mercuryworkshop-mirror/epoxy-tls
1
0
Fork 0
mirror of https://github.com/MercuryWorkshop/epoxy-tls.git synced 2025-05-13 06:20:02 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

remove disable cert verification because it panics

Browse source
This commit is contained in:
Toshit Chawda 2024-08-31 20:38:52 -07:00
parent 55e1ef92bf
commit f0293c53f1
No known key found for this signature in database
GPG key ID: 91480ED99E2B3D9D
4 changed files with 19 additions and 91 deletions
Download patch file Download diff file Expand all files Collapse all files

10
client/build.sh
View file

@ -23,10 +23,11 @@ else
WASMOPTFLAGS="" WASMOPTFLAGS=""
fi fi
mv out/epoxy_client_bg.wasm out/epoxy_client_unoptimized.wasm if [ "${RELEASE:-0}" = "1" ]; then
( mv out/epoxy_client_bg.wasm out/epoxy_client_unoptimized.wasm
(
G="--generate-global-effects" G="--generate-global-effects"
time wasm-opt $WASMOPTFLAGS --enable-threads --enable-bulk-memory --traps-never-happen \ time wasm-opt $WASMOPTFLAGS --enable-threads --enable-bulk-memory \
out/epoxy_client_unoptimized.wasm -o out/epoxy_client_bg.wasm \ out/epoxy_client_unoptimized.wasm -o out/epoxy_client_bg.wasm \
--converge \ --converge \
$G --type-unfinalizing $G --type-ssa $G -O4 $G --flatten $G --rereloop $G -O4 $G -O4 $G --type-merging $G --type-finalizing $G -O4 \ $G --type-unfinalizing $G --type-ssa $G -O4 $G --flatten $G --rereloop $G -O4 $G -O4 $G --type-merging $G --type-finalizing $G -O4 \
@ -34,7 +35,8 @@ mv out/epoxy_client_bg.wasm out/epoxy_client_unoptimized.wasm
$G --abstract-type-refining $G --code-folding $G --const-hoisting $G --dae $G --flatten $G --dfo $G --merge-locals $G --merge-similar-functions --type-finalizing \ $G --abstract-type-refining $G --code-folding $G --const-hoisting $G --dae $G --flatten $G --dfo $G --merge-locals $G --merge-similar-functions --type-finalizing \
$G --type-unfinalizing $G --type-ssa $G -O4 $G --flatten $G --rereloop $G -O4 $G -O4 $G --type-merging $G --type-finalizing $G -O4 \ $G --type-unfinalizing $G --type-ssa $G -O4 $G --flatten $G --rereloop $G -O4 $G -O4 $G --type-merging $G --type-finalizing $G -O4 \
$G --type-unfinalizing $G --type-ssa $G -Oz $G --flatten $G --rereloop $G -Oz $G -Oz $G --type-merging $G --type-finalizing $G -Oz $G --type-unfinalizing $G --type-ssa $G -Oz $G --flatten $G --rereloop $G -Oz $G -Oz $G --type-merging $G --type-finalizing $G -Oz
) )
fi
echo "[epx] wasm-opt finished" echo "[epx] wasm-opt finished"
# === js === # === js ===

4
client/src/lib.rs
View file

@ -194,7 +194,6 @@ pub struct EpoxyClientOptions {
pub redirect_limit: usize, pub redirect_limit: usize,
#[wasm_bindgen(getter_with_clone)] #[wasm_bindgen(getter_with_clone)]
pub user_agent: String, pub user_agent: String,
pub disable_certificate_validation: bool,
#[cfg(feature = "full")] #[cfg(feature = "full")]
#[wasm_bindgen(getter_with_clone)] #[wasm_bindgen(getter_with_clone)]
pub pem_files: Vec<String>, pub pem_files: Vec<String>,
@ -216,7 +215,6 @@ impl Default for EpoxyClientOptions {
websocket_protocols: Vec::new(), websocket_protocols: Vec::new(),
redirect_limit: 10, redirect_limit: 10,
user_agent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36".to_string(), user_agent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36".to_string(),
disable_certificate_validation: false,
#[cfg(feature = "full")] #[cfg(feature = "full")]
pem_files: Vec::new(), pem_files: Vec::new(),
} }
@ -350,7 +348,7 @@ impl EpoxyClient {
client, client,
redirect_limit: options.redirect_limit, redirect_limit: options.redirect_limit,
user_agent: options.user_agent, user_agent: options.user_agent,
certs_tampered: options.disable_certificate_validation || !options.pem_files.is_empty(), certs_tampered: !options.pem_files.is_empty(),
}) })
} }

13
client/src/stream_provider.rs
View file

@ -87,18 +87,9 @@ impl StreamProvider {
} }
} }
let client_config = if options.disable_certificate_validation { let client_config = ClientConfig::builder()
ClientConfig::builder()
.dangerous()
.with_custom_certificate_verifier(Arc::new(NoCertificateVerification(
default_provider(),
)))
.with_no_client_auth()
} else {
ClientConfig::builder()
.with_root_certificates(certstore) .with_root_certificates(certstore)
.with_no_client_auth() .with_no_client_auth();
};
let client_config = Arc::new(client_config); let client_config = Arc::new(client_config);
Ok(Self { Ok(Self {

65
client/src/utils.rs
View file

@ -6,21 +6,12 @@ use std::{
use async_trait::async_trait; use async_trait::async_trait;
use bytes::{buf::UninitSlice, BufMut, Bytes, BytesMut}; use bytes::{buf::UninitSlice, BufMut, Bytes, BytesMut};
use futures_rustls::{ use futures_rustls::TlsStream;
rustls::{
self,
client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider},
DigitallySignedStruct,
},
TlsStream,
};
use futures_util::{ready, AsyncRead, AsyncWrite, Future, Stream, StreamExt, TryStreamExt}; use futures_util::{ready, AsyncRead, AsyncWrite, Future, Stream, StreamExt, TryStreamExt};
use http::{HeaderValue, Uri}; use http::{HeaderValue, Uri};
use hyper::{body::Body, rt::Executor}; use hyper::{body::Body, rt::Executor};
use js_sys::{Array, ArrayBuffer, JsString, Object, Uint8Array}; use js_sys::{Array, ArrayBuffer, JsString, Object, Uint8Array};
use pin_project_lite::pin_project; use pin_project_lite::pin_project;
use rustls_pki_types::{CertificateDer, ServerName, UnixTime};
use send_wrapper::SendWrapper; use send_wrapper::SendWrapper;
use wasm_bindgen::{prelude::*, JsCast, JsValue}; use wasm_bindgen::{prelude::*, JsCast, JsValue};
use wasm_bindgen_futures::JsFuture; use wasm_bindgen_futures::JsFuture;
@ -314,60 +305,6 @@ impl AsyncWrite for IgnoreCloseNotify {
} }
} }
#[derive(Debug)]
pub(crate) struct NoCertificateVerification(pub CryptoProvider);
impl NoCertificateVerification {
pub fn new(provider: CryptoProvider) -> Self {
Self(provider)
}
}
impl ServerCertVerifier for NoCertificateVerification {
fn verify_server_cert(
&self,
_end_entity: &CertificateDer<'_>,
_intermediates: &[CertificateDer<'_>],
_server_name: &ServerName<'_>,
_ocsp: &[u8],
_now: UnixTime,
) -> Result<ServerCertVerified, rustls::Error> {
Ok(rustls::client::danger::ServerCertVerified::assertion())
}
fn verify_tls12_signature(
&self,
message: &[u8],
cert: &CertificateDer<'_>,
dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, rustls::Error> {
verify_tls12_signature(
message,
cert,
dss,
&self.0.signature_verification_algorithms,
)
}
fn verify_tls13_signature(
&self,
message: &[u8],
cert: &CertificateDer<'_>,
dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, rustls::Error> {
verify_tls13_signature(
message,
cert,
dss,
&self.0.signature_verification_algorithms,
)
}
fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
self.0.signature_verification_algorithms.supported_schemes()
}
}
pub fn is_redirect(code: u16) -> bool { pub fn is_redirect(code: u16) -> bool {
[301, 302, 303, 307, 308].contains(&code) [301, 302, 303, 307, 308].contains(&code)
} }