Feature/validate cert (#3)

hlhr202 · web-flow · commit cc27490f5b97 · 2024-03-25T11:49:25.000+08:00
* feat: impl naive cert validation

* feat: impl allow insecure ssl cert in frontend
diff --git a/crates/openconnect-core/Cargo.toml b/crates/openconnect-core/Cargo.toml
@@ -32,3 +32,6 @@ chacha20poly1305 = { workspace = true }
 [target.'cfg(windows)'.dependencies]
 windows-sys = { workspace = true }
 windows = { workspace = true }
+
+[[example]]
+name = "password_server"
diff --git a/crates/openconnect-core/examples/password_server.rs b/crates/openconnect-core/examples/password_server.rs
@@ -24,6 +24,7 @@ fn main() -> anyhow::Result<()> {
         .password(&env::var("VPN_PASSWORD").unwrap())
         .protocol(protocol)
         .enable_udp(true)
+        .accept_insecure_cert(true)
         .build()?;
 
     client.connect(entrypoint)?;
diff --git a/crates/openconnect-core/src/cert.rs b/crates/openconnect-core/src/cert.rs
@@ -1,41 +1,65 @@
 use crate::VpnClient;
 use openconnect_sys::*;
+use std::ffi::{CStr, CString};
 
-pub static mut ACCEPTED_CERTS: *mut AcceptedCert = std::ptr::null_mut();
-
+#[derive(Debug, PartialEq, Eq)]
 pub struct AcceptedCert {
-    next: *mut AcceptedCert,
-    fingerprint: *mut ::std::os::raw::c_char,
-    host: *const ::std::os::raw::c_char,
-    port: i32,
+    pub fingerprint: String,
+    pub host: Option<String>,
+    pub port: i32,
+}
+
+#[derive(Debug, Default)]
+pub struct OpenSSLCert {
+    pub accepted_certs: Vec<AcceptedCert>,
 }
 
 pub extern "C" fn validate_peer_cert(
     _privdata: *mut ::std::os::raw::c_void,
     _reason: *const ::std::os::raw::c_char,
 ) -> ::std::os::raw::c_int {
     let ctx = VpnClient::from_c_void(_privdata);
+    let openssl_cert = unsafe { &mut (*ctx).certs.accepted_certs };
 
     unsafe {
         let vpninfo = (*ctx).vpninfo;
-        let _fingerprint = openconnect_get_peer_cert_hash(vpninfo);
-        let mut this = ACCEPTED_CERTS;
+        let host = (*ctx).get_hostname();
+        let port = (*ctx).get_port();
+        let peer_fingerprint = openconnect_get_peer_cert_hash(vpninfo);
 
-        while !this.is_null() {
-            if (!(*this).host.is_null() || (*this).host == openconnect_get_hostname(vpninfo))
-                && ((*this).port == 0 || (*this).port == openconnect_get_port(vpninfo))
-            {
-                let err = openconnect_check_peer_cert_hash(vpninfo, (*this).fingerprint);
+        for cert in openssl_cert.iter_mut().rev() {
+            if (host.is_none() || cert.host == host) && (port == 0 || cert.port == port) {
+                let fingerprint_in_cstr =
+                    CString::new(cert.fingerprint.as_str()).expect("Invalid fingerprint");
+                let err = openconnect_check_peer_cert_hash(vpninfo, fingerprint_in_cstr.as_ptr());
                 if err == 0 {
                     return 0;
                 }
                 if err < 0 {
-                    println!("Certificate hash check failed");
+                    // TODO: log error
+                    println!("Could not check peer cert hash: {}", cert.fingerprint);
                 }
             }
-            this = (*this).next;
         }
-    }
 
-    0
+        // SAFETY: we should not use CString::from_raw(peer_fingerprint)
+        // because peer_fingerprint will be deallocated in rust and cause a double free
+        let fingerprint = CStr::from_ptr(peer_fingerprint)
+            .to_string_lossy()
+            .to_string();
+
+        if (*ctx).handle_accept_insecure_cert(&fingerprint) {
+            let newcert = AcceptedCert {
+                fingerprint,
+                host,
+                port,
+            };
+            openssl_cert.push(newcert);
+            println!("User accepted insecure certificate");
+            0
+        } else {
+            println!("User rejected insecure certificate");
+            1
+        }
+    }
 }
diff --git a/crates/openconnect-core/src/config.rs b/crates/openconnect-core/src/config.rs
@@ -79,6 +79,7 @@ pub struct Entrypoint {
     pub protocol: Protocol,
     pub cookie: Option<String>,
     pub enable_udp: bool,
+    pub accept_insecure_cert: bool,
 }
 
 pub struct EntrypointBuilder {
@@ -89,6 +90,7 @@ pub struct EntrypointBuilder {
     protocol: Option<Protocol>,
     cookie: Option<String>,
     enable_udp: bool,
+    accept_insecure_cert: Option<bool>,
 }
 
 impl EntrypointBuilder {
@@ -101,6 +103,7 @@ impl EntrypointBuilder {
             protocol: None,
             cookie: None,
             enable_udp: true,
+            accept_insecure_cert: None,
         }
     }
 
@@ -139,6 +142,11 @@ impl EntrypointBuilder {
         self
     }
 
+    pub fn accept_insecure_cert(&mut self, accept_insecure_cert: bool) -> &mut Self {
+        self.accept_insecure_cert = Some(accept_insecure_cert);
+        self
+    }
+
     pub fn build(&self) -> OpenconnectResult<Entrypoint> {
         let server = self
             .server
@@ -160,6 +168,7 @@ impl EntrypointBuilder {
             protocol,
             cookie: self.cookie.clone(),
             enable_udp: self.enable_udp,
+            accept_insecure_cert: self.accept_insecure_cert.unwrap_or(false),
         })
     }
 }
diff --git a/crates/openconnect-core/src/events.rs b/crates/openconnect-core/src/events.rs
@@ -1,15 +1,18 @@
 use crate::{result::OpenconnectError, Status};
 use std::sync::Arc;
 
+#[allow(clippy::type_complexity)]
 #[derive(Clone)]
 pub struct EventHandlers {
     pub(crate) handle_connection_state_change: Option<Arc<dyn Fn(Status)>>,
+    pub(crate) handle_peer_cert_invalid: Option<Arc<dyn Fn(&str) -> bool>>,
 }
 
 impl EventHandlers {
     pub fn new() -> Self {
         Self {
             handle_connection_state_change: None,
+            handle_peer_cert_invalid: None,
         }
     }
 
@@ -21,6 +24,15 @@ impl EventHandlers {
         self.handle_connection_state_change = Some(Arc::new(handler));
         self
     }
+
+    pub fn with_handle_peer_cert_invalid<F>(mut self, handler: F) -> Self
+    where
+        F: Fn(&str) -> bool,
+        F: Send + 'static,
+    {
+        self.handle_peer_cert_invalid = Some(Arc::new(handler));
+        self
+    }
 }
 
 impl Default for EventHandlers {
diff --git a/crates/openconnect-core/src/lib.rs b/crates/openconnect-core/src/lib.rs
@@ -12,6 +12,7 @@ pub mod storage;
 #[cfg(target_os = "macos")]
 pub use openconnect_sys::helper_reluanch_as_root;
 
+use cert::OpenSSLCert;
 use config::{Config, Entrypoint, LogLevel};
 use events::{EventHandlers, Events};
 use form::FormContext;
@@ -46,6 +47,7 @@ pub struct VpnClient {
     callbacks: EventHandlers,
     entrypoint: RwLock<Option<Entrypoint>>,
     form_context: FormContext,
+    certs: OpenSSLCert,
 }
 
 unsafe impl Send for VpnClient {}
@@ -71,13 +73,13 @@ impl VpnClient {
         }
     }
 
-    pub(crate) extern "C" fn validate_peer_cert(
-        _privdata: *mut ::std::os::raw::c_void,
-        _reason: *const ::std::os::raw::c_char,
-    ) -> ::std::os::raw::c_int {
-        println!("validate_peer_cert");
-        0
-    }
+    // pub(crate) extern "C" fn validate_peer_cert(
+    //     _privdata: *mut ::std::os::raw::c_void,
+    //     _reason: *const ::std::os::raw::c_char,
+    // ) -> ::std::os::raw::c_int {
+    //     println!("validate_peer_cert");
+    //     0
+    // }
 
     pub(crate) extern "C" fn default_setup_tun_vfn(privdata: *mut ::std::os::raw::c_void) {
         let client = VpnClient::from_c_void(privdata);
@@ -155,6 +157,30 @@ impl VpnClient {
         println!("stats: {:?}, {:?}", dlts, stats);
     }
 
+    pub(crate) fn handle_accept_insecure_cert(&self, fingerprint: &str) -> bool {
+        let entrypoint = self.entrypoint.read();
+        let accept_in_entrypoint_config = {
+            if let Ok(entrypoint) = entrypoint {
+                (*entrypoint)
+                    .as_ref()
+                    .map(|entrypoint| entrypoint.accept_insecure_cert)
+                    .unwrap_or(false)
+            } else {
+                false
+            }
+        };
+
+        if accept_in_entrypoint_config {
+            return true;
+        }
+
+        if let Some(ref handler) = self.callbacks.handle_peer_cert_invalid {
+            handler(fingerprint)
+        } else {
+            false
+        }
+    }
+
     pub fn set_loglevel(&self, level: LogLevel) {
         unsafe {
             openconnect_set_loglevel(self.vpninfo, level as i32);
@@ -408,6 +434,7 @@ impl Connectable for VpnClient {
             callbacks,
             entrypoint: RwLock::new(None),
             form_context: FormContext::default(),
+            certs: OpenSSLCert::default(),
         });
 
         let instance = Arc::into_raw(instance) as *mut VpnClient; // dangerous, leak for assign to vpninfo
@@ -423,7 +450,7 @@ impl Connectable for VpnClient {
 
             let vpninfo = openconnect_vpninfo_new(
                 useragent.as_ptr(),
-                Some(Self::validate_peer_cert),
+                Some(cert::validate_peer_cert),
                 None,
                 Some(FormContext::process_auth_form_cb),
                 Some(helper_format_vargs), // format args on C side
diff --git a/crates/openconnect-core/src/storage.rs b/crates/openconnect-core/src/storage.rs
@@ -78,6 +78,7 @@ pub struct OidcServer {
     pub issuer: String,
     pub client_id: String,
     pub client_secret: Option<String>,
+    pub allow_insecure: Option<bool>,
     pub updated_at: Option<String>,
 }
 
@@ -88,6 +89,7 @@ pub struct PasswordServer {
     pub server: String,
     pub username: String,
     pub password: Option<String>,
+    pub allow_insecure: Option<bool>,
     pub updated_at: Option<String>,
 }
 
@@ -102,6 +104,7 @@ impl PasswordServer {
             server: self.server.clone(),
             username: self.username.clone(),
             password,
+            allow_insecure: self.allow_insecure,
             updated_at: self.updated_at.clone(),
         }
     }
@@ -116,6 +119,7 @@ impl PasswordServer {
             server: self.server.clone(),
             username: self.username.clone(),
             password,
+            allow_insecure: self.allow_insecure,
             updated_at: self.updated_at.clone(),
         }
     }
@@ -381,6 +385,7 @@ async fn test_save_config() {
         issuer: "https://example.com".to_string(),
         client_id: "client_id".to_string(),
         client_secret: Some("client_secret".to_string()),
+        allow_insecure: Some(true),
         updated_at: None,
     });
 
@@ -411,6 +416,7 @@ async fn test_config_type() {
         issuer: "https://example.com".to_string(),
         client_id: "client_id".to_string(),
         client_secret: None,
+        allow_insecure: Some(true),
         updated_at: None,
     });
 
@@ -425,6 +431,7 @@ async fn test_config_type() {
         server: "https://example.com".to_string(),
         username: "username".to_string(),
         password: Some("password".to_string()),
+        allow_insecure: Some(true),
         updated_at: None,
     });
 
diff --git a/crates/openconnect-gui/src-tauri/src/state.rs b/crates/openconnect-gui/src-tauri/src/state.rs
diff --git a/crates/openconnect-gui/src/ServerEditor.tsx b/crates/openconnect-gui/src/ServerEditor.tsx
diff --git a/crates/openconnect-gui/src/state.ts b/crates/openconnect-gui/src/state.ts

Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,7 @@ pub struct Entrypoint {`
`79`	`79`	`pub protocol: Protocol,`
`80`	`80`	`pub cookie: Option<String>,`
`81`	`81`	`pub enable_udp: bool,`
	`82`	`+ pub accept_insecure_cert: bool,`
`82`	`83`	`}`
`83`	`84`
`84`	`85`	`pub struct EntrypointBuilder {`
`@@ -89,6 +90,7 @@ pub struct EntrypointBuilder {`
`89`	`90`	`protocol: Option<Protocol>,`
`90`	`91`	`cookie: Option<String>,`
`91`	`92`	`enable_udp: bool,`
	`93`	`+ accept_insecure_cert: Option<bool>,`
`92`	`94`	`}`
`93`	`95`
`94`	`96`	`impl EntrypointBuilder {`
`@@ -101,6 +103,7 @@ impl EntrypointBuilder {`
`101`	`103`	`protocol: None,`
`102`	`104`	`cookie: None,`
`103`	`105`	`enable_udp: true,`
	`106`	`+ accept_insecure_cert: None,`
`104`	`107`	`}`
`105`	`108`	`}`
`106`	`109`
`@@ -139,6 +142,11 @@ impl EntrypointBuilder {`
`139`	`142`	`self`
`140`	`143`	`}`
`141`	`144`
	`145`	`+ pub fn accept_insecure_cert(&mut self, accept_insecure_cert: bool) -> &mut Self {`
	`146`	`+ self.accept_insecure_cert = Some(accept_insecure_cert);`
	`147`	`+ self`
	`148`	`+ }`
	`149`	`+`
`142`	`150`	`pub fn build(&self) -> OpenconnectResult<Entrypoint> {`
`143`	`151`	`let server = self`
`144`	`152`	`.server`
`@@ -160,6 +168,7 @@ impl EntrypointBuilder {`
`160`	`168`	`protocol,`
`161`	`169`	`cookie: self.cookie.clone(),`
`162`	`170`	`enable_udp: self.enable_udp,`
	`171`	`+ accept_insecure_cert: self.accept_insecure_cert.unwrap_or(false),`
`163`	`172`	`})`
`164`	`173`	`}`
`165`	`174`	`}`