RUST-1083 Add openssl as an optional TLS provider (#590)

Author: abr-egn

.evergreen/config.yml

@@ -297,7 +297,9 @@ functions:
 
           export CERT_PATH=$DRIVERS_TOOLS/.evergreen/x509gen/client.pem
 
-          .evergreen/run-x509-tests.sh
+          ASYNC_RUNTIME=${ASYNC_RUNTIME} \
+            TLS_FEATURE=${TLS_FEATURE} \
+            .evergreen/run-x509-tests.sh
 
   "run plain tests":
     - command: shell.exec
@@ -376,6 +378,7 @@ functions:
           SINGLE_THREAD=${SINGLE_THREAD} \
             ASYNC_RUNTIME=${ASYNC_RUNTIME} \
             MONGODB_API_VERSION=${MONGODB_API_VERSION} \
+            TLS_FEATURE=${TLS_FEATURE} \
             .evergreen/run-tests.sh
 
   "run serverless tests":
@@ -403,6 +406,7 @@ functions:
           SINGLE_THREAD=${SINGLE_THREAD} \
             ASYNC_RUNTIME=${ASYNC_RUNTIME} \
             MONGODB_API_VERSION=${MONGODB_API_VERSION} \
+            TLS_FEATURE=${TLS_FEATURE} \
             .evergreen/run-serverless-tests.sh
 
   "run atlas tests":
@@ -1350,15 +1354,23 @@ axes:
     display_name: Authentication and TLS
     values:
       - id: "auth-and-tls"
-        display_name: Auth TLS
+        display_name: Auth TLS (Default)
+        variables:
+           AUTH: "auth"
+           SSL: "ssl"
+           TLS_FEATURE: ""
+      - id: "openssl-auth-and-tls"
+        display_name: Auth TLS (OpenSSL)
         variables:
            AUTH: "auth"
            SSL: "ssl"
+           TLS_FEATURE: "openssl-tls"
       - id: "noauth-and-notls"
         display_name: NoAuth NoTLS
         variables:
            AUTH: "noauth"
            SSL: "nossl"
+           TLS_FEATURE: ""
 
   - id: "compressor"
     display_name: "Compressor"
@@ -1539,9 +1551,11 @@ buildvariants:
       - ubuntu-18.04-arm64
       - macos-10.14
       - windows-64-vs2017
-    auth-and-tls: "auth-and-tls"
+    auth-and-tls:
+      - auth-and-tls
+      - openssl-auth-and-tls
     async-runtime: "*"
-  display_name: "${os} X.509 auth with ${async-runtime}"
+  display_name: "${os} X.509 ${auth-and-tls} with ${async-runtime}"
   tasks:
     - "test-x509-auth"
 

.evergreen/env.sh

@@ -14,6 +14,9 @@ if [[ "$OS" == "Windows_NT" ]]; then
     export NVM_SYMLINK
     NVM_ARTIFACTS_PATH=$(cygpath -w "$NODE_ARTIFACTS_PATH/bin")
     export NVM_ARTIFACTS_PATH
+    export OPENSSL_DIR="C:\\openssl"
+    OPENSSL_LIB_PATH=$(cygpath $OPENSSL_DIR/lib)
+    ls $OPENSSL_LIB_PATH
     PATH=$(cygpath $NVM_SYMLINK):$(cygpath $NVM_HOME):$PATH
     export PATH
     echo "updated path on windows PATH=$PATH"

.evergreen/run-async-std-tests.sh

@@ -16,16 +16,16 @@ echo "cargo test options: ${OPTIONS}"
 set +o errexit
 CARGO_RESULT=0
 
-RUST_BACKTRACE=1 cargo test --no-default-features --features async-std-runtime $OPTIONS | tee async-tests.json
+RUST_BACKTRACE=1 cargo test --no-default-features --features async-std-runtime,${TLS_FEATURE} $OPTIONS | tee async-tests.json
 (( CARGO_RESULT = CARGO_RESULT || $? ))
 cat async-tests.json | cargo2junit > async-tests.xml
-RUST_BACKTRACE=1 cargo test sync --no-default-features --features sync $OPTIONS | tee sync-tests.json
+RUST_BACKTRACE=1 cargo test sync --no-default-features --features sync,${TLS_FEATURE} $OPTIONS | tee sync-tests.json
 (( CARGO_RESULT = CARGO_RESULT || $? ))
 cat sync-tests.json | cargo2junit > sync-tests.xml
-RUST_BACKTRACE=1 cargo test --doc sync --no-default-features --features sync $OPTIONS | tee sync-doc-tests.json
+RUST_BACKTRACE=1 cargo test --doc sync --no-default-features --features sync,${TLS_FEATURE} $OPTIONS | tee sync-doc-tests.json
 (( CARGO_RESULT = CARGO_RESULT || $? ))
 cat sync-doc-tests.json | cargo2junit > sync-doc-tests.xml
 
 junit-report-merger results.xml async-tests.xml sync-tests.xml sync-doc-tests.xml
 
-exit $CARGO_RESULT
+exit $CARGO_RESULT

.evergreen/run-serverless-tests.sh

@@ -22,6 +22,8 @@ if [ "$SINGLE_THREAD" = true ]; then
 	OPTIONS="$OPTIONS --test-threads=1"
 fi
 
+FEATURE_FLAGS=${FEATURE_FLAGS},${TLS_FEATURE}
+
 echo "cargo test options: ${DEFAULT_FEATURES} --features $FEATURE_FLAGS ${OPTIONS}"
 
 CARGO_RESULT=0
@@ -46,4 +48,4 @@ cargo_test test::cursor > cursor.xml
 
 junit-report-merger results.xml crud.xml retryable_reads.xml retryable_writes.xml versioned_api.xml sessions.xml transactions.xml load_balancers.xml cursor.xml
 
-exit $CARGO_RESULT
+exit $CARGO_RESULT

.evergreen/run-tokio-tests.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 set -o errexit
+set -o pipefail
 
 source ./.evergreen/env.sh
 
@@ -10,7 +11,7 @@ if [ "$SINGLE_THREAD" = true ]; then
 	OPTIONS="$OPTIONS --test-threads=1"
 fi
 
-FEATURE_FLAGS="zstd-compression,snappy-compression,zlib-compression"
+FEATURE_FLAGS="zstd-compression,snappy-compression,zlib-compression,${TLS_FEATURE}"
 
 echo "cargo test options: --features $FEATURE_FLAGS ${OPTIONS}"
 
@@ -29,4 +30,4 @@ cat sync-doc-tests.json | cargo2junit > sync-doc-tests.xml
 
 junit-report-merger results.xml async-tests.xml sync-tests.xml sync-doc-tests.xml
 
-exit $CARGO_RESULT
+exit $CARGO_RESULT

.evergreen/run-x509-tests.sh

@@ -2,8 +2,9 @@
 
 set -o errexit
 set -o xtrace 
+set -o pipefail
 
-. ~/.cargo/env
+source ./.evergreen/env.sh
 
 export SUBJECT=`openssl x509 -subject -nameopt RFC2253 -noout -inform PEM -in $CERT_PATH`
 
@@ -13,4 +14,19 @@ export SUBJECT=${SUBJECT#"subject="}
 # Remove any leading or trailing whitespace
 export SUBJECT=`echo "$SUBJECT" | awk '{$1=$1;print}'`
 
-RUST_BACKTRACE=1 MONGO_X509_USER="$SUBJECT" cargo test x509
+if [ "$ASYNC_RUNTIME" = "tokio" ]; then
+    RUNTIME_FEATURE="tokio-runtime"
+elif [ "$ASYNC_RUNTIME" = "async-std" ]; then
+    RUNTIME_FEATURE="async-std-runtime"
+else
+    echo "invalid async runtime: ${ASYNC_RUNTIME}" >&2
+    exit 1
+fi
+
+OPTIONS="--no-default-features --features ${RUNTIME_FEATURE},${TLS_FEATURE} -- -Z unstable-options --format json --report-time"
+
+set +o errexit
+RUST_BACKTRACE=1 MONGO_X509_USER="$SUBJECT" cargo test x509 $OPTIONS | tee results.json
+CARGO_EXIT=$?
+cat results.json | cargo2junit > results.xml
+exit $CARGO_EXIT

Cargo.toml

@@ -25,6 +25,7 @@ tokio-runtime = ["tokio/macros", "tokio/net", "tokio/rt", "tokio/time", "serde_b
 async-std-runtime = ["async-std", "async-std/attributes", "async-std-resolver", "tokio-util/compat"]
 sync = ["async-std-runtime"]
 tokio-sync = ["tokio-runtime"]
+openssl-tls = ["openssl", "openssl-probe", "tokio-openssl"]
 
 # Enable support for v0.4 of the chrono crate in the public API of the BSON library.
 bson-chrono-0_4 = ["bson/chrono-0_4"]
@@ -59,6 +60,8 @@ hex = "0.4.0"
 hmac = "0.11"
 lazy_static = "1.4.0"
 md-5 = "0.9.1"
+openssl = { version = "0.10.38", optional = true }
+openssl-probe = { version = "0.1.5", optional = true }
 os_info = { version = "3.0.1", default-features = false }
 percent-encoding = "2.0.0"
 rand = { version = "0.8.3", features = ["small_rng"] }
@@ -72,6 +75,7 @@ stringprep = "0.1.2"
 strsim = "0.10.0"
 take_mut = "0.2.2"
 thiserror = "1.0.24"
+tokio-openssl = { version = "0.6.3", optional = true }
 trust-dns-proto = "0.20.0"
 trust-dns-resolver = "0.20.0"
 typed-builder = "0.9.0"

README.md

@@ -74,6 +74,7 @@ features = ["sync"]
 | `zlib-compression`   | Enable support for compressing messages with [`zlib`](https://zlib.net/)                                                              | `flate2` 1.0                        | no      |
 | `zstd-compression`   | Enable support for compressing messages with [`zstd`](http://facebook.github.io/zstd/).  This flag requires Rust version 1.54.        | `zstd` 0.9.0                        | no      |
 | `snappy-compression` | Enable support for compressing messages with [`snappy`](http://google.github.io/snappy/)                                              | `snap` 1.0.5                        | no      |
+| `openssl-tls`        | Switch TLS connection handling to use ['openssl'](https://docs.rs/openssl/0.10.38/).                                                  | `openssl` 0.10.38                       | no      |
 
 ## Example Usage
 Below are simple examples of using the driver. For more specific examples and the API reference, see the driver's [docs.rs page](https://docs.rs/mongodb/latest).

src/client/options/mod.rs

@@ -7,9 +7,7 @@ use std::{
     collections::HashSet,
     convert::TryFrom,
     fmt::{self, Display, Formatter},
-    fs::File,
     hash::{Hash, Hasher},
-    io::{BufReader, Seek, SeekFrom},
     path::PathBuf,
     str::FromStr,
     sync::Arc,
@@ -18,15 +16,6 @@ use std::{
 
 use derivative::Derivative;
 use lazy_static::lazy_static;
-use rustls::{
-    internal::pemfile,
-    Certificate,
-    RootCertStore,
-    ServerCertVerified,
-    ServerCertVerifier,
-    TLSError,
-};
-use rustls_pemfile::{read_one, Item};
 use serde::{
     de::{Error, Unexpected},
     Deserialize,
@@ -36,7 +25,6 @@ use serde::{
 use serde_with::skip_serializing_none;
 use strsim::jaro_winkler;
 use typed_builder::TypedBuilder;
-use webpki_roots::TLS_SERVER_ROOTS;
 
 #[cfg(test)]
 use crate::srv::LookupHosts;
@@ -788,99 +776,17 @@ pub struct TlsOptions {
     /// [`Client`](../struct.Client.html) will not attempt to verify its identity to the
     /// server.
     pub cert_key_file_path: Option<PathBuf>,
-}
 
-struct NoCertVerifier {}
-
-impl ServerCertVerifier for NoCertVerifier {
-    fn verify_server_cert(
-        &self,
-        _: &RootCertStore,
-        _: &[Certificate],
-        _: webpki::DNSNameRef,
-        _: &[u8],
-    ) -> std::result::Result<ServerCertVerified, TLSError> {
-        Ok(ServerCertVerified::assertion())
-    }
+    /// Whether or not the [`Client`](../struct.Client.html) should return an error if the hostname
+    /// is invalid.
+    ///
+    /// The default value is to error on invalid hostnames.
+    #[cfg(any(feature = "openssl-tls", docsrs))]
+    #[cfg_attr(docsrs, doc(cfg(feature = "openssl-tls")))]
+    pub allow_invalid_hostnames: Option<bool>,
 }
 
 impl TlsOptions {
-    /// Converts `TlsOptions` into a rustls::ClientConfig.
-    pub(crate) fn into_rustls_config(self) -> Result<rustls::ClientConfig> {
-        let mut config = rustls::ClientConfig::new();
-
-        if let Some(true) = self.allow_invalid_certificates {
-            config
-                .dangerous()
-                .set_certificate_verifier(Arc::new(NoCertVerifier {}));
-        }
-
-        let mut store = RootCertStore::empty();
-        if let Some(path) = self.ca_file_path {
-            store
-                .add_pem_file(&mut BufReader::new(File::open(&path)?))
-                .map_err(|_| ErrorKind::InvalidTlsConfig {
-                    message: format!(
-                        "Unable to parse PEM-encoded root certificate from {}",
-                        path.display()
-                    ),
-                })?;
-        } else {
-            store.add_server_trust_anchors(&TLS_SERVER_ROOTS);
-        }
-
-        config.root_store = store;
-
-        if let Some(path) = self.cert_key_file_path {
-            let mut file = BufReader::new(File::open(&path)?);
-            let certs = match pemfile::certs(&mut file) {
-                Ok(certs) => certs,
-                Err(()) => {
-                    return Err(ErrorKind::InvalidTlsConfig {
-                        message: format!(
-                            "Unable to parse PEM-encoded client certificate from {}",
-                            path.display()
-                        ),
-                    }
-                    .into())
-                }
-            };
-
-            file.seek(SeekFrom::Start(0))?;
-            let key = loop {
-                match read_one(&mut file) {
-                    Ok(Some(Item::PKCS8Key(bytes))) | Ok(Some(Item::RSAKey(bytes))) => {
-                        break rustls::PrivateKey(bytes)
-                    }
-                    Ok(Some(_)) => continue,
-                    Ok(None) => {
-                        return Err(ErrorKind::InvalidTlsConfig {
-                            message: format!("No PEM-encoded keys in {}", path.display()),
-                        }
-                        .into())
-                    }
-                    Err(_) => {
-                        return Err(ErrorKind::InvalidTlsConfig {
-                            message: format!(
-                                "Unable to parse PEM-encoded item from {}",
-                                path.display()
-                            ),
-                        }
-                        .into())
-                    }
-                }
-            };
-
-            config
-                .set_single_client_cert(certs, key)
-                .map_err(|e| ErrorKind::InvalidTlsConfig {
-                    message: e.to_string(),
-                })?;
-        }
-
-        Ok(config)
-    }
-
     #[cfg(test)]
     pub(crate) fn serialize_for_client_options<S>(
         tls_options: &TlsOptions,

src/lib.rs

@@ -62,6 +62,7 @@
 //! | `zlib-compression`   | Enable support for compressing messages with [`zlib`](https://zlib.net/)                                                              | `flate2` 1.0                        | no      |
 //! | `zstd-compression`   | Enable support for compressing messages with [`zstd`](http://facebook.github.io/zstd/).  This flag requires Rust version 1.54.        | `zstd` 0.9.0                        | no      |
 //! | `snappy-compression` | Enable support for compressing messages with [`snappy`](http://google.github.io/snappy/)                                              | `snap` 1.0.5                        | no      |
+//! | `openssl-tls`        | Switch TLS connection handling to use ['openssl'](https://docs.rs/openssl/0.10.38/).                                                  | `openssl` 0.10.38                   | no      |
 //!
 //! # Example Usage
 //!