Can specify custom server root certificate for client

This commit is contained in:
Pierre HUBERT 2022-08-31 10:59:07 +02:00
parent 3b2866fa6a
commit 723ed5e390
5 changed files with 128 additions and 20 deletions

1
.gitignore vendored
View File

@ -2,3 +2,4 @@ target
.idea .idea
*.crt *.crt
*.key *.key
pki

41
Cargo.lock generated
View File

@ -837,6 +837,21 @@ dependencies = [
"want", "want",
] ]
[[package]]
name = "hyper-rustls"
version = "0.23.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d87c48c02e0dc5e3b849a2041db3029fd066650f8f717c07bf8ed78ccb895cac"
dependencies = [
"http",
"hyper",
"log",
"rustls",
"rustls-native-certs",
"tokio",
"tokio-rustls",
]
[[package]] [[package]]
name = "hyper-tls" name = "hyper-tls"
version = "0.5.0" version = "0.5.0"
@ -1279,6 +1294,7 @@ dependencies = [
"http", "http",
"http-body", "http-body",
"hyper", "hyper",
"hyper-rustls",
"hyper-tls", "hyper-tls",
"ipnet", "ipnet",
"js-sys", "js-sys",
@ -1288,16 +1304,20 @@ dependencies = [
"native-tls", "native-tls",
"percent-encoding", "percent-encoding",
"pin-project-lite", "pin-project-lite",
"rustls",
"rustls-pemfile",
"serde", "serde",
"serde_json", "serde_json",
"serde_urlencoded", "serde_urlencoded",
"tokio", "tokio",
"tokio-native-tls", "tokio-native-tls",
"tokio-rustls",
"tower-service", "tower-service",
"url", "url",
"wasm-bindgen", "wasm-bindgen",
"wasm-bindgen-futures", "wasm-bindgen-futures",
"web-sys", "web-sys",
"webpki-roots",
"winreg", "winreg",
] ]
@ -1337,6 +1357,18 @@ dependencies = [
"webpki", "webpki",
] ]
[[package]]
name = "rustls-native-certs"
version = "0.6.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0167bac7a9f490495f3c33013e7722b53cb087ecbe082fb0c6387c96f634ea50"
dependencies = [
"openssl-probe",
"rustls-pemfile",
"schannel",
"security-framework",
]
[[package]] [[package]]
name = "rustls-pemfile" name = "rustls-pemfile"
version = "1.0.1" version = "1.0.1"
@ -1537,8 +1569,11 @@ dependencies = [
"clap", "clap",
"env_logger", "env_logger",
"futures", "futures",
"hyper-rustls",
"log", "log",
"reqwest", "reqwest",
"rustls",
"rustls-pemfile",
"tokio", "tokio",
"tokio-tungstenite", "tokio-tungstenite",
"urlencoding", "urlencoding",
@ -1706,8 +1741,12 @@ checksum = "f714dd15bead90401d77e04243611caec13726c2408afd5b31901dfcdcb3b181"
dependencies = [ dependencies = [
"futures-util", "futures-util",
"log", "log",
"rustls",
"rustls-native-certs",
"tokio", "tokio",
"tokio-rustls",
"tungstenite", "tungstenite",
"webpki",
] ]
[[package]] [[package]]
@ -1770,10 +1809,12 @@ dependencies = [
"httparse", "httparse",
"log", "log",
"rand", "rand",
"rustls",
"sha-1", "sha-1",
"thiserror", "thiserror",
"url", "url",
"utf-8", "utf-8",
"webpki",
] ]
[[package]] [[package]]

View File

@ -8,8 +8,11 @@ base = { path = "../base" }
clap = { version = "3.2.18", features = ["derive", "env"] } clap = { version = "3.2.18", features = ["derive", "env"] }
log = "0.4.17" log = "0.4.17"
env_logger = "0.9.0" env_logger = "0.9.0"
reqwest = { version = "0.11", features = ["json"] } reqwest = { version = "0.11", features = ["json", "rustls-tls"] }
tokio = { version = "1", features = ["full"] } tokio = { version = "1", features = ["full"] }
futures = "0.3.24" futures = "0.3.24"
tokio-tungstenite = "0.17.2" tokio-tungstenite = { version = "0.17.2", features = ["__rustls-tls", "rustls-tls-native-roots"] }
urlencoding = "2.1.0" urlencoding = "2.1.0"
rustls = { version = "0.20.6" }
hyper-rustls = { version = "0.23.0", features = ["rustls-native-certs"] }
rustls-pemfile = { version = "1.0.1" }

View File

@ -1,7 +1,9 @@
use std::error::Error;
use std::sync::Arc; use std::sync::Arc;
use clap::Parser; use clap::Parser;
use futures::future::join_all; use futures::future::join_all;
use reqwest::Certificate;
use base::RemoteConfig; use base::RemoteConfig;
use tcp_relay_client::relay_client::relay_client; use tcp_relay_client::relay_client::relay_client;
@ -21,6 +23,35 @@ pub struct Args {
/// Listen address /// Listen address
#[clap(short, long, default_value = "127.0.0.1")] #[clap(short, long, default_value = "127.0.0.1")]
pub listen_address: String, pub listen_address: String,
/// Optional root certificate to use for server authentication
#[clap(short = 'c', long)]
pub root_certificate: Option<String>,
}
async fn get_server_config(config: &Args, root_cert: &Option<Vec<u8>>) -> Result<RemoteConfig, Box<dyn Error>> {
let url = format!("{}/config", config.relay_url);
log::info!("Retrieving configuration on {}", url);
let mut client = reqwest::Client::builder();
// Specify root certificate, if any was specified in the command line
if let Some(cert) = root_cert {
client = client.add_root_certificate(Certificate::from_pem(cert)?);
}
let client = client.build().expect("Failed to build reqwest client");
let req = client.get(url)
.header("Authorization", format!("Bearer {}", config.token))
.send()
.await?;
if req.status().as_u16() != 200 {
log::error!("Could not retrieve configuration! (got status {})", req.status());
std::process::exit(2);
}
Ok(req.json::<RemoteConfig>().await?)
} }
#[tokio::main] #[tokio::main]
@ -30,19 +61,11 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
let args: Args = Args::parse(); let args: Args = Args::parse();
let args = Arc::new(args); let args = Arc::new(args);
let root_cert = args.root_certificate.as_ref().map(|c| std::fs::read(c)
.expect("Failed to read root certificate!"));
// Get server relay configuration (fetch the list of port to forward) // Get server relay configuration (fetch the list of port to forward)
let url = format!("{}/config", args.relay_url); let conf = get_server_config(&args, &root_cert).await?;
log::info!("Retrieving configuration on {}", url);
let req = reqwest::Client::new().get(url)
.header("Authorization", format!("Bearer {}", args.token))
.send()
.await?;
if req.status().as_u16() != 200 {
log::error!("Could not retrieve configuration! (got status {})", req.status());
std::process::exit(2);
}
let conf = req.json::<RemoteConfig>()
.await?;
// Start to listen port // Start to listen port
let mut handles = vec![]; let mut handles = vec![];
@ -54,6 +77,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
args.relay_url, port.id, urlencoding::encode(&args.token)) args.relay_url, port.id, urlencoding::encode(&args.token))
.replace("http", "ws"), .replace("http", "ws"),
listen_address, listen_address,
root_cert.clone(),
)); ));
handles.push(h); handles.push(h);
} }

View File

@ -1,9 +1,14 @@
use std::io::Cursor;
use std::sync::Arc;
use futures::{SinkExt, StreamExt}; use futures::{SinkExt, StreamExt};
use hyper_rustls::ConfigBuilderExt;
use rustls::{Certificate, RootCertStore};
use tokio::io::{AsyncReadExt, AsyncWriteExt}; use tokio::io::{AsyncReadExt, AsyncWriteExt};
use tokio::net::{TcpListener, TcpStream}; use tokio::net::{TcpListener, TcpStream};
use tokio_tungstenite::tungstenite::Message; use tokio_tungstenite::tungstenite::Message;
pub async fn relay_client(ws_url: String, listen_address: String) { pub async fn relay_client(ws_url: String, listen_address: String, root_cert: Option<Vec<u8>>) {
log::info!("Start to listen on {}", listen_address); log::info!("Start to listen on {}", listen_address);
let listener = match TcpListener::bind(&listen_address).await { let listener = match TcpListener::bind(&listen_address).await {
Ok(l) => l, Ok(l) => l,
@ -17,7 +22,7 @@ pub async fn relay_client(ws_url: String, listen_address: String) {
let (socket, _) = listener.accept().await let (socket, _) = listener.accept().await
.expect("Failed to accept new connection!"); .expect("Failed to accept new connection!");
tokio::spawn(relay_connection(ws_url.clone(), socket)); tokio::spawn(relay_connection(ws_url.clone(), socket, root_cert.clone()));
} }
} }
@ -25,11 +30,45 @@ pub async fn relay_client(ws_url: String, listen_address: String) {
/// ///
/// WS read => TCP write /// WS read => TCP write
/// TCP read => WS write /// TCP read => WS write
async fn relay_connection(ws_url: String, socket: TcpStream) { async fn relay_connection(ws_url: String, socket: TcpStream, root_cert: Option<Vec<u8>>) {
log::debug!("Connecting to {}...", ws_url); log::debug!("Connecting to {}...", ws_url);
let ws_stream = if ws_url.starts_with("wss") {
let config = rustls::ClientConfig::builder()
.with_safe_defaults();
let config = match root_cert {
None => config.with_native_roots(),
Some(cert) => {
log::debug!("Using custom root certificates");
let mut store = RootCertStore::empty();
rustls_pemfile::certs(&mut Cursor::new(cert))
.expect("Failed to parse root certificates!")
.into_iter()
.map(Certificate)
.for_each(|c| store.add(&c).expect("Failed to add certificate to chain!"));
config.with_root_certificates(store)
}
};
let config = config.with_no_client_auth();
let connector = tokio_tungstenite::Connector::Rustls(Arc::new(config));
let (ws_stream, _) = tokio_tungstenite::connect_async_tls_with_config(
ws_url,
None,
Some(connector))
.await.expect("Failed to connect to server relay!");
ws_stream
} else {
let (ws_stream, _) = tokio_tungstenite::connect_async(ws_url) let (ws_stream, _) = tokio_tungstenite::connect_async(ws_url)
.await.expect("Failed to connect to server relay!"); .await.expect("Failed to connect to server relay!");
ws_stream
};
let (mut tcp_read, mut tcp_write) = socket.into_split(); let (mut tcp_read, mut tcp_write) = socket.into_split();
let (mut ws_write, mut ws_read) = let (mut ws_write, mut ws_read) =