openssl: add from_tls_config constructor

uce · uce · commit 0a828636fd2d · 2021-05-18T12:40:37.000+02:00
Adds a convenience constructor that creates a `MakeTlsConnector` that matches the semantics of Postgres clients. Check out https://www.postgresql.org/docs/current/libpq-ssl.html for more details on the expected behavior.
diff --git a/postgres-openssl/src/lib.rs b/postgres-openssl/src/lib.rs
@@ -43,30 +43,41 @@
 
 #[cfg(feature = "runtime")]
 use openssl::error::ErrorStack;
-use openssl::hash::MessageDigest;
-use openssl::nid::Nid;
 #[cfg(feature = "runtime")]
 use openssl::ssl::SslConnector;
-use openssl::ssl::{self, ConnectConfiguration, SslRef};
+use openssl::ssl::{self, ConnectConfiguration, SslFiletype, SslRef};
 use openssl::x509::X509VerifyResult;
-use std::error::Error;
+use openssl::{hash::MessageDigest, ssl::SslMethod};
+use openssl::{nid::Nid, ssl::SslVerifyMode};
 use std::fmt::{self, Debug};
 use std::future::Future;
 use std::io;
 use std::pin::Pin;
 #[cfg(feature = "runtime")]
 use std::sync::Arc;
 use std::task::{Context, Poll};
+use std::{error::Error, path::PathBuf};
 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
 use tokio_openssl::SslStream;
-use tokio_postgres::tls;
 #[cfg(feature = "runtime")]
 use tokio_postgres::tls::MakeTlsConnect;
 use tokio_postgres::tls::{ChannelBinding, TlsConnect};
+use tokio_postgres::{config::SslMode, tls};
 
 #[cfg(test)]
 mod test;
 
+/// TLS configuration.
+#[cfg(feature = "runtime")]
+pub struct TlsConfig {
+    /// SSL mode (`sslmode`).
+    pub mode: SslMode,
+    /// Location of the client cert and key (`sslcert`, `sslkey`).
+    pub client_cert: Option<(PathBuf, PathBuf)>,
+    /// Location of the root certificate (`sslrootcert`).
+    pub root_cert: Option<PathBuf>,
+}
+
 /// A `MakeTlsConnect` implementation using the `openssl` crate.
 ///
 /// Requires the `runtime` Cargo feature (enabled by default).
@@ -87,6 +98,59 @@ impl MakeTlsConnector {
         }
     }
 
+    /// Creates a new connector from the provided [`TlsConfig`].
+    ///
+    /// The returned [`MakeTlsConnector`] will be configured to mimick libpq-ssl behavior.
+    pub fn from_tls_config(tls_config: TlsConfig) -> Result<MakeTlsConnector, ErrorStack> {
+        let mut builder = SslConnector::builder(SslMethod::tls_client())?;
+        // The mode dictates whether we verify peer certs and hostnames. By default, Postgres is
+        // pretty relaxed and recommends SslMode::VerifyCa or SslMode::VerifyFull for security.
+        //
+        // For more details, check out Table 33.1. SSL Mode Descriptions in
+        // https://postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION.
+        let (verify_mode, verify_hostname) = match tls_config.mode {
+            SslMode::Disable | SslMode::Prefer => (SslVerifyMode::NONE, false),
+            SslMode::Require => match tls_config.root_cert {
+                // If a root CA file exists, the behavior of sslmode=require will be the same as
+                // that of verify-ca, meaning the server certificate is validated against the CA.
+                //
+                // For more details, check out the note about backwards compatibility in
+                // https://postgresql.org/docs/current/libpq-ssl.html#LIBQ-SSL-CERTIFICATES.
+                Some(_) => (SslVerifyMode::PEER, false),
+                None => (SslVerifyMode::NONE, false),
+            },
+            SslMode::VerifyCa => (SslVerifyMode::PEER, false),
+            SslMode::VerifyFull => (SslVerifyMode::PEER, true),
+            _ => panic!("unexpected sslmode {:?}", tls_config.mode),
+        };
+
+        // Configure peer verification
+        builder.set_verify(verify_mode);
+
+        // Configure certificates
+        if tls_config.client_cert.is_some() {
+            let (cert, key) = tls_config.client_cert.unwrap();
+            builder.set_certificate_file(cert, SslFiletype::PEM)?;
+            builder.set_private_key_file(key, SslFiletype::PEM)?;
+        }
+        if tls_config.root_cert.is_some() {
+            builder.set_ca_file(tls_config.root_cert.unwrap())?;
+        }
+
+        let mut tls_connector = MakeTlsConnector::new(builder.build());
+
+        // Configure hostname verification
+        match (verify_mode, verify_hostname) {
+            (SslVerifyMode::PEER, false) => tls_connector.set_callback(|connect, _| {
+                connect.set_verify_hostname(false);
+                Ok(())
+            }),
+            _ => {}
+        }
+
+        Ok(tls_connector)
+    }
+
     /// Sets a callback used to apply per-connection configuration.
     ///
     /// The the callback is provided the domain name along with the `ConnectConfiguration`.
diff --git a/postgres-openssl/src/test.rs b/postgres-openssl/src/test.rs
@@ -25,6 +25,15 @@ where
     assert_eq!(rows[0].get::<_, i32>(0), 1);
 }
 
+async fn from_tls_config_smoke_test(config: TlsConfig) {
+    let mut connector = MakeTlsConnector::from_tls_config(config).unwrap();
+    smoke_test(
+        "user=ssl_user dbname=postgres",
+        MakeTlsConnect::<TcpStream>::make_tls_connect(&mut connector, "localhost").unwrap(),
+    )
+    .await
+}
+
 #[tokio::test]
 async fn require() {
     let mut builder = SslConnector::builder(SslMethod::tls()).unwrap();
@@ -109,3 +118,97 @@ async fn runtime() {
     assert_eq!(rows.len(), 1);
     assert_eq!(rows[0].get::<_, i32>(0), 1);
 }
+
+#[tokio::test]
+async fn from_tls_config_base() {
+    from_tls_config_smoke_test(TlsConfig {
+        mode: SslMode::Disable,
+        client_cert: None,
+        root_cert: None,
+    })
+    .await;
+
+    from_tls_config_smoke_test(TlsConfig {
+        mode: SslMode::Prefer,
+        client_cert: None,
+        root_cert: None,
+    })
+    .await;
+
+    from_tls_config_smoke_test(TlsConfig {
+        mode: SslMode::Require,
+        client_cert: None,
+        root_cert: None,
+    })
+    .await;
+
+    from_tls_config_smoke_test(TlsConfig {
+        mode: SslMode::Require,
+        client_cert: None,
+        root_cert: Some(PathBuf::from("../test/server.crt")),
+    })
+    .await;
+
+    from_tls_config_smoke_test(TlsConfig {
+        mode: SslMode::VerifyCa,
+        client_cert: None,
+        root_cert: Some(PathBuf::from("../test/server.crt")),
+    })
+    .await;
+
+    from_tls_config_smoke_test(TlsConfig {
+        mode: SslMode::VerifyFull,
+        client_cert: None,
+        root_cert: Some(PathBuf::from("../test/server.crt")),
+    })
+    .await;
+}
+
+#[tokio::test]
+#[should_panic(expected = "certificate verify failed")]
+async fn from_tls_config_require_with_wrong_root_cert_err() {
+    from_tls_config_smoke_test(TlsConfig {
+        mode: SslMode::Require,
+        client_cert: None,
+        root_cert: Some(PathBuf::from("../test/other.crt")),
+    })
+    .await;
+}
+
+#[tokio::test]
+#[should_panic(expected = "certificate verify failed")]
+async fn from_tls_config_verify_ca_with_wrong_root_cert_err() {
+    from_tls_config_smoke_test(TlsConfig {
+        mode: SslMode::VerifyCa,
+        client_cert: None,
+        root_cert: Some(PathBuf::from("../test/other.crt")),
+    })
+    .await;
+}
+
+#[tokio::test]
+#[should_panic(expected = "certificate verify failed")]
+async fn from_tls_config_verify_full_with_wrong_root_cert_err() {
+    from_tls_config_smoke_test(TlsConfig {
+        mode: SslMode::VerifyFull,
+        client_cert: None,
+        root_cert: Some(PathBuf::from("../test/other.crt")),
+    })
+    .await;
+}
+
+#[tokio::test]
+#[should_panic(expected = "Hostname mismatch")]
+async fn from_tls_config_verify_full_with_wrong_hostname_err() {
+    let tls_config = TlsConfig {
+        mode: SslMode::VerifyFull,
+        client_cert: None,
+        root_cert: Some(PathBuf::from("../test/server.crt")),
+    };
+    let mut connector = MakeTlsConnector::from_tls_config(tls_config).unwrap();
+    smoke_test(
+        "user=ssl_user dbname=postgres",
+        MakeTlsConnect::<TcpStream>::make_tls_connect(&mut connector, "otherhost").unwrap(),
+    )
+    .await
+}
diff --git a/test/other.crt b/test/other.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFDCCAfygAwIBAgIJAMpak9jpV15CMA0GCSqGSIb3DQEBBQUAMA8xDTALBgNV
+BAMMBHJvb3QwHhcNMjEwNTEyMDg1NDEyWhcNMzEwNTEwMDg1NDEyWjAPMQ0wCwYD
+VQQDDARyb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyuPNlaHj
+ssg2sQQ0CmbMl9KocZufjAmXdW7GCDvwXGRFSw+HPwKbcOPmmI96/JEO0jf9lExh
+pLoMJsi6IuwL1IpXOkwLmZbiNMaJxC7SbQ/J6f3EdVfdKA15YfgCjHZBVomK+nSy
+S0AERKypPNO+tv23wtpM7YmUw8O0e08Aqi7PLENyT4McBF6sSSV94OP+o4GOQ2rT
+TMM+lrze1t+YQjhwOFjF3sKTrmE9J9F5R5/eN1syPlS2xLyN+bmWaByK64myNfh3
+fRcjpiVfhkbePkuitJBo5MfUHgn90q2Y1OtP/7UhsJX5XUgmRFY1iGiIMkB2jmEr
+6Ugy8rFuYMuIkwIDAQABo3MwcTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTL
+5f6++2fV0v/Y3WJYo4zkEbv7DzA/BgNVHSMEODA2gBTL5f6++2fV0v/Y3WJYo4zk
+Ebv7D6ETpBEwDzENMAsGA1UEAwwEcm9vdIIJAMpak9jpV15CMA0GCSqGSIb3DQEB
+BQUAA4IBAQAmOb/aXndz63uk6eSrwkwwM4oAeie333kosG3Bpzo5/EdNEvsZRLs9
+xhZRYCoyW/pBOcPs7FAI90G/1OuhoQk8MkvjS5MukZmcNj2Yrew6/1WedfHwwIYV
+q9Wt6WaXRNu/pMn2IHrNrBaC1utmHIF5Yj2njVDIUGWbe3xBUl90dxHtt11830fc
+N6rqSZiBRMwK8Il2z31VPCCbURX/9BI1TUfgZbOyvEDA43QEUTIDfxTbkZKUC7KF
+7ClcHl7Py4kqlPkpkyWKBrnokMNRDKGlSDDYy1+hDO/xObx2U6Z1x/ksv/+G05fI
+hfrnzZaanvotLMZf2Fut1Ee5BjsnZE3Y
+-----END CERTIFICATE-----
