WIP: add support for mssql + TLS

CHANGELOG.md

@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.6.28
+
+- Add sqlx version information to pre-login message in mssql
+- Add support for encrypted Microsoft SQL server connections (using TLS)
+
 ## 0.6.27
 
 - Fix pg i8 decode

sqlx-core/Cargo.toml

@@ -90,7 +90,7 @@ runtime-tokio-rustls = [
 
 # for conditional compilation
 _rt-async-std = []
-_rt-tokio = ["tokio-stream"]
+_rt-tokio = ["tokio-stream", "tokio-util"]
 _tls-native-tls = []
 _tls-rustls = ["rustls", "rustls-pemfile", "webpki-roots"]
 
@@ -119,7 +119,7 @@ either = "1.6.1"
 futures-channel = { version = "0.3.19", default-features = false, features = ["sink", "alloc", "std"] }
 futures-core = { version = "0.3.19", default-features = false }
 futures-intrusive = "0.5.0"
-futures-util = { version = "0.3.19", default-features = false, features = ["alloc", "sink"] }
+futures-util = { version = "0.3.19", default-features = false, features = ["alloc", "sink", "io"] }
 # used by the SQLite worker thread to block on the async mutex that locks the database handle
 futures-executor = { version = "0.3.19", optional = true }
 flume = { version = "0.11.0", optional = true, default-features = false, features = ["async"] }
@@ -154,6 +154,7 @@ sqlformat = "0.2.0"
 thiserror = "1.0.30"
 time = { version = "0.3.2", features = ["macros", "formatting", "parsing"], optional = true }
 tokio-stream = { version = "0.1.8", features = ["fs"], optional = true }
+tokio-util = { version = "0.7.0", features = ["compat"], default-features = false, optional = true }
 smallvec = "1.7.0"
 url = { version = "2.2.2", default-features = false }
 uuid = { version = "1.0", default-features = false, optional = true, features = ["std"] }

sqlx-core/src/mssql/connection/establish.rs

@@ -18,11 +18,19 @@ impl MssqlConnection {
  // TODO: Encryption
  // TODO: Send the version of SQLx over
 
+ let encryption = match options.encrypt {
+ Some(true) => Encrypt::Required,
+ Some(false) => Encrypt::NotSupported,
+ None => Encrypt::On,
+ };
+
+ log::debug!("Sending T-SQL PRELOGIN with encryption: {:?}", encryption);
+
  stream.write_packet(
  PacketType::PreLogin,
  PreLogin {
  version: Version::default(),
- encryption: Encrypt::NOT_SUPPORTED,
+ encryption,
  instance: options.instance.clone(),
 
  ..Default::default()
@@ -32,7 +40,14 @@ impl MssqlConnection {
  stream.flush().await?;
 
  let (_, packet) = stream.recv_packet().await?;
- let _ = PreLogin::decode(packet)?;
+ let prelogin_response = PreLogin::decode(packet)?;
+
+ if matches!(
+ prelogin_response.encryption,
+ Encrypt::Required | Encrypt::On
+ ) {
+ stream.setup_encryption().await?;
+ }
 
  // LOGIN7 defines the authentication rules for use between client and server
 

sqlx-core/src/mssql/connection/mod.rs

@@ -15,6 +15,7 @@ mod establish;
 mod executor;
 mod prepare;
 mod stream;
+mod tls_prelogin_stream_wrapper;
 
 pub struct MssqlConnection {
  pub(crate) stream: MssqlStream,

sqlx-core/src/mssql/connection/stream.rs

@@ -6,6 +6,7 @@ use sqlx_rt::TcpStream;
 use crate::error::Error;
 use crate::ext::ustr::UStr;
 use crate::io::{BufStream, Encode};
+use crate::mssql::connection::tls_prelogin_stream_wrapper::TlsPreloginWrapper;
 use crate::mssql::protocol::col_meta_data::ColMetaData;
 use crate::mssql::protocol::done::{Done, Status as DoneStatus};
 use crate::mssql::protocol::env_change::EnvChange;
@@ -19,12 +20,12 @@ use crate::mssql::protocol::return_status::ReturnStatus;
 use crate::mssql::protocol::return_value::ReturnValue;
 use crate::mssql::protocol::row::Row;
 use crate::mssql::{MssqlColumn, MssqlConnectOptions, MssqlDatabaseError};
-use crate::net::MaybeTlsStream;
+use crate::net::{MaybeTlsStream, TlsConfig};
 use crate::HashMap;
 use std::sync::Arc;
 
 pub(crate) struct MssqlStream {
- inner: BufStream<MaybeTlsStream<TcpStream>>,
+ inner: BufStream<MaybeTlsStream<TlsPreloginWrapper<TcpStream>>>,
 
  // how many Done (or Error) we are currently waiting for
  pub(crate) pending_done_count: usize,
@@ -44,13 +45,15 @@ pub(crate) struct MssqlStream {
 
  // Maximum size of packets to send to the server
  pub(crate) max_packet_size: usize,
+
+ options: MssqlConnectOptions,
 }
 
 impl MssqlStream {
  pub(super) async fn connect(options: &MssqlConnectOptions) -> Result<Self, Error> {
- let inner = BufStream::new(MaybeTlsStream::Raw(
-  TcpStream::connect((&*options.host, options.port)).await?,
- ));
+ let tcp_stream = TcpStream::connect((&*options.host, options.port)).await?;
+ let wrapped_stream = TlsPreloginWrapper::new(tcp_stream);
+ let inner = BufStream::new(MaybeTlsStream::Raw(wrapped_stream));
 
  Ok(Self {
  inner,
@@ -64,6 +67,7 @@ impl MssqlStream {
  .requested_packet_size
  .try_into()
  .unwrap_or(usize::MAX),
+ options: options.clone(),
  })
  }
 
@@ -206,10 +210,25 @@ impl MssqlStream {
 
  Ok(())
  }
+
+ pub(crate) async fn setup_encryption(&mut self) -> Result<(), Error> {
+ let tls_config = TlsConfig {
+ accept_invalid_certs: true,
+ hostname: &self.options.host,
+ accept_invalid_hostnames: true,
+ root_cert_path: None,
+ client_cert_path: None,
+ client_key_path: None,
+ };
+ self.inner.deref_mut().start_handshake();
+ self.inner.upgrade(tls_config).await?;
+ self.inner.deref_mut().handshake_complete();
+ Ok(())
+ }
 }
 
 // writes the packet out to the write buffer
-fn write_packets<'en, T: Encode<'en>>(
+pub(crate) fn write_packets<'en, T: Encode<'en>>(
  buffer: &mut Vec<u8>,
  max_packet_size: usize,
  ty: PacketType,
@@ -313,7 +332,7 @@ fn test_write_packets() {
 }
 
 impl Deref for MssqlStream {
- type Target = BufStream<MaybeTlsStream<TcpStream>>;
+ type Target = BufStream<MaybeTlsStream<TlsPreloginWrapper<TcpStream>>>;
 
  fn deref(&self) -> &Self::Target {
  &self.inner

sqlx-core/src/mssql/connection/tls_prelogin_stream_wrapper.rs

@@ -0,0 +1,176 @@
+// Original implementation from tiberius: https://github.com/prisma/tiberius/blob/main/src/client/tls.rs
+
+use crate::mssql::protocol::packet::{PacketHeader, PacketType};
+
+use super::stream::write_packets;
+
+use crate::io::Decode;
+use bytes::Bytes;
+use sqlx_rt::{AsyncRead, AsyncWrite, ReadBuf};
+use std::cmp;
+use std::io;
+use std::pin::Pin;
+use std::task::{self, ready, Poll};
+
+/// This wrapper handles TDS (Tabular Data Stream) packet encapsulation during the TLS handshake phase
+/// of a connection to a Microsoft SQL Server.
+///
+/// In the PRELOGIN phase of the TDS protocol, all communication must be wrapped in TDS packets,
+/// even during TLS negotiation. This presents a challenge when using standard TLS libraries,
+/// which expect to work with raw TCP streams.
+///
+/// This wrapper solves the problem by:
+/// 1. During handshake:
+/// - For writes: It buffers outgoing data and wraps it in TDS packets before sending.
+/// Each packet starts with an 8-byte header containing type (0x12 for PRELOGIN),
+/// status flags, length, and other metadata.
+/// - For reads: It strips the TDS packet headers from incoming data before passing
+/// it to the TLS library.
+/// 2. After handshake:
+/// - It becomes transparent, directly passing through all reads and writes to the
+/// underlying stream without modification.
+///
+/// This allows us to use standard TLS libraries while still conforming to the TDS protocol
+/// requirements for the PRELOGIN phase.
+
+const HEADER_BYTES: usize = 8;
+
+pub(crate) struct TlsPreloginWrapper<S> {
+ stream: S,
+ pending_handshake: bool,
+
+ header_buf: [u8; HEADER_BYTES],
+ header_pos: usize,
+ read_remaining: usize,
+
+ wr_buf: Vec<u8>,
+ header_written: bool,
+}
+
+impl<S> TlsPreloginWrapper<S> {
+ pub fn new(stream: S) -> Self {
+ TlsPreloginWrapper {
+ stream,
+ pending_handshake: false,
+
+ header_buf: [0u8; HEADER_BYTES],
+ header_pos: 0,
+ read_remaining: 0,
+ wr_buf: Vec::new(),
+ header_written: false,
+ }
+ }
+
+ pub fn start_handshake(&mut self) {
+ self.pending_handshake = true;
+ }
+
+ pub fn handshake_complete(&mut self) {
+ self.pending_handshake = false;
+ }
+}
+
+impl<S: AsyncRead + AsyncWrite + Unpin + Send> AsyncRead for TlsPreloginWrapper<S> {
+ fn poll_read(
+ mut self: Pin<&mut Self>,
+ cx: &mut task::Context<'_>,
+ buf: &mut ReadBuf<'_>,
+ ) -> Poll<io::Result<()>> {
+ if !self.pending_handshake {
+ return Pin::new(&mut self.stream).poll_read(cx, buf);
+ }
+
+ let inner = self.get_mut();
+
+ if !inner.header_buf[inner.header_pos..].is_empty() {
+ while !inner.header_buf[inner.header_pos..].is_empty() {
+ let mut header_buf = ReadBuf::new(&mut inner.header_buf[inner.header_pos..]);
+ ready!(Pin::new(&mut inner.stream).poll_read(cx, &mut header_buf))?;
+
+ let read = header_buf.filled().len();
+ if read == 0 {
+ return Poll::Ready(Ok(()));
+ }
+
+ inner.header_pos += read;
+ }
+
+ let header: PacketHeader = Decode::decode(Bytes::copy_from_slice(&inner.header_buf))
+ .map_err(|err| io::Error::new(io::ErrorKind::Other, err))?;
+
+ inner.read_remaining = usize::from(header.length) - HEADER_BYTES;
+
+ log::trace!(
+ "Discarding header ({:?}), reading packet of {} bytes",
+ header,
+ inner.read_remaining,
+ );
+ }
+
+ let max_read = std::cmp::min(inner.read_remaining, buf.remaining());
+ let mut limited_buf = buf.take(max_read);
+
+ ready!(Pin::new(&mut inner.stream).poll_read(cx, &mut limited_buf))?;
+
+ let read = limited_buf.filled().len();
+ buf.advance(read);
+ inner.read_remaining -= read;
+
+ if inner.read_remaining == 0 {
+ inner.header_pos = 0;
+ }
+
+ Poll::Ready(Ok(()))
+ }
+}
+
+impl<S: AsyncRead + AsyncWrite + Unpin + Send> AsyncWrite for TlsPreloginWrapper<S> {
+ fn poll_write(
+ mut self: Pin<&mut Self>,
+ cx: &mut task::Context<'_>,
+ buf: &[u8],
+ ) -> Poll<io::Result<usize>> {
+ // Normal operation does not need any extra treatment, we handle
+ // packets in the codec.
+ if !self.pending_handshake {
+ return Pin::new(&mut self.stream).poll_write(cx, buf);
+ }
+
+ // Buffering data.
+ self.wr_buf.extend_from_slice(buf);
+
+ Poll::Ready(Ok(buf.len()))
+ }
+
+ fn poll_flush(self: Pin<&mut Self>, cx: &mut task::Context<'_>) -> Poll<io::Result<()>> {
+ let inner = self.get_mut();
+
+ // If on handshake mode, wraps the data to a TDS packet before sending.
+ if inner.pending_handshake {
+ if !inner.header_written {
+ let buf = std::mem::take(&mut inner.wr_buf);
+ write_packets(
+ &mut inner.wr_buf,
+ 4096,
+ PacketType::PreLogin,
+ buf.as_slice(),
+ );
+ inner.header_written = true;
+ }
+
+ while !inner.wr_buf.is_empty() {
+ let written = ready!(Pin::new(&mut inner.stream).poll_write(cx, &inner.wr_buf))?;
+
+ inner.wr_buf.drain(..written);
+ }
+
+ inner.header_written = false;
+ }
+
+ Pin::new(&mut inner.stream).poll_flush(cx)
+ }
+
+ fn poll_shutdown(mut self: Pin<&mut Self>, cx: &mut task::Context<'_>) -> Poll<io::Result<()>> {
+ Pin::new(&mut self.stream).poll_shutdown(cx)
+ }
+}