From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 9001C7AB0D for ; Mon, 10 May 2021 10:53:21 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 8D8BF158FC for ; Mon, 10 May 2021 10:52:51 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id E42B6158F1 for ; Mon, 10 May 2021 10:52:50 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id BD82243E58 for ; Mon, 10 May 2021 10:52:50 +0200 (CEST) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pbs-devel@lists.proxmox.com Date: Mon, 10 May 2021 10:52:33 +0200 Message-Id: <20210510085234.775062-3-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210510085234.775062-1-f.gruenbichler@proxmox.com> References: <20210510085234.775062-1-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.018 Adjusted score from AWL reputation of 
From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox-backup 3/4] client: refactor verification callback X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 May 2021 08:53:21 -0000 return a result with optional fingerprint instead of tuple, allowing easy extraction of a meaningful error message. Signed-off-by: Fabian Grünbichler --- src/client/http_client.rs | 40 +++++++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/src/client/http_client.rs b/src/client/http_client.rs index 59162c76..5ba82468 100644 --- a/src/client/http_client.rs +++ b/src/client/http_client.rs @@ -316,9 +316,9 @@ impl HttpClient { let fingerprint_cache = options.fingerprint_cache; let prefix = options.prefix.clone(); ssl_connector_builder.set_verify_callback(openssl::ssl::SslVerifyMode::PEER, move |valid, ctx| { - let (valid, fingerprint) = Self::verify_callback(valid, ctx, expected_fingerprint.as_ref(), interactive); - if valid { - if let Some(fingerprint) = fingerprint { + match Self::verify_callback(valid, ctx, expected_fingerprint.as_ref(), interactive) { + Ok(None) => true, + Ok(Some(fingerprint)) => { if fingerprint_cache && prefix.is_some() { if let Err(err) = store_fingerprint( prefix.as_ref().unwrap(), &server, &fingerprint) { @@ -326,9 +326,13 @@ impl HttpClient { } } *verified_fingerprint.lock().unwrap() = Some(fingerprint); - } + true + }, + Err(err) => { + eprintln!("certificate validation failed - {}", err); + false + }, } - valid }); } else { ssl_connector_builder.set_verify(openssl::ssl::SslVerifyMode::NONE); 
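Review bot: The `Ok(None) => true` arm in the verify closure no longer consults OpenSSL's own verdict, so acceptance now rests on the unwritten rule that `verify_callback` returns `Ok(None)` only when `openssl_valid` was true. That holds for the code visible in this patch, but a later early return of `Ok(None)` would silently accept a certificate that OpenSSL rejected. Keeping the arm fail-closed costs nothing: `Ok(None) => valid,` with a comment such as `// Ok(None): OpenSSL already accepted the certificate, no fingerprint override`. The closure sits inside a function whose start and end are outside this hunk.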
@@ -474,24 +478,27 @@ impl HttpClient { } fn verify_callback( - valid: bool, + openssl_valid: bool, ctx: &mut X509StoreContextRef, expected_fingerprint: Option<&String>, interactive: bool, - ) -> (bool, Option) { - if valid { return (true, None); } + ) -> Result, Error> { + + if openssl_valid { + return Ok(None); + } let cert = match ctx.current_cert() { Some(cert) => cert, - None => return (false, None), + None => bail!("context lacks current certificate."), }; let depth = ctx.error_depth(); - if depth != 0 { return (false, None); } + if depth != 0 { bail!("context depth != 0") } let fp = match cert.digest(openssl::hash::MessageDigest::sha256()) { Ok(fp) => fp, - Err(_) => return (false, None), // should not happen + Err(err) => bail!("failed to calculate certificate FP - {}", err), // should not happen }; let fp_string = proxmox::tools::digest_to_hex(&fp); let fp_string = fp_string.as_bytes().chunks(2).map(|v| std::str::from_utf8(v).unwrap()) @@ -500,7 +507,7 @@ impl HttpClient { if let Some(expected_fingerprint) = expected_fingerprint { let expected_fingerprint = expected_fingerprint.to_lowercase(); if expected_fingerprint == fp_string { - return (true, Some(fp_string)); + return Ok(Some(fp_string)); } else { eprintln!("WARNING: certificate fingerprint does not match expected fingerprint!"); eprintln!("expected: {}", expected_fingerprint); @@ -519,18 +526,19 @@ impl HttpClient { Ok(_) => { let trimmed = line.trim(); if trimmed == "y" || trimmed == "Y" { - return (true, Some(fp_string)); + return Ok(Some(fp_string)); } else if trimmed == "n" || trimmed == "N" { - return (false, None); + bail!("Certificate fingerprint was not confirmed."); } else { continue; } } - Err(_) => return (false, None), + Err(err) => bail!("Certificate fingerprint was not confirmed - {}.", err), } } } - (false, None) + + bail!("Certificate fingerprint was not confirmed."); } pub async fn request(&self, mut req: Request) -> Result { -- 2.20.1
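Review bot: In the @@ -474 hunk, `bail!("context depth != 0")` gives the operator nothing to act on, although this is the path taken whenever verification fails above the leaf certificate, where the fingerprint override (apparently by design) does not apply. The message should carry OpenSSL's reason and the depth, for example `bail!("certificate verification failed at depth {} - {}", depth, ctx.error())`. A short doc comment on `verify_callback` should also state the new contract: `Ok(None)` when OpenSSL accepted the certificate, `Ok(Some(fp))` when a rejected leaf was accepted by fingerprint, `Err` otherwise. The function body continues beyond this hunk.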
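Review bot: In the @@ -500 hunk, a mismatch against the expected fingerprint is only printed with `eprintln!` and never reaches the returned error. As far as the visible lines show, a non-interactive run then ends in the generic `bail!("Certificate fingerprint was not confirmed.")` at the end of the last hunk. A mismatch with a pinned fingerprint is the event a caller most needs in its own logs, so it should be part of the `Err` value. One option is to record the mismatch in the `else` branch and have the final fall-through return `bail!("certificate fingerprint {} does not match expected fingerprint", fp_string)` in that case. The lines between this hunk and the next are not shown, so the fall-through is inferred.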
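Review bot: The error strings added in the @@ -519 hunk are capitalised and end in a period, and `"Certificate fingerprint was not confirmed - {}."` puts that period after the interpolated I/O error. The closure in the first hunk then prefixes each of them with `certificate validation failed - `, so the printed line reads as two sentences joined by a dash. The `bail!` messages in the @@ -474 hunk mix both styles as well. Lower-case fragments without trailing punctuation would read cleanly after the prefix, e.g. `bail!("fingerprint was not confirmed - {}", err)`.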