fix certificate tampered

2025-05-13 06:20:02 -04:00 · 2024-09-07 13:34:30 -07:00 · 2024-09-07 13:34:30 -07:00 · 7c02aecc27
commit 7c02aecc27
parent 5aeea21d29
3 changed files with 106 additions and 31 deletions
--- a/client/src/stream_provider.rs
+++ b/client/src/stream_provider.rs
@ -2,7 +2,7 @@ use std::{io::ErrorKind, pin::Pin, sync::Arc, task::Poll};

 use cfg_if::cfg_if;
 use futures_rustls::{
-	rustls::{ClientConfig, RootCertStore},
+	rustls::{crypto::ring::default_provider, ClientConfig, RootCertStore},
 	TlsConnector,
 };
 use futures_util::{
@ -20,7 +20,11 @@ use wisp_mux::{
 	ClientMux, MuxStreamAsyncRW, MuxStreamIo, StreamType,
 };

-use crate::{console_log, utils::IgnoreCloseNotify, EpoxyClientOptions, EpoxyError};
+use crate::{
+	console_log,
+	utils::{IgnoreCloseNotify, NoCertificateVerification},
+	EpoxyClientOptions, EpoxyError,
+};

 pub type ProviderUnencryptedStream = MuxStreamIo;
 pub type ProviderUnencryptedAsyncRW = MuxStreamAsyncRW;
@ -60,27 +64,33 @@ impl StreamProvider {
 		wisp_generator: ProviderWispTransportGenerator,
 		options: &EpoxyClientOptions,
 	) -> Result<Self, EpoxyError> {
-		cfg_if! {
-			if #[cfg(feature = "full")] {
-				let pems: Result<Result<Vec<_>, webpki::Error>, std::io::Error> = options
-					.pem_files
-					.iter()
-					.flat_map(|x| {
-						rustls_pemfile::certs(&mut std::io::BufReader::new(x.as_bytes()))
-							.map(|x| x.map(|x| webpki::anchor_from_trusted_cert(&x).map(|x| x.to_owned())))
-							.collect::<Vec<_>>()
-					})
-					.collect();
-				let pems = pems.map_err(EpoxyError::Pemfile)??;
-				let certstore = RootCertStore::from_iter(pems.into_iter().chain(TLS_SERVER_ROOTS.iter().cloned()));
-			} else {
-				let certstore = RootCertStore::from_iter(TLS_SERVER_ROOTS.iter().cloned());
+		let client_config = if options.disable_certificate_validation {
+			ClientConfig::builder()
+				.dangerous()
+				.with_custom_certificate_verifier(Arc::new(NoCertificateVerification::new(
+					default_provider(),
+				)))
+		} else {
+			cfg_if! {
+				if #[cfg(feature = "full")] {
+					let pems: Result<Result<Vec<_>, webpki::Error>, std::io::Error> = options
+						.pem_files
+						.iter()
+						.flat_map(|x| {
+							rustls_pemfile::certs(&mut std::io::BufReader::new(x.as_bytes()))
+								.map(|x| x.map(|x| webpki::anchor_from_trusted_cert(&x).map(|x| x.to_owned())))
+								.collect::<Vec<_>>()
+						})
+						.collect();
+					let pems = pems.map_err(EpoxyError::Pemfile)??;
+					let certstore = RootCertStore::from_iter(pems.into_iter().chain(TLS_SERVER_ROOTS.iter().cloned()));
+				} else {
+					let certstore = RootCertStore::from_iter(TLS_SERVER_ROOTS.iter().cloned());
+				}
 			}
+			ClientConfig::builder().with_root_certificates(certstore)
 		}
-
-		let client_config = ClientConfig::builder()
-			.with_root_certificates(certstore)
-			.with_no_client_auth();
+		.with_no_client_auth();
 		let client_config = Arc::new(client_config);

 		Ok(Self {