update main example: proper ss cert check, changes in lib API

2024-08-06 11:57:42 +04:00 · 2024-08-06 11:57:42 +04:00 · 5533ec0d2b
commit 5533ec0d2b
parent 49a50aecd9
4 changed files with 229 additions and 62 deletions
--- a/examples/main.rs
+++ b/examples/main.rs
@ -1,7 +1,11 @@
-use tokio::io::{AsyncReadExt, AsyncWriteExt};
-use tokio_rustls::rustls::{
-    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
-    ClientConfig, SignatureScheme,
+use std::{io::Write, os::fd::AsFd, sync::Mutex};
+
+use dashmap::DashMap;
+use tokio::io::AsyncBufReadExt;
+use tokio_gemini::certs::{
+    fingerprint::{self, generate_fingerprint},
+    insecure::AllowAllCertVerifier,
+    verifier::{SelfsignedCert, SelfsignedCertVerifier},
 };

 #[tokio::main]
@ -22,91 +26,175 @@ async fn main() -> Result<(), tokio_gemini::LibError> {
    }

    let client = if insecure {
-        tokio_gemini::Client::from(get_insecure_config())
+        tokio_gemini::Client::builder()
+            .with_custom_verifier(AllowAllCertVerifier::yes_i_know_what_i_am_doing())
+            .build()
    } else {
-        tokio_gemini::Client::default()
+        tokio_gemini::Client::builder()
+            .with_webpki_roots() // TODO: do we really need them?
+            .with_selfsigned_cert_verifier(CertVerifier::init().await?)
+            .build()
    };
+
    let mut resp = client.request(&url).await?;
+
    {
        let status_code = resp.status().status_code();
        let status_num: u8 = status_code.into();
        eprintln!("{} {:?}", status_num, status_code);
    }
+
    if resp.status().reply_type() == tokio_gemini::ReplyType::Success {
        let mime = resp.mime()?;
        eprintln!("Mime: {}", mime);
-        let mut buf = [0u8, 128];
-        let body = resp.body();
+
        if mime.type_() == mime::TEXT {
-            loop {
-                let n = body.read(&mut buf).await?;
-                if n == 0 {
-                    break;
-                }
-                print!("{}", std::str::from_utf8(&buf[..n])?);
-            }
+            println!("{}", resp.text().await?);
        } else {
            eprintln!("Downloading into content.bin");
            let mut f = tokio::fs::File::create("content.bin").await?;
-            loop {
-                let n = body.read(&mut buf).await?;
-                if n == 0 {
-                    break;
-                }
-                f.write_all(&buf[..n]).await?;
-            }
+            tokio::io::copy(&mut resp.stream(), &mut f).await?;
        }
    } else {
        eprintln!("Message: {}", resp.message());
    }
+
    Ok(())
 }

-fn get_insecure_config() -> ClientConfig {
-    ClientConfig::builder()
-        .dangerous()
-        .with_custom_certificate_verifier(std::sync::Arc::new(NoCertVerification {}))
-        .with_no_client_auth()
+struct CertVerifier {
+    f: Mutex<std::fs::File>,
+    map: DashMap<String, SelfsignedCert>,
 }

-#[derive(Debug)]
-struct NoCertVerification;
+impl CertVerifier {
+    async fn init() -> Result<Self, tokio_gemini::LibError> {
+        let map = DashMap::new();

-impl ServerCertVerifier for NoCertVerification {
-    fn verify_server_cert(
-        &self,
-        end_entity: &tokio_rustls::rustls::pki_types::CertificateDer<'_>,
-        intermediates: &[tokio_rustls::rustls::pki_types::CertificateDer<'_>],
-        server_name: &tokio_rustls::rustls::pki_types::ServerName<'_>,
-        ocsp_response: &[u8],
-        now: tokio_rustls::rustls::pki_types::UnixTime,
-    ) -> Result<ServerCertVerified, tokio_rustls::rustls::Error> {
-        Ok(ServerCertVerified::assertion())
-    }
+        if tokio::fs::try_exists("known_hosts").await? {
+            let mut f = tokio::fs::OpenOptions::new()
+                .read(true)
+                .open("known_hosts")
+                .await?;

-    fn verify_tls12_signature(
-        &self,
-        message: &[u8],
-        cert: &tokio_rustls::rustls::pki_types::CertificateDer<'_>,
-        dss: &tokio_rustls::rustls::DigitallySignedStruct,
-    ) -> Result<HandshakeSignatureValid, tokio_rustls::rustls::Error> {
-        Ok(HandshakeSignatureValid::assertion())
-    }
+            let mut reader = tokio::io::BufReader::new(&mut f);

-    fn verify_tls13_signature(
-        &self,
-        message: &[u8],
-        cert: &tokio_rustls::rustls::pki_types::CertificateDer<'_>,
-        dss: &tokio_rustls::rustls::DigitallySignedStruct,
-    ) -> Result<HandshakeSignatureValid, tokio_rustls::rustls::Error> {
-        Ok(HandshakeSignatureValid::assertion())
-    }
+            let mut buf = String::new();
+            loop {
+                buf.clear();
+                let n = reader.read_line(&mut buf).await?;
+                if n == 0 {
+                    break;
+                }

-    fn supported_verify_schemes(&self) -> Vec<tokio_rustls::rustls::SignatureScheme> {
-        vec![
-            SignatureScheme::ECDSA_NISTP256_SHA256,
-            SignatureScheme::ECDSA_NISTP384_SHA384,
-            SignatureScheme::ECDSA_NISTP521_SHA512,
-        ]
+                // Format:
+                // host <space> expires <space> hash-algo <space> fingerprint
+                // Example:
+                // dc09.ru 1722930541 sha512 dGVzdHRlc3R0ZXN0Cg
+                if let [host, expires, algo, fp] = buf
+                    .split_whitespace()
+                    .take(4)
+                    .collect::<Vec<&str>>()
+                    .as_slice()
+                {
+                    let expires = if let Ok(num) = expires.parse::<u64>() {
+                        num
+                    } else {
+                        eprintln!("Cannot parse expires = {:?} as u64", expires);
+                        continue;
+                    };
+
+                    let algo = match algo {
+                        &"sha256" => fingerprint::Algorithm::Sha256,
+                        &"sha512" => fingerprint::Algorithm::Sha512,
+                        &_ => {
+                            eprintln!("Unknown hash algorithm {:?}, skipping", algo);
+                            continue;
+                        }
+                    };
+
+                    map.insert(
+                        (*host).to_owned(),
+                        SelfsignedCert {
+                            algo,
+                            fingerprint: (*fp).to_owned(),
+                            expires,
+                        },
+                    );
+                } else {
+                    eprintln!("Cannot parse line: {:?}", buf);
+                    continue;
+                }
+            }
+        }
+
+        let f = Mutex::new(
+            std::fs::OpenOptions::new()
+                .append(true)
+                .create(true)
+                .open("known_hosts")?,
+        );
+
+        Ok(CertVerifier { f, map })
+    }
+}
+
+impl SelfsignedCertVerifier for CertVerifier {
+    fn verify(
+        &self,
+        cert: &tokio_gemini::certs::verifier::CertificateDer,
+        host: &str,
+        _now: tokio_gemini::certs::verifier::UnixTime,
+    ) -> Result<bool, tokio_rustls::rustls::Error> {
+        if let Some(known_cert) = self.map.get(host) {
+            // if host is found in known_hosts, compare certs
+            let this_fp = generate_fingerprint(cert, known_cert.algo);
+            if this_fp == known_cert.fingerprint {
+                // current cert hash matches known cert hash
+                eprintln!("Cert for {} matched: {}", &host, &this_fp);
+                Ok(true)
+            } else {
+                // TODO (after implementing `expires`) update cert if known is expired
+                eprintln!(
+                    "Error: certs do not match! Possibly MitM attack.\nKnown FP: {}\nGot:      {}",
+                    &known_cert.fingerprint, &this_fp,
+                );
+                Ok(false)
+            }
+        } else {
+            // host is unknown, generate hash and add to known_hosts
+            let this_fp = generate_fingerprint(cert, fingerprint::Algorithm::Sha512);
+            eprintln!(
+                "Warning: updating known_hosts with cert {} for {}",
+                &this_fp, &host,
+            );
+
+            (|| {
+                // trick with cloning file descriptor
+                // because we are not allowed to mutate &self
+                let mut f = std::fs::File::from(
+                    self.f.lock().unwrap().as_fd().try_clone_to_owned().unwrap(),
+                );
+                f.write_all(host.as_bytes())?;
+                f.write_all(b" 0 sha512 ")?; // TODO after implementing `expires`
+                f.write_all(&this_fp.as_bytes())?;
+                f.write(b"\n")?;
+                Ok::<(), std::io::Error>(())
+            })()
+            .unwrap_or_else(|e| {
+                eprintln!("Could not add cert to file: {:?}", e);
+            });
+
+            self.map.insert(
+                host.to_owned(),
+                SelfsignedCert {
+                    algo: fingerprint::Algorithm::Sha512,
+                    fingerprint: this_fp,
+                    expires: 0, // TODO after implementing cert parsing in tokio-gemini
+                },
+            );
+
+            Ok(true)
+        }
    }
 }