
 pub struct ArrayDimensions<'a>(&'a [u8]);
 
-impl<'a> FallibleIterator for ArrayDimensions<'a> {
+impl FallibleIterator for ArrayDimensions<'_> {
     type Item = ArrayDimension;
     type Error = StdBox<dyn Error + Sync + Send>;
 
@@ -950,7 +950,7 @@ pub struct PathPoints<'a> {
     buf: &'a [u8],
 }
 
-impl<'a> FallibleIterator for PathPoints<'a> {
+impl FallibleIterator for PathPoints<'_> {
     type Item = Point;
     type Error = StdBox<dyn Error + Sync + Send>;
 

postgres-types/src/lib.rs

@@ -914,7 +914,7 @@ pub enum Format {
     Binary,
 }
 
-impl<'a, T> ToSql for &'a T
+impl<T> ToSql for &T
 where
     T: ToSql,
 {
@@ -963,7 +963,7 @@ impl<T: ToSql> ToSql for Option<T> {
     to_sql_checked!();
 }
 
-impl<'a, T: ToSql> ToSql for &'a [T] {
+impl<T: ToSql> ToSql for &[T] {
     fn to_sql(&self, ty: &Type, w: &mut BytesMut) -> Result<IsNull, Box<dyn Error + Sync + Send>> {
         let member_type = match *ty.kind() {
             Kind::Array(ref member) => member,
@@ -1004,7 +1004,7 @@ impl<'a, T: ToSql> ToSql for &'a [T] {
     to_sql_checked!();
 }
 
-impl<'a> ToSql for &'a [u8] {
+impl ToSql for &[u8] {
     fn to_sql(&self, _: &Type, w: &mut BytesMut) -> Result<IsNull, Box<dyn Error + Sync + Send>> {
         types::bytea_to_sql(self, w);
         Ok(IsNull::No)
@@ -1064,7 +1064,7 @@ impl<T: ToSql> ToSql for Box<[T]> {
     to_sql_checked!();
 }
 
-impl<'a> ToSql for Cow<'a, [u8]> {
+impl ToSql for Cow<'_, [u8]> {
     fn to_sql(&self, ty: &Type, w: &mut BytesMut) -> Result<IsNull, Box<dyn Error + Sync + Send>> {
         <&[u8] as ToSql>::to_sql(&self.as_ref(), ty, w)
     }
@@ -1088,7 +1088,7 @@ impl ToSql for Vec<u8> {
     to_sql_checked!();
 }
 
-impl<'a> ToSql for &'a str {
+impl ToSql for &str {
     fn to_sql(&self, ty: &Type, w: &mut BytesMut) -> Result<IsNull, Box<dyn Error + Sync + Send>> {
         match ty.name() {
             "ltree" => types::ltree_to_sql(self, w),
@@ -1109,7 +1109,7 @@ impl<'a> ToSql for &'a str {
     to_sql_checked!();
 }
 
-impl<'a> ToSql for Cow<'a, str> {
+impl ToSql for Cow<'_, str> {
     fn to_sql(&self, ty: &Type, w: &mut BytesMut) -> Result<IsNull, Box<dyn Error + Sync + Send>> {
         <&str as ToSql>::to_sql(&self.as_ref(), ty, w)
     }
@@ -1256,17 +1256,17 @@ impl BorrowToSql for &dyn ToSql {
     }
 }
 
-impl<'a> sealed::Sealed for Box<dyn ToSql + Sync + 'a> {}
+impl sealed::Sealed for Box<dyn ToSql + Sync + '_> {}
 
-impl<'a> BorrowToSql for Box<dyn ToSql + Sync + 'a> {
+impl BorrowToSql for Box<dyn ToSql + Sync + '_> {
     #[inline]
     fn borrow_to_sql(&self) -> &dyn ToSql {
         self.as_ref()
     }
 }
 
-impl<'a> sealed::Sealed for Box<dyn ToSql + Sync + Send + 'a> {}
-impl<'a> BorrowToSql for Box<dyn ToSql + Sync + Send + 'a> {
+impl sealed::Sealed for Box<dyn ToSql + Sync + Send + '_> {}
+impl BorrowToSql for Box<dyn ToSql + Sync + Send + '_> {
     #[inline]
     fn borrow_to_sql(&self) -> &dyn ToSql {
         self.as_ref()

postgres/src/config.rs

@@ -12,7 +12,7 @@ use std::time::Duration;
 use tokio::runtime;
 #[doc(inline)]
 pub use tokio_postgres::config::{
-    ChannelBinding, Host, LoadBalanceHosts, SslMode, TargetSessionAttrs,
+    ChannelBinding, Host, LoadBalanceHosts, SslMode, SslNegotiation, TargetSessionAttrs,
 };
 use tokio_postgres::error::DbError;
 use tokio_postgres::tls::{MakeTlsConnect, TlsConnect};
@@ -40,6 +40,9 @@ use tokio_postgres::{Error, Socket};
 ///     path to the directory containing Unix domain sockets. Otherwise, it is treated as a hostname. Multiple hosts
 ///     can be specified, separated by commas. Each host will be tried in turn when connecting. Required if connecting
 ///     with the `connect` method.
+/// * `sslnegotiation` - TLS negotiation method. If set to `direct`, the client will perform direct TLS handshake, this only works for PostgreSQL 17 and newer.
+///     Note that you will need to setup ALPN of TLS client configuration to `postgresql` when using direct TLS.
+///     If set to `postgres`, the default value, it follows original postgres wire protocol to perform the negotiation.
 /// * `hostaddr` - Numeric IP address of host to connect to. This should be in the standard IPv4 address format,
 ///     e.g., 172.28.40.9. If your machine supports IPv6, you can also use those addresses.
 ///     If this parameter is not specified, the value of `host` will be looked up to find the corresponding IP address,
@@ -230,6 +233,17 @@ impl Config {
         self.config.get_ssl_mode()
     }
 
+    /// Sets the SSL negotiation method
+    pub fn ssl_negotiation(&mut self, ssl_negotiation: SslNegotiation) -> &mut Config {
+        self.config.ssl_negotiation(ssl_negotiation);
+        self
+    }
+
+    /// Gets the SSL negotiation method
+    pub fn get_ssl_negotiation(&self) -> SslNegotiation {
+        self.config.get_ssl_negotiation()
+    }
+
     /// Adds a host to the configuration.
     ///
     /// Multiple hosts can be specified by calling this method multiple times, and each will be tried in order. On Unix

postgres/src/notifications.rs

@@ -77,7 +77,7 @@ pub struct Iter<'a> {
     connection: ConnectionRef<'a>,
 }
 
-impl<'a> FallibleIterator for Iter<'a> {
+impl FallibleIterator for Iter<'_> {
     type Item = Notification;
     type Error = Error;
 
@@ -100,7 +100,7 @@ pub struct BlockingIter<'a> {
     connection: ConnectionRef<'a>,
 }
 
-impl<'a> FallibleIterator for BlockingIter<'a> {
+impl FallibleIterator for BlockingIter<'_> {
     type Item = Notification;
     type Error = Error;
 
@@ -129,7 +129,7 @@ pub struct TimeoutIter<'a> {
     timeout: Duration,
 }
 
-impl<'a> FallibleIterator for TimeoutIter<'a> {
+impl FallibleIterator for TimeoutIter<'_> {
     type Item = Notification;
     type Error = Error;
 

postgres/src/transaction.rs

@@ -12,7 +12,7 @@ pub struct Transaction<'a> {
     transaction: Option<tokio_postgres::Transaction<'a>>,
 }
 
-impl<'a> Drop for Transaction<'a> {
+impl Drop for Transaction<'_> {
     fn drop(&mut self) {
         if let Some(transaction) = self.transaction.take() {
             let _ = self.connection.block_on(transaction.rollback());

tokio-postgres/Cargo.toml

@@ -59,7 +59,7 @@ postgres-protocol = { version = "0.6.7", path = "../postgres-protocol" }
 postgres-types = { version = "0.2.8", path = "../postgres-types" }
 tokio = { version = "1.27", features = ["io-util"] }
 tokio-util = { version = "0.7", features = ["codec"] }
-rand = "0.8.5"
+rand = "0.9.0"
 whoami = "1.4.1"
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]