1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119

use rustls;
use rustls::{Session, ClientSession};

use std::io;
use std::io::prelude::*;
use std::net::TcpStream;


pub mod danger {
    use rustls;
    use sha2::{Sha256, Digest};
    use base64;
    use webpki;

    use crate::error::Error;

    pub struct PinnedCertificateVerification {}

    fn verify_fingerprint(trusted: &str, cert: &rustls::Certificate) -> Result<(), Error> {
        let idx = match trusted.find('-') {
            Some(idx) => idx,
            None => bail!("malformed fingerprint"),
        };

        let (algo, trusted_fp) = trusted.split_at(idx);

        let trusted_fp = base64::decode_config(&trusted_fp[1..], base64::URL_SAFE_NO_PAD).unwrap();

        let fingerprint = match algo {
            "SHA256" => {
                let mut h = Sha256::new();
                h.input(&cert.0);
                h.result().to_vec()
            },
            _ => bail!("unknown hash alog"),
        };

        if trusted_fp == fingerprint {
            Ok(())
        } else {
            Err("untrusted fingerprint".into())
        }
    }

    impl rustls::ServerCertVerifier for PinnedCertificateVerification {

        fn verify_server_cert(&self,
                              _roots: &rustls::RootCertStore,
                              presented_certs: &[rustls::Certificate],
                              dns_name: webpki::DNSNameRef,
                              _ocsp: &[u8]) -> Result<rustls::ServerCertVerified, rustls::TLSError> {

            for cert in presented_certs {
                if verify_fingerprint(dns_name.into(), &cert).is_ok() {
                    return Ok(rustls::ServerCertVerified::assertion());
                }
            }

            Err(rustls::TLSError::WebPKIError(webpki::Error::CertNotValidForName))
        }
    }
}


#[derive(Debug)]
pub struct OwnedTlsStream {
    pub sess: rustls::ClientSession,
    pub sock: TcpStream,
}

impl OwnedTlsStream {
    pub fn new(sess: ClientSession, sock: TcpStream) -> OwnedTlsStream {
        OwnedTlsStream { sess, sock }
    }

    fn complete_prior_io(&mut self) -> io::Result<()> {
        if self.sess.is_handshaking() {
            self.sess.complete_io(&mut self.sock)?;
        }

        if self.sess.wants_write() {
            self.sess.complete_io(&mut self.sock)?;
        }

        Ok(())
    }
}

impl Read for OwnedTlsStream {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.complete_prior_io()?;

        if self.sess.wants_read() {
            self.sess.complete_io(&mut self.sock)?;
        }

        self.sess.read(buf)
    }
}

impl Write for OwnedTlsStream {
    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
        self.complete_prior_io()?;

        let len = self.sess.write(buf)?;
        self.sess.complete_io(&mut self.sock)?;
        Ok(len)
    }

    fn flush(&mut self) -> io::Result<()> {
        self.complete_prior_io()?;

        self.sess.flush()?;
        if self.sess.wants_write() {
            self.sess.complete_io(&mut self.sock)?;
        }
        Ok(())
    }
}