MAL-359 Add RPK support to tokio-boring

Assertions were added to the methods that can't be used in RPK mode. Without those we would hit assertions in BoringSSL code which causes SIGTERM on FFI boundary.
nox · Apr 28, 2021 · 7f2cdcd · 7f2cdcd
1 parent 54375d1
commit 7f2cdcd
Show file tree

Hide file tree

Showing 5 changed files with 282 additions and 28 deletions.
diff --git a/boring/src/ssl/connector.rs b/boring/src/ssl/connector.rs
@@ -20,9 +20,17 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
 -----END DH PARAMETERS-----
 ";
 
+enum ContextType {
+    WithMethod(SslMethod),
+    Rpk,
+}
+
 #[allow(clippy::inconsistent_digit_grouping)]
-fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
-    let mut ctx = SslContextBuilder::new(method)?;
+fn ctx(ty: ContextType) -> Result<SslContextBuilder, ErrorStack> {
+    let mut ctx = match ty {
+        ContextType::WithMethod(method) => SslContextBuilder::new(method),
+        ContextType::Rpk => SslContextBuilder::new_rpk(),
+    }?;
 
     let mut opts = SslOptions::ALL
         | SslOptions::NO_COMPRESSION
@@ -64,7 +72,7 @@ impl SslConnector {
     ///
     /// The default configuration is subject to change, and is currently derived from Python.
     pub fn builder(method: SslMethod) -> Result<SslConnectorBuilder, ErrorStack> {
-        let mut ctx = ctx(method)?;
+        let mut ctx = ctx(ContextType::WithMethod(method))?;
         ctx.set_default_verify_paths()?;
         ctx.set_cipher_list(
             "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK",
@@ -74,6 +82,16 @@ impl SslConnector {
         Ok(SslConnectorBuilder(ctx))
     }
 
+    /// Creates a new builder for TLS connections with raw public key.
+    pub fn rpk_builder() -> Result<SslConnectorBuilder, ErrorStack> {
+        let mut ctx = ctx(ContextType::Rpk)?;
+        ctx.set_cipher_list(
+            "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK",
+        )?;
+
+        Ok(SslConnectorBuilder(ctx))
+    }
+
     /// Initiates a client-side TLS session on a stream.
     ///
     /// The domain is used for SNI and hostname verification.
@@ -179,7 +197,7 @@ impl ConnectConfiguration {
             self.ssl.set_hostname(domain)?;
         }
 
-        if self.verify_hostname {
+        if !self.ssl.ssl_context().is_rpk() && self.verify_hostname {
             setup_verify_hostname(&mut self.ssl, domain)?;
         }
 
@@ -209,6 +227,19 @@ impl DerefMut for ConnectConfiguration {
 pub struct SslAcceptor(SslContext);
 
 impl SslAcceptor {
+    pub fn rpk() -> Result<SslAcceptorBuilder, ErrorStack> {
+        let mut ctx = ctx(ContextType::Rpk)?;
+        ctx.set_options(SslOptions::NO_TLSV1 | SslOptions::NO_TLSV1_1);
+        let dh = Dh::params_from_pem(FFDHE_2048.as_bytes())?;
+        ctx.set_tmp_dh(&dh)?;
+        ctx.set_cipher_list(
+            "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:\
+             ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
+             DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+        )?;
+        Ok(SslAcceptorBuilder(ctx))
+    }
+
     /// Creates a new builder configured to connect to non-legacy clients. This should generally be
     /// considered a reasonable default choice.
     ///
@@ -217,7 +248,7 @@ impl SslAcceptor {
     ///
     /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS
     pub fn mozilla_intermediate_v5(method: SslMethod) -> Result<SslAcceptorBuilder, ErrorStack> {
-        let mut ctx = ctx(method)?;
+        let mut ctx = ctx(ContextType::WithMethod(method))?;
         ctx.set_options(SslOptions::NO_TLSV1 | SslOptions::NO_TLSV1_1);
         let dh = Dh::params_from_pem(FFDHE_2048.as_bytes())?;
         ctx.set_tmp_dh(&dh)?;
@@ -238,7 +269,7 @@ impl SslAcceptor {
     /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS
     // FIXME remove in next major version
     pub fn mozilla_intermediate(method: SslMethod) -> Result<SslAcceptorBuilder, ErrorStack> {
-        let mut ctx = ctx(method)?;
+        let mut ctx = ctx(ContextType::WithMethod(method))?;
         ctx.set_options(SslOptions::CIPHER_SERVER_PREFERENCE);
         ctx.set_options(SslOptions::NO_TLSV1_3);
         let dh = Dh::params_from_pem(FFDHE_2048.as_bytes())?;
@@ -264,7 +295,7 @@ impl SslAcceptor {
     /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS
     // FIXME remove in next major version
     pub fn mozilla_modern(method: SslMethod) -> Result<SslAcceptorBuilder, ErrorStack> {
-        let mut ctx = ctx(method)?;
+        let mut ctx = ctx(ContextType::WithMethod(method))?;
         ctx.set_options(
             SslOptions::CIPHER_SERVER_PREFERENCE | SslOptions::NO_TLSV1 | SslOptions::NO_TLSV1_1,
         );