From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 664A060DDE for ; Thu, 3 Feb 2022 13:42:05 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5C80E26828 for ; Thu, 3 Feb 2022 13:42:05 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 89E8626769 for ; Thu, 3 Feb 2022 13:42:02 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 6246241AF7 for ; Thu, 3 Feb 2022 13:42:02 +0100 (CET) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pve-devel@lists.proxmox.com Date: Thu, 3 Feb 2022 13:41:27 +0100 Message-Id: <20220203124143.1931377-7-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220203124143.1931377-1-f.gruenbichler@proxmox.com> References: <20220203124143.1931377-1-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.214 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [main.rs] Subject: [pve-devel] [PATCH v4 proxmox-websocket-tunnel 3/4] add fingerprint validation X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Feb 2022 12:42:05 -0000 in case we have no explicit fingerprint, we use openssl's regular "PEER" verification. if we have a fingerprint, we ignore openssl verification results altogether and just verify the fingerprint of the presented leaf certificate, skipping the rest of the certificate chain (depth != 0). Signed-off-by: Fabian Grünbichler --- Notes: v4: add comments, improve commit message, switch to PEER mode v3: switch to using hex instead of no-longer-existing digest_to_hex v2: new src/main.rs | 49 ++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 46 insertions(+), 3 deletions(-) diff --git a/src/main.rs b/src/main.rs index 582214c..8ca7929 100644 --- a/src/main.rs +++ b/src/main.rs @@ -134,9 +134,52 @@ impl CtrlTunnel { } let mut ssl_connector_builder = SslConnector::builder(SslMethod::tls())?; - if fingerprint.is_some() { - // FIXME actually verify fingerprint via callback! - ssl_connector_builder.set_verify(openssl::ssl::SslVerifyMode::NONE); + if let Some(expected) = fingerprint { + ssl_connector_builder.set_verify_callback( + openssl::ssl::SslVerifyMode::PEER, + move |_valid, ctx| { + let cert = match ctx.current_cert() { + Some(cert) => cert, + None => { + // should not happen + eprintln!("SSL context lacks current certificate."); + return false; + } + }; + + // skip CA certificates, we only care about the peer cert + let depth = ctx.error_depth(); + if depth != 0 { + return true; + } + + let fp = match cert.digest(openssl::hash::MessageDigest::sha256()) { + Ok(fp) => fp, + Err(err) => { + // should not happen + eprintln!("failed to calculate certificate FP - {}", err); + return false; + } + }; + let fp_string = hex::encode(&fp); + let fp_string = fp_string + .as_bytes() + .chunks(2) + .map(|v| std::str::from_utf8(v).unwrap()) + .collect::>() + .join(":"); + + let expected = expected.to_lowercase(); + if expected == fp_string { + true + } else { + eprintln!("certificate fingerprint does not match expected fingerprint!"); + eprintln!("expected: {}", expected); + eprintln!("encountered: {}", fp_string); + false + } + }, + ); } else { ssl_connector_builder.set_verify(openssl::ssl::SslVerifyMode::PEER); } -- 2.30.2