feat: verifyPeer now rejects if no client certificate provided

tegefaulkes · tegefaulkes · commit c0e645590cf5 · 2023-04-24T17:03:43.000+10:00
* Related #9 [ci skip]
diff --git a/index.d.ts b/index.d.ts
@@ -132,7 +132,7 @@ export function retry(scid: Uint8Array, dcid: Uint8Array, newScid: Uint8Array, t
 export function versionIsSupported(version: number): boolean
 export class Config {
   constructor()
-  static withBoringSslCtx(certPem?: Uint8Array | undefined | null, keyPem?: Uint8Array | undefined | null, supportedKeyAlgos?: string | undefined | null, caCertPem?: Uint8Array | undefined | null): Config
+  static withBoringSslCtx(certPem: Uint8Array | undefined | null, keyPem: Uint8Array | undefined | null, supportedKeyAlgos: string | undefined | null, caCertPem: Uint8Array | undefined | null, verifyPeer: boolean): Config
   loadCertChainFromPemFile(file: string): void
   loadPrivKeyFromPemFile(file: string): void
   loadVerifyLocationsFromFile(file: string): void
diff --git a/src/QUICConnection.ts b/src/QUICConnection.ts
@@ -47,6 +47,8 @@ class QUICConnection extends EventTarget {
   public readonly establishedP: Promise<void>;
   protected resolveEstablishedP: () => void;
   protected rejectEstablishedP: (reason?: any) => void;
+  public readonly handshakeP: Promise<void>;
+  protected resolveHandshakeP: () => void;
 
   protected logger: Logger;
   protected socket: QUICSocket;
@@ -224,6 +226,9 @@ class QUICConnection extends EventTarget {
     const { p: closedP, resolveP: resolveClosedP } = utils.promise();
     this.resolveCloseP = resolveClosedP;
     this.closedP = closedP;
+    const { p: handshakeP, resolveP: resolveHandshakeP } = utils.promise();
+    this.handshakeP = handshakeP;
+    this.resolveHandshakeP = resolveHandshakeP;
   }
 
   // Immediately call this after construction
@@ -262,6 +267,8 @@ class QUICConnection extends EventTarget {
     errorMessage?: string;
   } = {}) {
     this.logger.info(`Destroy ${this.constructor.name}`);
+    // Console.log(this.conn.localError())
+    // console.log(this.conn.peerError())
     for (const stream of this.streamMap.values()) {
       await stream.destroy();
     }
@@ -341,6 +348,7 @@ class QUICConnection extends EventTarget {
         this.logger.debug(`Did a recv ${data.byteLength}`);
         this.conn.recv(data, recvInfo);
       } catch (e) {
+        console.error(e);
         this.logger.error(e.message);
         // Depending on the exception, the `this.conn.recv`
         // may have automatically started closing the connection
@@ -415,6 +423,9 @@ class QUICConnection extends EventTarget {
       }
     } finally {
       this.logger.debug('RECV FINALLY');
+      this.logger.debug(
+        ` ________ ED: ${this.conn.isInEarlyData()} TO: ${this.conn.isTimedOut()} EST: ${this.conn.isEstablished()}`,
+      );
 
       // Set the timeout
       this.checkTimeout();
@@ -534,6 +545,9 @@ class QUICConnection extends EventTarget {
       }
     } finally {
       this.logger.debug('SEND FINALLY');
+      this.logger.debug(
+        ` ________ ED: ${this.conn.isInEarlyData()} TO: ${this.conn.isTimedOut()} EST: ${this.conn.isEstablished()}`,
+      );
       this.checkTimeout();
       this.logger.debug(
         `state are draining: ${this.conn.isDraining()}, closed: ${this.conn.isClosed()}`,
diff --git a/src/config.ts b/src/config.ts
@@ -94,6 +94,7 @@ function buildQuicheConfig(config: QUICConfig): QuicheConfig {
     privKeyPem,
     config.supportedPrivateKeyAlgos ?? null,
     config.verifyPem != null ? Buffer.from(config.verifyPem) : null,
+    config.verifyPeer,
   );
   if (config.tlsConfig != null && 'certChainFromPemFile' in config.tlsConfig) {
     if (config.tlsConfig?.certChainFromPemFile != null) {
@@ -114,8 +115,6 @@ function buildQuicheConfig(config: QUICConfig): QuicheConfig {
   if (config.enableEarlyData) {
     quicheConfig.enableEarlyData();
   }
-
-  quicheConfig.verifyPeer(config.verifyPeer);
   quicheConfig.grease(config.grease);
   quicheConfig.setMaxIdleTimeout(config.maxIdleTimeout);
   quicheConfig.setMaxRecvUdpPayloadSize(config.maxRecvUdpPayloadSize);
diff --git a/src/native/napi/config.rs b/src/native/napi/config.rs
@@ -52,12 +52,16 @@ impl Config {
     key_pem: Option<Uint8Array>,
     supported_key_algos: Option<String>,
     ca_cert_pem: Option<Uint8Array>,
+    verify_peer: bool,
   ) -> Result<Self> {
     let mut ssl_ctx_builder = boring::ssl::SslContextBuilder::new(
       boring::ssl::SslMethod::tls(),
     ).or_else(
       |err| Err(Error::from_reason(err.to_string()))
     )?;
+    let verify_value = if verify_peer {boring::ssl::SslVerifyMode::PEER | boring::ssl::SslVerifyMode::FAIL_IF_NO_PEER_CERT }
+    else { boring::ssl::SslVerifyMode::NONE };
+    ssl_ctx_builder.set_verify(verify_value);
     // Processing and adding the cert chain
     if let Some(cert_pem) = cert_pem {
       let x509_cert_chain = boring::x509::X509::stack_from_pem(
diff --git a/src/native/types.ts b/src/native/types.ts
@@ -48,6 +48,7 @@ interface ConfigConstructor {
     keyPem: Uint8Array | null,
     supportedKeyAlgos: string | null,
     ca_cert_pem: Uint8Array | null,
+    verify_peer: boolean,
   ): Config;
 }
 
diff --git a/tests/QUICClient.test.ts b/tests/QUICClient.test.ts
@@ -397,7 +397,6 @@ describe(QUICClient.name, () => {
             verifyPeer: false,
           },
         });
-        await handleConnectionEventProm.p;
         await client.destroy();
         await server.stop();
       },

Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,7 @@ interface ConfigConstructor {`
`48`	`48`	`keyPem: Uint8Array \| null,`
`49`	`49`	`supportedKeyAlgos: string \| null,`
`50`	`50`	`ca_cert_pem: Uint8Array \| null,`
	`51`	`+ verify_peer: boolean,`
`51`	`52`	`): Config;`
`52`	`53`	`}`
`53`	`54`