From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 055C87C7E4 for ; Fri, 5 Nov 2021 14:04:36 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id BC0CBBCC3 for ; Fri, 5 Nov 2021 14:04:05 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id EB6B1BCAC for ; Fri, 5 Nov 2021 14:04:04 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id C02D846A82 for ; Fri, 5 Nov 2021 14:04:04 +0100 (CET) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pve-devel@lists.proxmox.com Date: Fri, 5 Nov 2021 14:03:41 +0100 Message-Id: <20211105130359.40803-5-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211105130359.40803-1-f.gruenbichler@proxmox.com> References: <20211105130359.40803-1-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.319 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH proxmox-websocket-tunnel 3/4] add fingerprint validation X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Nov 2021 13:04:36 -0000 in case we have no explicit fingerprint, we use openssl's regular "PEER" verification. if we have a fingerprint, we ignore openssl altogether and just verify the fingerprint of the presented leaf certificate. Signed-off-by: Fabian Grünbichler --- Cargo.toml | 1 + src/main.rs | 47 ++++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 45 insertions(+), 3 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 9d2a8c6..adf83f9 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -16,6 +16,7 @@ futures-util = "0.3" hyper = { version = "0.14" } openssl = "0.10" percent-encoding = "2" +proxmox = { version = "0.15" } proxmox-http = { version = "0.5.2", path = "../proxmox/proxmox-http", features = ["websocket", "client"] } serde = { version = "1.0", features = ["derive"] } serde_json = "1.0" diff --git a/src/main.rs b/src/main.rs index 150c1cf..0733141 100644 --- a/src/main.rs +++ b/src/main.rs @@ -138,9 +138,50 @@ impl CtrlTunnel { } let mut ssl_connector_builder = SslConnector::builder(SslMethod::tls()).unwrap(); - if fingerprint.is_some() { - // FIXME actually verify fingerprint via callback! - ssl_connector_builder.set_verify(openssl::ssl::SslVerifyMode::NONE); + if let Some(expected) = fingerprint { + ssl_connector_builder.set_verify_callback( + openssl::ssl::SslVerifyMode::NONE, + move |_valid, ctx| { + let cert = match ctx.current_cert() { + Some(cert) => cert, + None => { + eprintln!("SSL context lacks current certificate."); + return false; + } + }; + + let depth = ctx.error_depth(); + if depth != 0 { + return true; + } + + let fp = match cert.digest(openssl::hash::MessageDigest::sha256()) { + Ok(fp) => fp, + Err(err) => { + // should not happen + eprintln!("failed to calculate certificate FP - {}", err); + return false; + } + }; + let fp_string = proxmox::tools::digest_to_hex(&fp); + let fp_string = fp_string + .as_bytes() + .chunks(2) + .map(|v| std::str::from_utf8(v).unwrap()) + .collect::>() + .join(":"); + + let expected = expected.to_lowercase(); + if expected == fp_string { + true + } else { + eprintln!("certificate fingerprint does not match expected fingerprint!"); + eprintln!("expected: {}", expected); + eprintln!("encountered: {}", fp_string); + false + } + }, + ); } else { ssl_connector_builder.set_verify(openssl::ssl::SslVerifyMode::PEER); } -- 2.30.2