Remove tls-unique channel binding

This got axed in the stable PostgreSQL 11 stable release.
2018-11-28 20:09:04 -08:00 · 2018-11-28 20:09:04 -08:00 · 39e2723ccb
commit 39e2723ccb
parent a24b927bbb
3 changed files with 19 additions and 23 deletions
--- a/tokio-postgres-openssl/src/lib.rs
+++ b/tokio-postgres-openssl/src/lib.rs
@ -10,6 +10,8 @@ extern crate futures;
 extern crate tokio;

 use futures::{Async, Future, Poll};
+use openssl::hash::MessageDigest;
+use openssl::nid::Nid;
 use openssl::ssl::{ConnectConfiguration, HandshakeError, SslRef};
 use std::fmt::Debug;
 use tokio_io::{AsyncRead, AsyncWrite};
@ -58,19 +60,22 @@ where
    fn poll(&mut self) -> Poll<(SslStream<S>, ChannelBinding), HandshakeError<S>> {
        let stream = try_ready!(self.0.poll());

-        let f = if stream.get_ref().ssl().session_reused() {
-            SslRef::peer_finished
-        } else {
-            SslRef::finished
-        };
+        let mut channel_binding = ChannelBinding::new();
+        if let Some(buf) = tls_server_end_point(stream.get_ref().ssl()) {
+            channel_binding = channel_binding.tls_server_end_point(buf);
+        }

-        let len = f(stream.get_ref().ssl(), &mut []);
-        let mut tls_unique = vec![0; len];
-        f(stream.get_ref().ssl(), &mut tls_unique);
-
-        Ok(Async::Ready((
-            stream,
-            ChannelBinding::new().tls_unique(tls_unique),
-        )))
+        Ok(Async::Ready((stream, channel_binding)))
    }
 }
+
+fn tls_server_end_point(ssl: &SslRef) -> Option<Vec<u8>> {
+    let cert = ssl.peer_certificate()?;
+    let algo_nid = cert.signature_algorithm().object().nid();
+    let signature_algorithms = algo_nid.signature_algorithms()?;
+    let md = match signature_algorithms.digest {
+        Nid::MD5 | Nid::SHA1 => MessageDigest::sha256(),
+        nid => MessageDigest::from_nid(nid)?,
+    };
+    cert.digest(md).ok().map(|b| b.to_vec())
+}
--- a/tokio-postgres/src/proto/connect.rs
+++ b/tokio-postgres/src/proto/connect.rs
@ -156,9 +156,7 @@ where
                    }
                }

-                let channel_binding = if let Some(tls_unique) = state.channel_binding.tls_unique {
-                    Some(sasl::ChannelBinding::tls_unique(tls_unique))
-                } else if let Some(tls_server_end_point) =
+                let channel_binding = if let Some(tls_server_end_point) =
                    state.channel_binding.tls_server_end_point
                {
                    Some(sasl::ChannelBinding::tls_server_end_point(
--- a/tokio-postgres/src/tls.rs
+++ b/tokio-postgres/src/tls.rs
@ -9,14 +9,12 @@ use void::Void;

 pub struct ChannelBinding {
    pub(crate) tls_server_end_point: Option<Vec<u8>>,
-    pub(crate) tls_unique: Option<Vec<u8>>,
 }

 impl ChannelBinding {
    pub fn new() -> ChannelBinding {
        ChannelBinding {
            tls_server_end_point: None,
-            tls_unique: None,
        }
    }

@ -24,11 +22,6 @@ impl ChannelBinding {
        self.tls_server_end_point = Some(tls_server_end_point);
        self
    }
-
-    pub fn tls_unique(mut self, tls_unique: Vec<u8>) -> ChannelBinding {
-        self.tls_unique = Some(tls_unique);
-        self
-    }
 }

 pub trait TlsMode<S> {