From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gruenbichler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 9001C7AB0D
 for <pbs-devel@lists.proxmox.com>; Mon, 10 May 2021 10:53:21 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 8D8BF158FC
 for <pbs-devel@lists.proxmox.com>; Mon, 10 May 2021 10:52:51 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id E42B6158F1
 for <pbs-devel@lists.proxmox.com>; Mon, 10 May 2021 10:52:50 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id BD82243E58
 for <pbs-devel@lists.proxmox.com>; Mon, 10 May 2021 10:52:50 +0200 (CEST)
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Date: Mon, 10 May 2021 10:52:33 +0200
Message-Id: <20210510085234.775062-3-f.gruenbichler@proxmox.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20210510085234.775062-1-f.gruenbichler@proxmox.com>
References: <20210510085234.775062-1-f.gruenbichler@proxmox.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.018 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: [pbs-devel] [PATCH proxmox-backup 3/4] client: refactor
 verification callback
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2021 08:53:21 -0000

return a result with optional fingerprint instead of tuple, allowing
easy extraction of a meaningful error message.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 src/client/http_client.rs | 40 +++++++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 16 deletions(-)

diff --git a/src/client/http_client.rs b/src/client/http_client.rs
index 59162c76..5ba82468 100644
--- a/src/client/http_client.rs
+++ b/src/client/http_client.rs
@@ -316,9 +316,9 @@ impl HttpClient {
             let fingerprint_cache = options.fingerprint_cache;
             let prefix = options.prefix.clone();
             ssl_connector_builder.set_verify_callback(openssl::ssl::SslVerifyMode::PEER, move |valid, ctx| {
-                let (valid, fingerprint) = Self::verify_callback(valid, ctx, expected_fingerprint.as_ref(), interactive);
-                if valid {
-                    if let Some(fingerprint) = fingerprint {
+                match Self::verify_callback(valid, ctx, expected_fingerprint.as_ref(), interactive) {
+                    Ok(None) => true,
+                    Ok(Some(fingerprint)) => {
                         if fingerprint_cache && prefix.is_some() {
                             if let Err(err) = store_fingerprint(
                                 prefix.as_ref().unwrap(), &server, &fingerprint) {
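Review bot: `Ok(None) => true` accepts the peer without ever comparing against `expected_fingerprint`, because `verify_callback` (third hunk) returns `Ok(None)` as soon as `openssl_valid` is true, before the fingerprint check. A configured fingerprint therefore acts as a fallback for certificates the trust store rejects rather than as a pin, and `verified_fingerprint` is not set on that path. If that is the intended policy, it deserves a comment on the arm, e.g. `// chain validated by OpenSSL: expected fingerprint is not compared, nothing to cache`, plus a doc comment on `verify_callback` spelling out what `Ok(None)`, `Ok(Some(fp))` and `Err` mean. The closure body continues in the next hunk.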
@@ -326,9 +326,13 @@ impl HttpClient {
                             }
                         }
                         *verified_fingerprint.lock().unwrap() = Some(fingerprint);
-                    }
+                        true
+                    },
+                    Err(err) => {
+                        eprintln!("certificate validation failed - {}", err);
+                        false
+                    },
                 }
-                valid
             });
         } else {
             ssl_connector_builder.set_verify(openssl::ssl::SslVerifyMode::NONE);
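Review bot: The new `Err` arm logs `certificate validation failed - {}` without saying which peer was rejected, although `server` is already captured by the closure for `store_fingerprint`. When a client talks to more than one remote, a bare failure line on stderr is hard to attribute. Assuming `server` is displayable, I would write `eprintln!("certificate validation failed for '{}' - {}", server, err);`. The closure starts in the previous hunk.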
@@ -474,24 +478,27 @@ impl HttpClient {
     }
 
     fn verify_callback(
-        valid: bool,
+        openssl_valid: bool,
         ctx: &mut X509StoreContextRef,
         expected_fingerprint: Option<&String>,
         interactive: bool,
-    ) -> (bool, Option<String>) {
-        if valid { return (true, None); }
+    ) -> Result<Option<String>, Error> {
+
+        if openssl_valid {
+            return Ok(None);
+        }
 
         let cert = match ctx.current_cert() {
             Some(cert) => cert,
-            None => return (false, None),
+            None => bail!("context lacks current certificate."),
         };
 
         let depth = ctx.error_depth();
-        if depth != 0 { return (false, None); }
+        if depth != 0 { bail!("context depth != 0") }
 
         let fp = match cert.digest(openssl::hash::MessageDigest::sha256()) {
             Ok(fp) => fp,
-            Err(_) => return (false, None), // should not happen
+            Err(err) => bail!("failed to calculate certificate FP - {}", err), // should not happen
         };
         let fp_string = proxmox::tools::digest_to_hex(&fp);
         let fp_string = fp_string.as_bytes().chunks(2).map(|v| std::str::from_utf8(v).unwrap())
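Review bot: `bail!("context depth != 0")` does not tell the user what went wrong, which runs against the commit's stated aim of a meaningful error message. This branch is taken when OpenSSL reports the failure on a certificate above the leaf, so the fingerprint fallback is skipped and this text is all the user sees. Including the depth and OpenSSL's own verdict would make it actionable, e.g. `bail!("certificate at chain depth {} failed verification - {}", depth, ctx.error())`. The function body continues past the end of this hunk.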
@@ -500,7 +507,7 @@ impl HttpClient {
         if let Some(expected_fingerprint) = expected_fingerprint {
             let expected_fingerprint = expected_fingerprint.to_lowercase();
             if expected_fingerprint == fp_string {
-                return (true, Some(fp_string));
+                return Ok(Some(fp_string));
             } else {
                 eprintln!("WARNING: certificate fingerprint does not match expected fingerprint!");
                 eprintln!("expected:    {}", expected_fingerprint);
@@ -519,18 +526,19 @@ impl HttpClient {
                     Ok(_) => {
                         let trimmed = line.trim();
                         if trimmed == "y" || trimmed == "Y" {
-                            return (true, Some(fp_string));
+                            return Ok(Some(fp_string));
                         } else if trimmed == "n" || trimmed == "N" {
-                            return (false, None);
+                            bail!("Certificate fingerprint was not confirmed.");
                         } else {
                             continue;
                         }
                     }
-                    Err(_) => return (false, None),
+                    Err(err) => bail!("Certificate fingerprint was not confirmed - {}.", err),
                 }
             }
         }
-        (false, None)
+
+        bail!("Certificate fingerprint was not confirmed.");
     }
 
     pub async fn request(&self, mut req: Request<Body>) -> Result<Value, Error> {
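Review bot: The `Ok(_)` arm does not distinguish end-of-input from an unrecognised answer. The read call sits above this hunk, but if it is `read_line`, then `Ok(0)` on a closed stdin gives an empty `trimmed` and falls into `continue`, so the prompt loop would spin instead of failing. An explicit arm ahead of `Ok(_)` would close that, e.g. `Ok(0) => bail!("Certificate fingerprint was not confirmed - stdin closed."),`. Separately, the final `bail!` at the end of the function reuses the text of the explicit "n" answer; a distinct message for the path where no prompt was answered would make the two cases distinguishable in logs.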
-- 
2.20.1