author | TheAifam5 <theaifam5@gmail.com> | 2021-08-09 16:53:21 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-08-09 16:53:21 +0200 |
commit | 353a4a1af3165b2c59319865350d70a99105269c (patch) | |
tree | 32eb71ccef95552bd4ec4af176b7ddcfe51d172c /extensions/tls/lib.rs | |
parent | 3ab50b355141f744a0acec1a5cc3b3b95247d4b1 (diff) |
feat: Add --unsafely-treat-insecure-origin-as-secure flag to disable SSL verification (#11324)
This commit adds the "--unsafely-treat-insecure-origin-as-secure" flag,
which disables SSL verification for all domains, or only for the specific
domains passed as arguments to the flag.
Co-authored-by: Bartek IwaĆczuk <biwanczuk@gmail.com>
Diffstat (limited to 'extensions/tls/lib.rs')
-rw-r--r-- | extensions/tls/lib.rs | 59 |
1 files changed, 58 insertions, 1 deletions
diff --git a/extensions/tls/lib.rs b/extensions/tls/lib.rs
index f91249792..2a15b4e75 100644
--- a/extensions/tls/lib.rs
+++ b/extensions/tls/lib.rs
@@ -16,20 +16,65 @@ use reqwest::header::HeaderMap;
 use reqwest::header::USER_AGENT;
 use reqwest::redirect::Policy;
 use reqwest::Client;
+use rustls::internal::msgs::handshake::DigitallySignedStruct;
+use rustls::Certificate;
 use rustls::ClientConfig;
+use rustls::HandshakeSignatureValid;
 use rustls::RootCertStore;
+use rustls::ServerCertVerified;
+use rustls::ServerCertVerifier;
 use rustls::StoresClientSessions;
+use rustls::TLSError;
 use serde::Deserialize;
 use std::collections::HashMap;
 use std::io::BufReader;
 use std::io::Cursor;
 use std::sync::Arc;
+use webpki::DNSNameRef;
 /// This extension has no runtime apis, it only exports some shared native functions.
 pub fn init() -> Extension {
 Extension::builder().build()
 }
+pub struct NoCertificateVerification(pub Vec<String>);
+
+impl ServerCertVerifier for NoCertificateVerification {
+ fn verify_server_cert(
+ &self,
+ _roots: &RootCertStore,
+ _presented_certs: &[Certificate],
+ dns_name: DNSNameRef<'_>,
+ _ocsp: &[u8],
+ ) -> Result<ServerCertVerified, TLSError> {
+ let dns_name: &str = dns_name.into();
+ let dns_name: String = dns_name.to_owned();
+ if self.0.is_empty() || self.0.contains(&dns_name) {
+ Ok(ServerCertVerified::assertion())
+ } else {
+ Err(TLSError::General(dns_name))
+ }
+ }
+
+ fn verify_tls12_signature(
+ &self,
+ _message: &[u8],
+ _cert: &Certificate,
+ _dss: &DigitallySignedStruct,
+ ) -> Result<HandshakeSignatureValid, TLSError> {
+ Ok(HandshakeSignatureValid::assertion())
+ }
+
+ fn verify_tls13_signature(
+ &self,
+ _message: &[u8],
+ _cert: &Certificate,
+ _dss: &DigitallySignedStruct,
+ ) -> Result<HandshakeSignatureValid, TLSError> {
+ Ok(HandshakeSignatureValid::assertion())
+ }
+}
+
 #[derive(Deserialize, Default, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
 #[serde(default)]
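Review bot: `verify_server_cert` returns `Err(TLSError::General(dns_name))` for every name that is not on the allowlist, and since `set_certificate_verifier` in the `create_client_config` hunk replaces the default verifier outright, passing a domain list makes connections to every other host fail instead of being verified normally — the flag can only be used as "all or nothing" in practice. The verifier needs to keep the verifier that `ClientConfig::new()` installs as a fallback and delegate to it in the `else` branch; I believe this rustls version exports it as `rustls::WebPKIVerifier` under the `dangerous_configuration` feature the `dangerous()` call already relies on, but please confirm against the pinned version before taking the sketch below. `verify_tls12_signature` and `verify_tls13_signature` likewise return `HandshakeSignatureValid::assertion()` unconditionally, so once a fallback exists they should delegate whenever the list is non-empty; the default implementation only checks the handshake signature against the presented certificate's key, so delegating is safe even for exempted hosts and proves the peer holds the key. `self.0.contains(&dns_name)` is an exact byte comparison while DNS names are case-insensitive, so a mixed-case entry on the command line would presumably never match — normalising both sides to lowercase avoids that surprise. With the struct no longer a tuple, the constructor hunk becomes `NoCertificateVerification::new(ic_allowlist)`.
```rust
pub struct NoCertificateVerification {
  ic_allowlist: Vec<String>,
  // Used for every host that is not exempted by the allowlist.
  default_verifier: WebPKIVerifier,
}

impl NoCertificateVerification {
  pub fn new(ic_allowlist: Vec<String>) -> Self {
    Self {
      ic_allowlist: ic_allowlist.into_iter().map(|h| h.to_lowercase()).collect(),
      default_verifier: WebPKIVerifier::new(),
    }
  }

  fn is_exempt(&self, dns_name: &str) -> bool {
    // An empty list means "skip verification for all hosts".
    self.ic_allowlist.is_empty()
      || self.ic_allowlist.iter().any(|h| h == &dns_name.to_lowercase())
  }
}

impl ServerCertVerifier for NoCertificateVerification {
  fn verify_server_cert(
    &self,
    roots: &RootCertStore,
    presented_certs: &[Certificate],
    dns_name: DNSNameRef<'_>,
    ocsp: &[u8],
  ) -> Result<ServerCertVerified, TLSError> {
    let name: &str = dns_name.into();
    if self.is_exempt(name) {
      return Ok(ServerCertVerified::assertion());
    }
    // Not exempted: run the normal chain, hostname and OCSP checks.
    self
      .default_verifier
      .verify_server_cert(roots, presented_certs, dns_name, ocsp)
  }

  fn verify_tls12_signature(
    &self,
    message: &[u8],
    cert: &Certificate,
    dss: &DigitallySignedStruct,
  ) -> Result<HandshakeSignatureValid, TLSError> {
    if self.ic_allowlist.is_empty() {
      return Ok(HandshakeSignatureValid::assertion());
    }
    self.default_verifier.verify_tls12_signature(message, cert, dss)
  }

  // … verify_tls13_signature: same shape, delegating to
  // self.default_verifier.verify_tls13_signature …
}
```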
@@ -80,6 +125,7 @@ pub fn create_default_root_cert_store() -> RootCertStore {
 pub fn create_client_config(
 root_cert_store: Option<RootCertStore>,
 ca_data: Option<Vec<u8>>,
+ unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>,
 ) -> Result<ClientConfig, AnyError> {
 let mut tls_config = ClientConfig::new();
 tls_config.set_persistence(CLIENT_SESSION_MEMORY_CACHE.clone());
@@ -95,6 +141,12 @@ pub fn create_client_config(
 }
 }
+ if let Some(ic_allowlist) = unsafely_treat_insecure_origin_as_secure {
+ tls_config.dangerous().set_certificate_verifier(Arc::new(
+ NoCertificateVerification(ic_allowlist),
+ ));
+ }
+
 Ok(tls_config)
 }
@@ -105,8 +157,13 @@ pub fn create_http_client(
 root_cert_store: Option<RootCertStore>,
 ca_data: Option<Vec<u8>>,
 proxy: Option<Proxy>,
+ unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>,
 ) -> Result<Client, AnyError> {
- let tls_config = create_client_config(root_cert_store, ca_data)?;
+ let tls_config = create_client_config(
+ root_cert_store,
+ ca_data,
+ unsafely_treat_insecure_origin_as_secure,
+ )?;
 let mut headers = HeaderMap::new();
 headers.insert(USER_AGENT, user_agent.parse().unwrap());
 let mut builder = Client::builder() |
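Review bot: The new `unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>` parameter on `create_client_config` encodes three states that nothing documents: `None` keeps normal verification, `Some(vec![])` disables it for every host (`NoCertificateVerification` treats an empty list as "all"), and `Some(list)` exempts only the listed DNS names. Both `create_client_config` and the `create_http_client` hunk below are `pub`, so the contract should be stated on each, e.g. `/// \`None\` verifies server certificates normally; \`Some(hosts)\` skips verification for the listed DNS names, and an empty list skips it for every host.` The "empty means everything" rule is easy to trigger by accident from a caller that builds the list from parsed flags, so an enum with explicit `All` and `Hosts(Vec<String>)` variants would be a safer shape for the parameter than a bare `Vec<String>`, if the callers can be adjusted.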