feat: unsafe option to disable tls hostname verification

kezhuw · kezhuw · commit 546a6deb1632 · 2024-03-24T18:15:46.000+08:00
Closes #27.
diff --git a/src/client/mod.rs b/src/client/mod.rs
@@ -9,8 +9,6 @@ use std::time::Duration;
 use const_format::formatcp;
 use either::{Either, Left, Right};
 use ignore_result::Ignore;
-use rustls::pki_types::{CertificateDer, PrivateKeyDer};
-use rustls::{ClientConfig, RootCertStore};
 use thiserror::Error;
 use tokio::sync::{mpsc, watch};
 
@@ -46,9 +44,10 @@ pub use crate::proto::{EnsembleUpdate, Stat};
 use crate::record::{self, Record, StaticRecord};
 use crate::session::StateReceiver;
 pub use crate::session::{EventType, SessionId, SessionState, WatchedEvent};
+use crate::tls::TlsOptions;
 use crate::util::{self, Ref as _};
 
-type Result<T> = std::result::Result<T, Error>;
+pub(crate) type Result<T, E = Error> = std::result::Result<T, E>;
 
 /// CreateMode specifies ZooKeeper znode type. It covers all znode types with help from
 /// [CreateOptions::with_ttl].
@@ -1533,85 +1532,6 @@ impl Drop for OwnedLockClient {
 #[derive(Copy, Clone, Debug, PartialEq, PartialOrd)]
 pub(crate) struct Version(u32, u32, u32);
 
-/// Options for tls connection.
-#[derive(Debug)]
-pub struct TlsOptions {
-    identity: Option<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)>,
-    ca_certs: RootCertStore,
-}
-
-impl Clone for TlsOptions {
-    fn clone(&self) -> Self {
-        Self {
-            identity: self.identity.as_ref().map(|id| (id.0.clone(), id.1.clone_key())),
-            ca_certs: self.ca_certs.clone(),
-        }
-    }
-}
-
-impl Default for TlsOptions {
-    /// Tls options with well-known ca roots.
-    fn default() -> Self {
-        let mut options = Self::no_ca();
-        options.ca_certs.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
-        options
-    }
-}
-
-impl TlsOptions {
-    /// Tls options with no ca certificates. Use [TlsOptions::default] if well-known ca roots is
-    /// desirable.
-    pub fn no_ca() -> Self {
-        Self { ca_certs: RootCertStore::empty(), identity: None }
-    }
-
-    /// Adds new ca certificates.
-    pub fn with_pem_ca_certs(mut self, certs: &str) -> Result<Self> {
-        for r in rustls_pemfile::certs(&mut certs.as_bytes()) {
-            let cert = match r {
-                Ok(cert) => cert,
-                Err(err) => return Err(Error::other(format!("fail to read cert {}", err), err)),
-            };
-            if let Err(err) = self.ca_certs.add(cert) {
-                return Err(Error::other(format!("fail to add cert {}", err), err));
-            }
-        }
-        Ok(self)
-    }
-
-    /// Specifies client identity for server to authenticate.
-    pub fn with_pem_identity(mut self, cert: &str, key: &str) -> Result<Self> {
-        let r: std::result::Result<Vec<_>, _> = rustls_pemfile::certs(&mut cert.as_bytes()).collect();
-        let certs = match r {
-            Err(err) => return Err(Error::other(format!("fail to read cert {}", err), err)),
-            Ok(certs) => certs,
-        };
-        let key = match rustls_pemfile::private_key(&mut key.as_bytes()) {
-            Err(err) => return Err(Error::other(format!("fail to read client private key {err}"), err)),
-            Ok(None) => return Err(Error::BadArguments(&"no client private key")),
-            Ok(Some(key)) => key,
-        };
-        self.identity = Some((certs, key));
-        Ok(self)
-    }
-
-    fn take_roots(&mut self) -> RootCertStore {
-        std::mem::replace(&mut self.ca_certs, RootCertStore::empty())
-    }
-
-    fn into_config(mut self) -> Result<ClientConfig> {
-        let builder = ClientConfig::builder().with_root_certificates(self.take_roots());
-        if let Some((client_cert, client_key)) = self.identity.take() {
-            match builder.with_client_auth_cert(client_cert, client_key) {
-                Ok(config) => Ok(config),
-                Err(err) => Err(Error::other(format!("invalid client private key {err}"), err)),
-            }
-        } else {
-            Ok(builder.with_no_client_auth())
-        }
-    }
-}
-
 /// A builder for [Client].
 #[derive(Clone, Debug)]
 pub struct Connector {
diff --git a/src/lib.rs b/src/lib.rs
@@ -5,8 +5,10 @@ mod error;
 mod proto;
 mod record;
 mod session;
+mod tls;
 mod util;
 
 pub use self::acl::{Acl, Acls, AuthId, AuthUser, Permission};
 pub use self::error::Error;
+pub use self::tls::TlsOptions;
 pub use crate::client::*;
diff --git a/src/tls.rs b/src/tls.rs
@@ -0,0 +1,172 @@
+use std::sync::Arc;
+
+use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
+use rustls::crypto::{CryptoProvider, WebPkiSupportedAlgorithms};
+use rustls::pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime};
+use rustls::server::ParsedCertificate;
+use rustls::{ClientConfig, DigitallySignedStruct, Error as TlsError, RootCertStore, SignatureScheme};
+
+use crate::client::Result;
+use crate::Error;
+
+/// Options for tls connection.
+#[derive(Debug)]
+pub struct TlsOptions {
+    identity: Option<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)>,
+    ca_certs: RootCertStore,
+    hostname_verification: bool,
+}
+
+impl Clone for TlsOptions {
+    fn clone(&self) -> Self {
+        Self {
+            identity: self.identity.as_ref().map(|id| (id.0.clone(), id.1.clone_key())),
+            ca_certs: self.ca_certs.clone(),
+            hostname_verification: self.hostname_verification,
+        }
+    }
+}
+
+impl Default for TlsOptions {
+    /// Tls options with well-known ca roots.
+    fn default() -> Self {
+        let mut options = Self::no_ca();
+        options.ca_certs.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
+        options
+    }
+}
+
+// Rustls tends to make disable of hostname verification verbose since it exposes man-in-the-middle
+// attacks. Though, there are still attempts to disable hostname verification in rustls, but no got
+// merged until now.
+// * Allow disabling Hostname Verification: https://github.com/rustls/rustls/issues/578
+// * Dangerous verifiers API proposal: https://github.com/rustls/rustls/pull/1197
+#[derive(Debug)]
+struct TlsServerCertVerifier {
+    roots: RootCertStore,
+    supported: WebPkiSupportedAlgorithms,
+    hostname_verification: bool,
+}
+
+impl TlsServerCertVerifier {
+    fn new(roots: RootCertStore, hostname_verification: bool) -> Self {
+        Self {
+            roots,
+            supported: CryptoProvider::get_default().unwrap().signature_verification_algorithms,
+            hostname_verification,
+        }
+    }
+}
+
+impl ServerCertVerifier for TlsServerCertVerifier {
+    fn verify_server_cert(
+        &self,
+        end_entity: &CertificateDer<'_>,
+        intermediates: &[CertificateDer<'_>],
+        server_name: &ServerName<'_>,
+        _ocsp_response: &[u8],
+        now: UnixTime,
+    ) -> Result<ServerCertVerified, TlsError> {
+        let cert = ParsedCertificate::try_from(end_entity)?;
+        rustls::client::verify_server_cert_signed_by_trust_anchor(
+            &cert,
+            &self.roots,
+            intermediates,
+            now,
+            self.supported.all,
+        )?;
+
+        if self.hostname_verification {
+            rustls::client::verify_server_name(&cert, server_name)?;
+        }
+        Ok(ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        message: &[u8],
+        cert: &CertificateDer<'_>,
+        dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, TlsError> {
+        rustls::crypto::verify_tls12_signature(message, cert, dss, &self.supported)
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        message: &[u8],
+        cert: &CertificateDer<'_>,
+        dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, TlsError> {
+        rustls::crypto::verify_tls12_signature(message, cert, dss, &self.supported)
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
+        self.supported.supported_schemes()
+    }
+}
+
+impl TlsOptions {
+    /// Tls options with no ca certificates. Use [TlsOptions::default] if well-known ca roots is
+    /// desirable.
+    pub fn no_ca() -> Self {
+        Self { ca_certs: RootCertStore::empty(), identity: None, hostname_verification: true }
+    }
+
+    /// Disables hostname verification in tls handshake.
+    ///
+    /// # Safety
+    /// This exposes risk to man-in-the-middle attacks.
+    pub unsafe fn with_no_hostname_verification(mut self) -> Self {
+        self.hostname_verification = false;
+        self
+    }
+
+    /// Adds new ca certificates.
+    pub fn with_pem_ca_certs(mut self, certs: &str) -> Result<Self> {
+        for r in rustls_pemfile::certs(&mut certs.as_bytes()) {
+            let cert = match r {
+                Ok(cert) => cert,
+                Err(err) => return Err(Error::other(format!("fail to read cert {}", err), err)),
+            };
+            if let Err(err) = self.ca_certs.add(cert) {
+                return Err(Error::other(format!("fail to add cert {}", err), err));
+            }
+        }
+        Ok(self)
+    }
+
+    /// Specifies client identity for server to authenticate.
+    pub fn with_pem_identity(mut self, cert: &str, key: &str) -> Result<Self> {
+        let r: std::result::Result<Vec<_>, _> = rustls_pemfile::certs(&mut cert.as_bytes()).collect();
+        let certs = match r {
+            Err(err) => return Err(Error::other(format!("fail to read cert {}", err), err)),
+            Ok(certs) => certs,
+        };
+        let key = match rustls_pemfile::private_key(&mut key.as_bytes()) {
+            Err(err) => return Err(Error::other(format!("fail to read client private key {err}"), err)),
+            Ok(None) => return Err(Error::BadArguments(&"no client private key")),
+            Ok(Some(key)) => key,
+        };
+        self.identity = Some((certs, key));
+        Ok(self)
+    }
+
+    fn take_roots(&mut self) -> RootCertStore {
+        std::mem::replace(&mut self.ca_certs, RootCertStore::empty())
+    }
+
+    pub(crate) fn into_config(mut self) -> Result<ClientConfig> {
+        // This has to be called before server cert verifier to install default crypto provider.
+        let builder = ClientConfig::builder();
+        let verifier = TlsServerCertVerifier::new(self.take_roots(), self.hostname_verification);
+        let builder = builder.dangerous().with_custom_certificate_verifier(Arc::new(verifier));
+        if let Some((client_cert, client_key)) = self.identity.take() {
+            match builder.with_client_auth_cert(client_cert, client_key) {
+                Ok(config) => Ok(config),
+                Err(err) => Err(Error::other(format!("invalid client private key {err}"), err)),
+            }
+        } else {
+            Ok(builder.with_no_client_auth())
+        }
+    }
+}
diff --git a/tests/zookeeper.rs b/tests/zookeeper.rs
@@ -22,6 +22,14 @@ static ZK_IMAGE_TAG: &'static str = "3.9.0";
 static PERSISTENT_OPEN: &zk::CreateOptions<'static> = &zk::CreateMode::Persistent.with_acls(zk::Acls::anyone_all());
 static CONTAINER_OPEN: &zk::CreateOptions<'static> = &zk::CreateMode::Container.with_acls(zk::Acls::anyone_all());
 
+fn env_toggle(name: &str) -> bool {
+    match std::env::var(name) {
+        Ok(v) if v == "true" => true,
+        Ok(v) if v == "false" => false,
+        _ => rand::random(),
+    }
+}
+
 fn random_data() -> Vec<u8> {
     let rng = rand::thread_rng();
     rng.sample_iter(Standard).take(32).collect()
@@ -163,6 +171,7 @@ struct Tls {
     ca: String,
     cert: String,
     key: String,
+    hostname_verification: bool,
 }
 
 struct Server {
@@ -221,16 +230,10 @@ impl Server {
     }
 
     pub fn with_options(options: ServerOptions<'_>) -> Self {
-        let tls = options.tls.unwrap_or_else(|| match std::env::var("ZK_TEST_TLS") {
-            Ok(v) if v == "true" => true,
-            Ok(v) if v == "false" => false,
-            _ => rand::random(),
-        });
+        let tls = options.tls.unwrap_or_else(|| env_toggle("ZK_TEST_TLS"));
         if tls {
-            println!("starting tls zookeeper server ...");
             Self::tls(options)
         } else {
-            println!("starting plaintext zookeeper server ...");
             Self::plaintext(options)
         }
     }
@@ -241,9 +244,14 @@ impl Server {
 
     fn tls(options: ServerOptions<'_>) -> Self {
         let dir = tempdir().unwrap();
+        let hostname_verification = env_toggle("ZK_TLS_HOSTNAME_VERIFICATION");
+        println!(
+            "starting tls zookeeper server with hostname verification {} ...",
+            if hostname_verification { "enabled" } else { "disabled" }
+        );
 
         let (ca_cert, ca_cert_pem) = generate_ca_cert();
-        let server_cert = generate_server_cert();
+        let server_cert = generate_server_cert(hostname_verification);
         let signed_server_cert = server_cert.serialize_pem_with_signer(&ca_cert).unwrap();
 
         // ZooKeeper needs a keystore with both key and signed cert.
@@ -304,14 +312,15 @@ serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
         let container = unsafe { std::mem::transmute(docker.run(image)) };
 
         Self {
-            tls: Some(Tls { ca: ca_cert_pem, cert: signed_client_cert, key: client_key }),
+            tls: Some(Tls { ca: ca_cert_pem, cert: signed_client_cert, key: client_key, hostname_verification }),
             _dir: Some(dir),
             _docker: docker,
             container,
         }
     }
 
     fn plaintext(options: ServerOptions<'_>) -> Self {
+        println!("starting plaintext zookeeper server ...");
         let docker = Box::new(DockerCli::default());
         let image = zookeeper_image(options.into());
         let container = unsafe { std::mem::transmute(docker.run(image)) };
@@ -337,11 +346,14 @@ serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
         let Some(tls) = self.tls.as_ref() else {
             return connector;
         };
-        let tls_options = zk::TlsOptions::default()
+        let mut tls_options = zk::TlsOptions::default()
             .with_pem_ca_certs(&tls.ca)
             .unwrap()
             .with_pem_identity(&tls.cert, &tls.key)
             .unwrap();
+        if !tls.hostname_verification {
+            tls_options = unsafe { tls_options.with_no_hostname_verification() };
+        }
         connector.tls(tls_options);
         connector
     }
@@ -1595,8 +1607,9 @@ fn generate_ca_cert() -> (Certificate, String) {
     (Certificate::from_params(ca_cert_params).unwrap(), ca_cert_pem)
 }
 
-fn generate_server_cert() -> Certificate {
-    let mut params = CertificateParams::new(vec!["127.0.0.1".to_string()]);
+fn generate_server_cert(hostname_verification: bool) -> Certificate {
+    let san = if hostname_verification { vec!["127.0.0.1".to_string()] } else { vec![] };
+    let mut params = CertificateParams::new(san);
     params.key_usages = vec![rcgen::KeyUsagePurpose::DigitalSignature, rcgen::KeyUsagePurpose::KeyEncipherment];
     params.extended_key_usages = vec![rcgen::ExtendedKeyUsagePurpose::ServerAuth];
     params.distinguished_name.push(rcgen::DnType::CommonName, "server");
