Merge pull request #1028 from sozu-proxy/devel/fdubois/fix/tls

fix(tls): certificate replacement and remove is still-in-use security
sozu-proxy · Nov 15, 2023 · cfe32cc · cfe32cc
2 parents 7f46b73 + cc12789
commit cfe32cc
Show file tree

Hide file tree

Showing 6 changed files with 104 additions and 103 deletions.
diff --git a/command/src/certificate.rs b/command/src/certificate.rs
@@ -1,6 +1,6 @@
 use std::{collections::HashSet, fmt, str::FromStr};
 
-use hex::FromHex;
+use hex::{FromHex, FromHexError};
 use serde::de::{self, Visitor};
 use sha2::{Digest, Sha256};
 use x509_parser::{
@@ -22,6 +22,8 @@ pub enum CertificateError {
     InvalidCertificate(String),
     #[error("failed to parse tls version '{0}'")]
     InvalidTlsVersion(String),
+    #[error("failed to parse fingerprint, {0}")]
+    InvalidFingerprint(FromHexError),
 }
 
 // -----------------------------------------------------------------------------
@@ -101,6 +103,16 @@ impl FromStr for TlsVersion {
 #[derive(Clone, PartialEq, Eq, Hash, PartialOrd, Ord)]
 pub struct Fingerprint(pub Vec<u8>);
 
+impl FromStr for Fingerprint {
+    type Err = CertificateError;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        hex::decode(s)
+            .map_err(CertificateError::InvalidFingerprint)
+            .map(Fingerprint)
+    }
+}
+
 impl fmt::Debug for Fingerprint {
     fn fmt(&self, f: &mut fmt::Formatter) -> Result<(), fmt::Error> {
         write!(f, "CertificateFingerprint({})", hex::encode(&self.0))

diff --git a/lib/src/https.rs b/lib/src/https.rs
@@ -62,7 +62,7 @@ use crate::{
     server::{ListenSession, ListenToken, ProxyChannel, Server, SessionManager, SessionToken},
     socket::{server_bind, FrontRustls},
     timer::TimeoutContainer,
-    tls::{MutexWrappedCertificateResolver, ResolveCertificate, StoredCertificate},
+    tls::{CertifiedKeyWrapper, MutexWrappedCertificateResolver, ResolveCertificate},
     util::UnwrapLog,
     AcceptError, CachedTags, FrontendFromRequestError, L7ListenerHandler, L7Proxy, ListenerError,
     ListenerHandler, Protocol, ProxyConfiguration, ProxyError, ProxySession, SessionIsToBeClosed,
@@ -600,7 +600,7 @@ impl L7ListenerHandler for HttpsListener {
 impl ResolveCertificate for HttpsListener {
     type Error = ListenerError;
 
-    fn get_certificate(&self, fingerprint: &Fingerprint) -> Option<StoredCertificate> {
+    fn get_certificate(&self, fingerprint: &Fingerprint) -> Option<CertifiedKeyWrapper> {
         let resolver = self
             .resolver
             .0

diff --git a/lib/src/router/trie.rs b/lib/src/router/trie.rs
@@ -21,6 +21,7 @@ fn find_last_dot(input: &[u8]) -> Option<usize> {
     (0..input.len()).rev().find(|&i| input[i] == b'.')
 }
 
+/// A custom implementation of the [Trie data structure](https://www.wikiwand.com/en/Trie)
 #[derive(Debug, PartialEq)]
 pub struct TrieNode<V> {
     key_value: Option<KeyValue<Key, V>>,