Merge branch 'tls-name' into 'master'

Validate TLS certificates according to Matrix spec See merge request famedly/conduit!60
2021-04-23 05:22:07 +00:00 · 2021-04-23 05:22:07 +00:00 · 8c72909bb8
commit 8c72909bb8
parent 14c7ecf722 ed253e236c
5 changed files with 221 additions and 198 deletions
--- a/src/database/globals.rs
+++ b/src/database/globals.rs
@ -1,9 +1,10 @@
 use crate::{database::Config, utils, Error, Result};
-use log::error;
+use log::{error, info};
 use ruma::{
    api::federation::discovery::{ServerSigningKeys, VerifyKey},
    ServerName, ServerSigningKeyId,
 };
+use rustls::{ServerCertVerifier, WebPKIVerifier};
 use std::{
    collections::{BTreeMap, HashMap},
    sync::{Arc, RwLock},
@ -14,9 +15,11 @@ use trust_dns_resolver::TokioAsyncResolver;
 pub const COUNTER: &str = "c";

 type WellKnownMap = HashMap<Box<ServerName>, (String, String)>;
+type TlsNameMap = HashMap<String, webpki::DNSName>;
 #[derive(Clone)]
 pub struct Globals {
    pub actual_destination_cache: Arc<RwLock<WellKnownMap>>, // actual_destination, host
+    pub tls_name_override: Arc<RwLock<TlsNameMap>>,
    pub(super) globals: sled::Tree,
    config: Config,
    keypair: Arc<ruma::signatures::Ed25519KeyPair>,
@ -26,6 +29,36 @@ pub struct Globals {
    pub(super) servertimeout_signingkey: sled::Tree, // ServerName + Timeout Timestamp -> algorithm:key + pubkey
 }

+struct MatrixServerVerifier {
+    inner: WebPKIVerifier,
+    tls_name_override: Arc<RwLock<TlsNameMap>>,
+}
+
+impl ServerCertVerifier for MatrixServerVerifier {
+    fn verify_server_cert(
+        &self,
+        roots: &rustls::RootCertStore,
+        presented_certs: &[rustls::Certificate],
+        dns_name: webpki::DNSNameRef<'_>,
+        ocsp_response: &[u8],
+    ) -> std::result::Result<rustls::ServerCertVerified, rustls::TLSError> {
+        if let Some(override_name) = self.tls_name_override.read().unwrap().get(dns_name.into()) {
+            let result = self.inner.verify_server_cert(
+                roots,
+                presented_certs,
+                override_name.as_ref(),
+                ocsp_response,
+            );
+            if result.is_ok() {
+                return result;
+            }
+            info!("Server {:?} is non-compliant, retrying TLS verification with original name", dns_name);
+        }
+        self.inner
+            .verify_server_cert(roots, presented_certs, dns_name, ocsp_response)
+    }
+}
+
 impl Globals {
    pub fn load(
        globals: sled::Tree,
@ -66,10 +99,21 @@ impl Globals {
            }
        };

+        let tls_name_override = Arc::new(RwLock::new(TlsNameMap::new()));
+        let verifier = Arc::new(MatrixServerVerifier {
+            inner: WebPKIVerifier::new(),
+            tls_name_override: tls_name_override.clone(),
+        });
+        let mut tlsconfig = rustls::ClientConfig::new();
+        tlsconfig.dangerous().set_certificate_verifier(verifier);
+        tlsconfig.root_store =
+            rustls_native_certs::load_native_certs().expect("Error loading system certificates");
+
        let reqwest_client = reqwest::Client::builder()
            .connect_timeout(Duration::from_secs(30))
            .timeout(Duration::from_secs(60 * 3))
            .pool_max_idle_per_host(1)
+            .use_preconfigured_tls(tlsconfig)
            .build()
            .unwrap();

@ -86,7 +130,8 @@ impl Globals {
            dns_resolver: TokioAsyncResolver::tokio_from_system_conf().map_err(|_| {
                Error::bad_config("Failed to set up trust dns resolver with system config.")
            })?,
-            actual_destination_cache: Arc::new(RwLock::new(HashMap::new())),
+            actual_destination_cache: Arc::new(RwLock::new(WellKnownMap::new())),
+            tls_name_override,
            servertimeout_signingkey,
            jwt_decoding_key,
        })