From 7660d730bf848ba3af4c6aede9e8a98ad29b2fac Mon Sep 17 00:00:00 2001 From: kpcyrd Date: Tue, 2 Jul 2024 16:04:33 +0200 Subject: [PATCH] Make DangerousAcceptAllVerifier wrap a CryptoProvider Co-authored-by: Daniel McCarney --- src/client/conn.rs | 70 +++++++++++++++++++++++----------------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/src/client/conn.rs b/src/client/conn.rs index d5b12da6..910ed09d 100644 --- a/src/client/conn.rs +++ b/src/client/conn.rs @@ -38,6 +38,7 @@ use tokio_rustls::client::TlsStream; #[cfg(feature = "tls-rust")] use tokio_rustls::{ rustls::client::danger::{ServerCertVerified, ServerCertVerifier}, + rustls::crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider}, rustls::pki_types::{ CertificateDer as Certificate, PrivateKeyDer as PrivateKey, ServerName, UnixTime, }, 
@@ -224,56 +225,58 @@ impl Connection { tx: UnboundedSender, ) -> error::Result>> { #[derive(Debug)] - struct DangerousAcceptAllVerifier; + struct DangerousAcceptAllVerifier(CryptoProvider); + + impl DangerousAcceptAllVerifier { + fn new() -> Self { + DangerousAcceptAllVerifier(CryptoProvider::get_default().unwrap().as_ref().clone()) + } + } impl ServerCertVerifier for DangerousAcceptAllVerifier { fn verify_server_cert( &self, - _: &Certificate, - _: &[Certificate], - _: &ServerName, - _: &[u8], - _: UnixTime, + _end_entity: &Certificate, + _intermediates: &[Certificate], + _server_name: &ServerName, + _oscp: &[u8], + _now: UnixTime, ) -> Result { return Ok(ServerCertVerified::assertion()); } fn verify_tls12_signature( &self, - _message: &[u8], - _cert: &Certificate<'_>, - _dss: &rustls::DigitallySignedStruct, + message: &[u8], + cert: &Certificate<'_>, + dss: &rustls::DigitallySignedStruct, ) -> Result { - Ok(rustls::client::danger::HandshakeSignatureValid::assertion()) + verify_tls12_signature( + message, + cert, + dss, + &self.0.signature_verification_algorithms, + ) } fn verify_tls13_signature( &self, - _message: &[u8], - _cert: &Certificate<'_>, - _dss: &rustls::DigitallySignedStruct, + message: &[u8], + cert: &Certificate<'_>, + dss: &rustls::DigitallySignedStruct, ) -> Result { - Ok(rustls::client::danger::HandshakeSignatureValid::assertion()) + verify_tls13_signature( + message, + cert, + dss, + &self.0.signature_verification_algorithms, + ) } fn supported_verify_schemes(&self) -> Vec { - vec![ - rustls::SignatureScheme::RSA_PKCS1_SHA1, - rustls::SignatureScheme::ECDSA_SHA1_Legacy, - rustls::SignatureScheme::RSA_PKCS1_SHA256, - rustls::SignatureScheme::ECDSA_NISTP256_SHA256, - rustls::SignatureScheme::RSA_PKCS1_SHA384, - rustls::SignatureScheme::ECDSA_NISTP384_SHA384, - rustls::SignatureScheme::RSA_PKCS1_SHA512, - rustls::SignatureScheme::ECDSA_NISTP521_SHA512, - rustls::SignatureScheme::RSA_PSS_SHA256, - rustls::SignatureScheme::RSA_PSS_SHA384, - 
rustls::SignatureScheme::RSA_PSS_SHA512, - rustls::SignatureScheme::ED25519, - rustls::SignatureScheme::ED448, - ] + self.0.signature_verification_algorithms.supported_schemes() } } @@ -334,14 +337,11 @@ impl Connection { let tls_config = if config.dangerously_accept_invalid_certs() { let builder = builder .dangerous() - .with_custom_certificate_verifier(Arc::new(DangerousAcceptAllVerifier)); + .with_custom_certificate_verifier(Arc::new(DangerousAcceptAllVerifier::new())); make_client_auth!(builder) } else { - let mut root_store = RootCertStore::from_iter( - webpki_roots::TLS_SERVER_ROOTS - .iter() - .map(|ta| ta.to_owned()), - ); + let mut root_store = + RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned()); if let Some(cert_path) = config.cert_path() { if let Ok(file) = File::open(cert_path) {
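Review bot: In the `@@ -224,56 +225,58 @@` hunk, `DangerousAcceptAllVerifier::new()` calls `CryptoProvider::get_default().unwrap()`, which panics when no process-default provider has been installed, inside a function that otherwise returns `error::Result`. Whether a default is always installed by this point is not visible here (it depends on how `builder` is created outside the hunk), so either state the invariant with `.expect("a rustls CryptoProvider is installed before the TLS config is built")` or return an error instead. Separately, `verify_server_cert` still returns `ServerCertVerified::assertion()` for every certificate, so the handshake-signature checks added here only show that the peer holds the key for whatever certificate it presented; a doc comment on the struct such as `/// Accepts any server certificate; handshake signatures are still checked, but the peer is not authenticated.` would keep that limit visible to anyone enabling `dangerously_accept_invalid_certs`. The renamed parameter `_oscp` looks like a typo for `_ocsp`. The enclosing function begins and ends outside the hunk.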