feat(dgw): TLS thumbprint anchoring (#1570)

Allow "unsecure" TLS if the client provides a thumbprint and the peer
certificate matches it.

Issue: DGW-318

Author: CBenoit

Cargo.lock

@@ -75,6 +75,9 @@ zeroize = { version = "1.8", features = ["derive"] }
 multibase = "0.9"
 argon2 = { version = "0.5", features = ["std"] }
 x509-cert = { version = "0.2", default-features = false, features = ["std"] }
+sha2 = "0.10"
+hex = "0.4"
+rustls-native-certs = "0.8"
 
 # Logging
 tracing = "0.1"

devolutions-gateway/Cargo.toml

@@ -243,12 +243,12 @@ where
         if with_tls {
             trace!("Establishing TLS connection with server");
 
-            // Establish TLS connection with server
-
-            let server_stream = crate::tls::connect(selected_target.host().to_owned(), server_stream)
-                .await
-                .context("TLS connect")
-                .map_err(ForwardError::BadGateway)?;
+            // Establish TLS connection with server.
+            let server_stream =
+                crate::tls::safe_connect(selected_target.host().to_owned(), server_stream, claims.cert_thumb256)
+                    .await
+                    .context("TLS connect")
+                    .map_err(ForwardError::BadGateway)?;
 
             info!("WebSocket-TLS forwarding");
 

devolutions-gateway/src/api/fwd.rs

@@ -339,6 +339,7 @@ pub(crate) async fn sign_session_token(
                 jet_reuse: ReconnectionPolicy::Disallowed,
                 exp,
                 jti,
+                cert_thumb256: None,
             }
             .pipe(serde_json::to_value)
             .map(|mut claims| {

devolutions-gateway/src/api/webapp.rs

@@ -256,7 +256,7 @@ async fn process_cleanpath(
 
     // Establish TLS connection with server
 
-    let server_stream = crate::tls::connect(selected_target.host().to_owned(), server_stream)
+    let server_stream = crate::tls::dangerous_connect(selected_target.host().to_owned(), server_stream)
         .await
         .map_err(|source| CleanPathError::TlsHandshake {
             source,

devolutions-gateway/src/rd_clean_path.rs

@@ -87,7 +87,7 @@ where
     // -- Perform the TLS upgrading for both the client and the server, effectively acting as a man-in-the-middle -- //
 
     let client_tls_upgrade_fut = tls_conf.acceptor.accept(client_stream);
-    let server_tls_upgrade_fut = crate::tls::connect(server_dns_name.clone(), server_stream);
+    let server_tls_upgrade_fut = crate::tls::dangerous_connect(server_dns_name.clone(), server_stream);
 
     let (client_stream, server_stream) = tokio::join!(client_tls_upgrade_fut, server_tls_upgrade_fut);
 
@@ -510,7 +510,7 @@ async fn get_cached_gateway_public_key(
 async fn retrieve_gateway_public_key(hostname: String, acceptor: tokio_rustls::TlsAcceptor) -> anyhow::Result<Vec<u8>> {
     let (client_side, server_side) = tokio::io::duplex(4096);
 
-    let connect_fut = crate::tls::connect(hostname, client_side);
+    let connect_fut = crate::tls::dangerous_connect(hostname, client_side);
     let accept_fut = acceptor.accept(server_side);
 
     let (connect_res, _) = tokio::join!(connect_fut, accept_fut);