Mirrors/chatmail-core
1
0
Fork 0
mirror of https://github.com/chatmail/core.git synced 2026-05-07 08:56:30 +03:00
Code Issues Packages Projects Releases Wiki Activity

rough integration of async-tls CertChecks (strict and automatic but not more finegrained work)

Browse Source
This commit is contained in:
holger krekel
2019-11-11 23:22:02 +01:00
parent 50aa68e047
commit ddcd1d8919
4 changed files with 49 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
Cargo.lock generated
View File

@@ -684,6 +684,7 @@ dependencies = [
"strum_macros 0.16.0 (registry+https://github.com/rust-lang/crates.io-index)", "strum_macros 0.16.0 (registry+https://github.com/rust-lang/crates.io-index)",
"tempfile 3.1.0 (registry+https://github.com/rust-lang/crates.io-index)", "tempfile 3.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
"thread-local-object 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)", "thread-local-object 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
"webpki 0.21.0 (registry+https://github.com/rust-lang/crates.io-index)",
"webpki-roots 0.18.0 (registry+https://github.com/rust-lang/crates.io-index)", "webpki-roots 0.18.0 (registry+https://github.com/rust-lang/crates.io-index)",
] ]

1
Cargo.toml
View File

@@ -53,6 +53,7 @@ sanitize-filename = "0.2.1"
stop-token = { version = "0.1.1", features = ["unstable"] } stop-token = { version = "0.1.1", features = ["unstable"] }
rustls = "0.16.0" rustls = "0.16.0"
webpki-roots = "0.18.0" webpki-roots = "0.18.0"
webpki = "0.21.0"
[dev-dependencies] [dev-dependencies]
tempfile = "3.0" tempfile = "3.0"

7
src/imap_client.rs
View File

@@ -8,7 +8,7 @@ use async_std::net::{self, TcpStream};
use async_std::prelude::*; use async_std::prelude::*;
use async_tls::client::TlsStream; use async_tls::client::TlsStream;
use crate::login_param::CertificateChecks; use crate::login_param::{dc_build_tls, CertificateChecks};
const DCC_IMAP_DEBUG: &str = "DCC_IMAP_DEBUG"; const DCC_IMAP_DEBUG: &str = "DCC_IMAP_DEBUG";
@@ -34,11 +34,10 @@ impl Client {
pub async fn connect_secure<A: net::ToSocketAddrs, S: AsRef<str>>( pub async fn connect_secure<A: net::ToSocketAddrs, S: AsRef<str>>(
addr: A, addr: A,
domain: S, domain: S,
_certificate_checks: CertificateChecks, certificate_checks: CertificateChecks,
) -> ImapResult<Self> { ) -> ImapResult<Self> {
let stream = TcpStream::connect(addr).await?; let stream = TcpStream::connect(addr).await?;
let tls = async_tls::TlsConnector::new(); let tls = dc_build_tls(certificate_checks);
let tls_stream = tls.connect(domain.as_ref(), stream)?.await?; let tls_stream = tls.connect(domain.as_ref(), stream)?.await?;
let mut client = ImapClient::new(tls_stream); let mut client = ImapClient::new(tls_stream);

66
src/login_param.rs
View File

@@ -3,6 +3,10 @@ use std::fmt;
use crate::context::Context; use crate::context::Context;
use crate::error::Error; use crate::error::Error;
use async_std::sync::Arc;
use async_tls;
use rustls;
use webpki;
#[derive(Copy, Clone, Debug, Display, FromPrimitive)] #[derive(Copy, Clone, Debug, Display, FromPrimitive)]
#[repr(i32)] #[repr(i32)]
@@ -251,28 +255,46 @@ fn get_readable_flags(flags: i32) -> String {
res res
} }
// pub fn dc_build_tls( pub struct NoCertificateVerification {}
// certificate_checks: CertificateChecks,
// ) -> Result<native_tls::TlsConnector, native_tls::Error> { impl rustls::ServerCertVerifier for NoCertificateVerification {
// let mut tls_builder = native_tls::TlsConnector::builder(); fn verify_server_cert(
// match certificate_checks { &self,
// CertificateChecks::Automatic => { _roots: &rustls::RootCertStore,
// // Same as AcceptInvalidCertificates for now. _presented_certs: &[rustls::Certificate],
// // TODO: use provider database when it becomes available _dns_name: webpki::DNSNameRef<'_>,
// tls_builder _ocsp: &[u8],
// .danger_accept_invalid_hostnames(true) ) -> Result<rustls::ServerCertVerified, rustls::TLSError> {
// .danger_accept_invalid_certs(true) Ok(rustls::ServerCertVerified::assertion())
// } }
// CertificateChecks::Strict => &mut tls_builder, }
// CertificateChecks::AcceptInvalidHostnames => {
// tls_builder.danger_accept_invalid_hostnames(true) pub fn dc_build_tls(certificate_checks: CertificateChecks) -> async_tls::TlsConnector {
// } let mut config = rustls::ClientConfig::new();
// CertificateChecks::AcceptInvalidCertificates => tls_builder match certificate_checks {
// .danger_accept_invalid_hostnames(true) CertificateChecks::Strict => {}
// .danger_accept_invalid_certs(true), CertificateChecks::Automatic => {
// } // Same as AcceptInvalidCertificates for now.
// .build() // TODO: use provider database when it becomes available
// } config
.dangerous()
.set_certificate_verifier(Arc::new(NoCertificateVerification {}));
}
CertificateChecks::AcceptInvalidCertificates => {
// TODO: only accept invalid certs
config
.dangerous()
.set_certificate_verifier(Arc::new(NoCertificateVerification {}));
}
CertificateChecks::AcceptInvalidHostnames => {
// TODO: only accept invalid hostnames
config
.dangerous()
.set_certificate_verifier(Arc::new(NoCertificateVerification {}));
}
}
Arc::new(config).into()
}
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {