tuxmain/rust-rpxy
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

deps and refactor

Browse source
This commit is contained in:
Jun Kurihara 2022-10-11 15:35:46 +09:00
commit 62fe6a0b49
No known key found for this signature in database
GPG key ID: 48ADFD173ED22B03
3 changed files with 37 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

2
h3

@ -1 +1 @@
Subproject commit 90ef1f7183640f3bc0779fd598e4dd0b621d0753 Subproject commit 720da6d652c41a5ac2b56c9bf602b756bd0032d3

2
src/backend/mod.rs
View file

@ -110,7 +110,7 @@ impl Backend {
} }
fn read_client_ca_certs(&self) -> io::Result<(Vec<OwnedTrustAnchor>, HashSet<Vec<u8>>)> { fn read_client_ca_certs(&self) -> io::Result<(Vec<OwnedTrustAnchor>, HashSet<Vec<u8>>)> {
debug!("Read CA certificate for client authentication"); debug!("Read CA certificates for client authentication");
// Reads client certificate and returns client // Reads client certificate and returns client
let client_ca_cert_path = { let client_ca_cert_path = {
if let Some(c) = self.client_ca_cert_path.as_ref() { if let Some(c) = self.client_ca_cert_path.as_ref() {

37
src/proxy/proxy_client_cert.rs
View file

@ -9,11 +9,29 @@ pub(super) fn check_client_authentication(
client_certs: Option<&[Certificate]>, client_certs: Option<&[Certificate]>,
client_certs_setting_for_sni: Option<&HashSet<Vec<u8>>>, client_certs_setting_for_sni: Option<&HashSet<Vec<u8>>>,
) -> Result<()> { ) -> Result<()> {
if let Some(client_ca_keyids_set) = client_certs_setting_for_sni { let client_ca_keyids_set = match client_certs_setting_for_sni {
if let Some(client_certs) = client_certs { Some(c) => c,
debug!("Incoming TLS client is (temporarily) authenticated via client cert"); None => {
// Check client certificate key ids // No client cert settings for given server name
return Ok(());
}
};
let client_certs = match client_certs {
Some(c) => {
debug!("Incoming TLS client is (temporarily) authenticated via client cert");
c
}
None => {
// TODO: return 403 here
error!("Client certificate is needed for given server name");
return Err(RpxyError::Proxy(
"Client certificate is needed for given server name".to_string(),
));
}
};
// Check client certificate key ids
let mut client_certs_parsed_iter = client_certs.iter().filter_map(|d| parse_x509_certificate(&d.0).ok()); let mut client_certs_parsed_iter = client_certs.iter().filter_map(|d| parse_x509_certificate(&d.0).ok());
let match_server_crypto_and_client_cert = client_certs_parsed_iter.any(|c| { let match_server_crypto_and_client_cert = client_certs_parsed_iter.any(|c| {
let mut filtered = c.1.iter_extensions().filter_map(|e| { let mut filtered = c.1.iter_extensions().filter_map(|e| {
@ -23,9 +41,9 @@ pub(super) fn check_client_authentication(
None None
} }
}); });
filtered.any(|id| client_ca_keyids_set.contains(id.0)) filtered.any(|id| client_ca_keyids_set.contains(id.0))
}); });
if !match_server_crypto_and_client_cert { if !match_server_crypto_and_client_cert {
// TODO: return 403 here // TODO: return 403 here
error!("Inconsistent client certificate for given server name"); error!("Inconsistent client certificate for given server name");
@ -33,13 +51,6 @@ pub(super) fn check_client_authentication(
"Inconsistent client certificate for given server name".to_string(), "Inconsistent client certificate for given server name".to_string(),
)); ));
} }
} else {
// TODO: return 403 here
error!("Client certificate is needed for given server name");
return Err(RpxyError::Proxy(
"Client certificate is needed for given server name".to_string(),
));
}
}
Ok(()) Ok(())
} }