Remove tls-unique from blocking postgres crate

Author: sfackler

postgres-openssl/src/lib.rs

@@ -2,7 +2,9 @@ pub extern crate openssl;
 extern crate postgres;
 
 use openssl::error::ErrorStack;
-use openssl::ssl::{ConnectConfiguration, SslConnector, SslMethod, SslRef, SslStream};
+use openssl::hash::MessageDigest;
+use openssl::nid::Nid;
+use openssl::ssl::{ConnectConfiguration, SslConnector, SslMethod, SslStream};
 use postgres::tls::{Stream, TlsHandshake, TlsStream};
 use std::error::Error;
 use std::fmt;
@@ -85,16 +87,14 @@ impl TlsStream for OpenSslStream {
         self.0.get_mut()
     }
 
-    fn tls_unique(&self) -> Option<Vec<u8>> {
-        let f = if self.0.ssl().session_reused() {
-            SslRef::peer_finished
-        } else {
-            SslRef::finished
+    fn tls_server_end_point(&self) -> Option<Vec<u8>> {
+        let cert = self.0.ssl().peer_certificate()?;
+        let algo_nid = cert.signature_algorithm().object().nid();
+        let signature_algorithms = algo_nid.signature_algorithms()?;
+        let md = match signature_algorithms.digest {
+            Nid::MD5 | Nid::SHA1 => MessageDigest::sha256(),
+            nid => MessageDigest::from_nid(nid)?,
         };
-
-        let len = f(self.0.ssl(), &mut []);
-        let mut buf = vec![0; len];
-        f(self.0.ssl(), &mut buf);
-        Some(buf)
+        cert.digest(md).ok().map(|b| b.to_vec())
     }
 }

postgres-protocol/src/authentication/sasl.rs

@@ -59,7 +59,6 @@ fn hi(str: &[u8], salt: &[u8], i: u32) -> GenericArray<u8, U32> {
 enum ChannelBindingInner {
     Unrequested,
     Unsupported,
-    TlsUnique(Vec<u8>),
     TlsServerEndPoint(Vec<u8>),
 }
 
@@ -77,11 +76,6 @@ impl ChannelBinding {
         ChannelBinding(ChannelBindingInner::Unsupported)
     }
 
-    /// The server requested channel binding and the client will use the `tls-unique` method.
-    pub fn tls_unique(finished: Vec<u8>) -> ChannelBinding {
-        ChannelBinding(ChannelBindingInner::TlsUnique(finished))
-    }
-
     /// The server requested channel binding and the client will use the `tls-server-end-point`
     /// method.
     pub fn tls_server_end_point(signature: Vec<u8>) -> ChannelBinding {
@@ -92,16 +86,14 @@ impl ChannelBinding {
         match self.0 {
             ChannelBindingInner::Unrequested => "y,,",
             ChannelBindingInner::Unsupported => "n,,",
-            ChannelBindingInner::TlsUnique(_) => "p=tls-unique,,",
             ChannelBindingInner::TlsServerEndPoint(_) => "p=tls-server-end-point,,",
         }
     }
 
     fn cbind_data(&self) -> &[u8] {
         match self.0 {
             ChannelBindingInner::Unrequested | ChannelBindingInner::Unsupported => &[],
-            ChannelBindingInner::TlsUnique(ref buf)
-            | ChannelBindingInner::TlsServerEndPoint(ref buf) => buf,
+            ChannelBindingInner::TlsServerEndPoint(ref buf) => buf,
         }
     }
 }

postgres/src/lib.rs

@@ -435,14 +435,8 @@ impl InnerConnection {
                 let channel_binding = self
                     .stream
                     .get_ref()
-                    .tls_unique()
-                    .map(ChannelBinding::tls_unique)
-                    .or_else(|| {
-                        self.stream
-                            .get_ref()
-                            .tls_server_end_point()
-                            .map(ChannelBinding::tls_server_end_point)
-                    });
+                    .tls_server_end_point()
+                    .map(ChannelBinding::tls_server_end_point);
 
                 let (channel_binding, mechanism) = if has_scram_plus {
                     match channel_binding {

postgres/src/tls.rs

@@ -13,16 +13,6 @@ pub trait TlsStream: fmt::Debug + Read + Write + Send {
     /// Returns a mutable reference to the underlying `Stream`.
     fn get_mut(&mut self) -> &mut Stream;
 
-    /// Returns the data associated with the `tls-unique` channel binding type as described in
-    /// [RFC 5929], if supported.
-    ///
-    /// An implementation only needs to support one of this or `tls_server_end_point`.
-    ///
-    /// [RFC 5929]: https://tools.ietf.org/html/rfc5929
-    fn tls_unique(&self) -> Option<Vec<u8>> {
-        None
-    }
-
     /// Returns the data associated with the `tls-server-end-point` channel binding type as
     /// described in [RFC 5929], if supported.
     ///