client: refactor verification callback
return a result with optional fingerprint instead of tuple, allowing easy extraction of a meaningful error message. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
parent
56d98ba966
commit
065013ccec
@ -316,9 +316,9 @@ impl HttpClient {
|
|||||||
let fingerprint_cache = options.fingerprint_cache;
|
let fingerprint_cache = options.fingerprint_cache;
|
||||||
let prefix = options.prefix.clone();
|
let prefix = options.prefix.clone();
|
||||||
ssl_connector_builder.set_verify_callback(openssl::ssl::SslVerifyMode::PEER, move |valid, ctx| {
|
ssl_connector_builder.set_verify_callback(openssl::ssl::SslVerifyMode::PEER, move |valid, ctx| {
|
||||||
let (valid, fingerprint) = Self::verify_callback(valid, ctx, expected_fingerprint.as_ref(), interactive);
|
match Self::verify_callback(valid, ctx, expected_fingerprint.as_ref(), interactive) {
|
||||||
if valid {
|
Ok(None) => true,
|
||||||
if let Some(fingerprint) = fingerprint {
|
Ok(Some(fingerprint)) => {
|
||||||
if fingerprint_cache && prefix.is_some() {
|
if fingerprint_cache && prefix.is_some() {
|
||||||
if let Err(err) = store_fingerprint(
|
if let Err(err) = store_fingerprint(
|
||||||
prefix.as_ref().unwrap(), &server, &fingerprint) {
|
prefix.as_ref().unwrap(), &server, &fingerprint) {
|
||||||
@ -326,9 +326,13 @@ impl HttpClient {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
*verified_fingerprint.lock().unwrap() = Some(fingerprint);
|
*verified_fingerprint.lock().unwrap() = Some(fingerprint);
|
||||||
|
true
|
||||||
|
},
|
||||||
|
Err(err) => {
|
||||||
|
eprintln!("certificate validation failed - {}", err);
|
||||||
|
false
|
||||||
|
},
|
||||||
}
|
}
|
||||||
}
|
|
||||||
valid
|
|
||||||
});
|
});
|
||||||
} else {
|
} else {
|
||||||
ssl_connector_builder.set_verify(openssl::ssl::SslVerifyMode::NONE);
|
ssl_connector_builder.set_verify(openssl::ssl::SslVerifyMode::NONE);
|
||||||
@ -474,24 +478,27 @@ impl HttpClient {
|
|||||||
}
|
}
|
||||||
|
|
||||||
fn verify_callback(
|
fn verify_callback(
|
||||||
valid: bool,
|
openssl_valid: bool,
|
||||||
ctx: &mut X509StoreContextRef,
|
ctx: &mut X509StoreContextRef,
|
||||||
expected_fingerprint: Option<&String>,
|
expected_fingerprint: Option<&String>,
|
||||||
interactive: bool,
|
interactive: bool,
|
||||||
) -> (bool, Option<String>) {
|
) -> Result<Option<String>, Error> {
|
||||||
if valid { return (true, None); }
|
|
||||||
|
if openssl_valid {
|
||||||
|
return Ok(None);
|
||||||
|
}
|
||||||
|
|
||||||
let cert = match ctx.current_cert() {
|
let cert = match ctx.current_cert() {
|
||||||
Some(cert) => cert,
|
Some(cert) => cert,
|
||||||
None => return (false, None),
|
None => bail!("context lacks current certificate."),
|
||||||
};
|
};
|
||||||
|
|
||||||
let depth = ctx.error_depth();
|
let depth = ctx.error_depth();
|
||||||
if depth != 0 { return (false, None); }
|
if depth != 0 { bail!("context depth != 0") }
|
||||||
|
|
||||||
let fp = match cert.digest(openssl::hash::MessageDigest::sha256()) {
|
let fp = match cert.digest(openssl::hash::MessageDigest::sha256()) {
|
||||||
Ok(fp) => fp,
|
Ok(fp) => fp,
|
||||||
Err(_) => return (false, None), // should not happen
|
Err(err) => bail!("failed to calculate certificate FP - {}", err), // should not happen
|
||||||
};
|
};
|
||||||
let fp_string = proxmox::tools::digest_to_hex(&fp);
|
let fp_string = proxmox::tools::digest_to_hex(&fp);
|
||||||
let fp_string = fp_string.as_bytes().chunks(2).map(|v| std::str::from_utf8(v).unwrap())
|
let fp_string = fp_string.as_bytes().chunks(2).map(|v| std::str::from_utf8(v).unwrap())
|
||||||
@ -500,7 +507,7 @@ impl HttpClient {
|
|||||||
if let Some(expected_fingerprint) = expected_fingerprint {
|
if let Some(expected_fingerprint) = expected_fingerprint {
|
||||||
let expected_fingerprint = expected_fingerprint.to_lowercase();
|
let expected_fingerprint = expected_fingerprint.to_lowercase();
|
||||||
if expected_fingerprint == fp_string {
|
if expected_fingerprint == fp_string {
|
||||||
return (true, Some(fp_string));
|
return Ok(Some(fp_string));
|
||||||
} else {
|
} else {
|
||||||
eprintln!("WARNING: certificate fingerprint does not match expected fingerprint!");
|
eprintln!("WARNING: certificate fingerprint does not match expected fingerprint!");
|
||||||
eprintln!("expected: {}", expected_fingerprint);
|
eprintln!("expected: {}", expected_fingerprint);
|
||||||
@ -519,18 +526,19 @@ impl HttpClient {
|
|||||||
Ok(_) => {
|
Ok(_) => {
|
||||||
let trimmed = line.trim();
|
let trimmed = line.trim();
|
||||||
if trimmed == "y" || trimmed == "Y" {
|
if trimmed == "y" || trimmed == "Y" {
|
||||||
return (true, Some(fp_string));
|
return Ok(Some(fp_string));
|
||||||
} else if trimmed == "n" || trimmed == "N" {
|
} else if trimmed == "n" || trimmed == "N" {
|
||||||
return (false, None);
|
bail!("Certificate fingerprint was not confirmed.");
|
||||||
} else {
|
} else {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Err(_) => return (false, None),
|
Err(err) => bail!("Certificate fingerprint was not confirmed - {}.", err),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
(false, None)
|
|
||||||
|
bail!("Certificate fingerprint was not confirmed.");
|
||||||
}
|
}
|
||||||
|
|
||||||
pub async fn request(&self, mut req: Request<Body>) -> Result<Value, Error> {
|
pub async fn request(&self, mut req: Request<Body>) -> Result<Value, Error> {
|
||||||
|
Loading…
Reference in New Issue
Block a user