rough integration of async-tls CertChecks (strict and automatic but not more finegrained work)

2026-04-26 01:46:34 +03:00 · 2019-11-11 23:22:02 +01:00
parent b13ca0d077
commit a867452927
4 changed files with 49 additions and 26 deletions
--- a/src/login_param.rs
+++ b/src/login_param.rs
@@ -3,6 +3,10 @@ use std::fmt;

 use crate::context::Context;
 use crate::error::Error;
+use async_std::sync::Arc;
+use async_tls;
+use rustls;
+use webpki;

 #[derive(Copy, Clone, Debug, Display, FromPrimitive)]
 #[repr(i32)]
@@ -251,28 +255,46 @@ fn get_readable_flags(flags: i32) -> String {
    res
 }

-// pub fn dc_build_tls(
-//     certificate_checks: CertificateChecks,
-// ) -> Result<native_tls::TlsConnector, native_tls::Error> {
-//     let mut tls_builder = native_tls::TlsConnector::builder();
-//     match certificate_checks {
-//         CertificateChecks::Automatic => {
-//             // Same as AcceptInvalidCertificates for now.
-//             // TODO: use provider database when it becomes available
-//             tls_builder
-//                 .danger_accept_invalid_hostnames(true)
-//                 .danger_accept_invalid_certs(true)
-//         }
-//         CertificateChecks::Strict => &mut tls_builder,
-//         CertificateChecks::AcceptInvalidHostnames => {
-//             tls_builder.danger_accept_invalid_hostnames(true)
-//         }
-//         CertificateChecks::AcceptInvalidCertificates => tls_builder
-//             .danger_accept_invalid_hostnames(true)
-//             .danger_accept_invalid_certs(true),
-//     }
-//     .build()
-// }
+pub struct NoCertificateVerification {}
+
+impl rustls::ServerCertVerifier for NoCertificateVerification {
+    fn verify_server_cert(
+        &self,
+        _roots: &rustls::RootCertStore,
+        _presented_certs: &[rustls::Certificate],
+        _dns_name: webpki::DNSNameRef<'_>,
+        _ocsp: &[u8],
+    ) -> Result<rustls::ServerCertVerified, rustls::TLSError> {
+        Ok(rustls::ServerCertVerified::assertion())
+    }
+}
+
+pub fn dc_build_tls(certificate_checks: CertificateChecks) -> async_tls::TlsConnector {
+    let mut config = rustls::ClientConfig::new();
+    match certificate_checks {
+        CertificateChecks::Strict => {}
+        CertificateChecks::Automatic => {
+            // Same as AcceptInvalidCertificates for now.
+            // TODO: use provider database when it becomes available
+            config
+                .dangerous()
+                .set_certificate_verifier(Arc::new(NoCertificateVerification {}));
+        }
+        CertificateChecks::AcceptInvalidCertificates => {
+            // TODO: only accept invalid certs
+            config
+                .dangerous()
+                .set_certificate_verifier(Arc::new(NoCertificateVerification {}));
+        }
+        CertificateChecks::AcceptInvalidHostnames => {
+            // TODO: only accept invalid hostnames
+            config
+                .dangerous()
+                .set_certificate_verifier(Arc::new(NoCertificateVerification {}));
+        }
+    }
+    Arc::new(config).into()
+}

 #[cfg(test)]
 mod tests {