aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel García <[email protected]>2020-07-14 23:44:01 +0200
committerDaniel García <[email protected]>2020-07-15 00:00:03 +0200
commit1e950c7dbc8bfaca0df4fd2d97d12e8b7d1fbc55 (patch)
tree1c22f7311005cfe2de3d0f89fb26f13eb445ff0b
parentf14e19a3d82c0171a85b5909e97f733a4615597c (diff)
downloadvaultwarden-1e950c7dbc8bfaca0df4fd2d97d12e8b7d1fbc55.tar.gz
vaultwarden-1e950c7dbc8bfaca0df4fd2d97d12e8b7d1fbc55.zip
Replace IP support in preparation for compiling on stable, included some tests to check that the code matches the unstable implementation
-rw-r--r--Cargo.toml4
-rw-r--r--rust-toolchain2
-rw-r--r--src/api/icons.rs102
-rw-r--r--src/main.rs2
4 files changed, 106 insertions, 4 deletions
diff --git a/Cargo.toml b/Cargo.toml
index fcd24994..728798a5 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -17,6 +17,10 @@ mysql = ["diesel/mysql", "diesel_migrations/mysql"]
postgresql = ["diesel/postgres", "diesel_migrations/postgres"]
sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "libsqlite3-sys"]
+# Enable unstable features, requires nightly
+# Currently only used to enable rusts official ip support
+unstable = []
+
[target."cfg(not(windows))".dependencies]
syslog = "4.0.1"
diff --git a/rust-toolchain b/rust-toolchain
index 8ce9a45d..61e88e64 100644
--- a/rust-toolchain
+++ b/rust-toolchain
@@ -1 +1 @@
-nightly-2020-07-03 \ No newline at end of file
+nightly-2020-07-11 \ No newline at end of file
diff --git a/src/api/icons.rs b/src/api/icons.rs
index f51815e4..5653bb1c 100644
--- a/src/api/icons.rs
+++ b/src/api/icons.rs
@@ -1,7 +1,7 @@
use std::{
fs::{create_dir_all, remove_file, symlink_metadata, File},
io::prelude::*,
- net::ToSocketAddrs,
+ net::{IpAddr, ToSocketAddrs},
time::{Duration, SystemTime},
};
@@ -63,13 +63,111 @@ fn icon(domain: String) -> Cached<Content<Vec<u8>>> {
Cached::long(Content(icon_type, get_icon(&domain)))
}
+/// TODO: This is extracted from IpAddr::is_global, which is unstable:
+/// https://doc.rust-lang.org/nightly/std/net/enum.IpAddr.html#method.is_global
+/// Remove once https://github.com/rust-lang/rust/issues/27709 is merged
+#[cfg(not(feature = "unstable"))]
+fn is_global(ip: IpAddr) -> bool {
+ match ip {
+ IpAddr::V4(ip) => {
+ // check if this address is 192.0.0.9 or 192.0.0.10. These addresses are the only two
+ // globally routable addresses in the 192.0.0.0/24 range.
+ if u32::from(ip) == 0xc0000009 || u32::from(ip) == 0xc000000a {
+ return true;
+ }
+ !ip.is_private()
+ && !ip.is_loopback()
+ && !ip.is_link_local()
+ && !ip.is_broadcast()
+ && !ip.is_documentation()
+ && !(ip.octets()[0] == 100 && (ip.octets()[1] & 0b1100_0000 == 0b0100_0000))
+ && !(ip.octets()[0] == 192 && ip.octets()[1] == 0 && ip.octets()[2] == 0)
+ && !(ip.octets()[0] & 240 == 240 && !ip.is_broadcast())
+ && !(ip.octets()[0] == 198 && (ip.octets()[1] & 0xfe) == 18)
+ // Make sure the address is not in 0.0.0.0/8
+ && ip.octets()[0] != 0
+ }
+ IpAddr::V6(ip) => {
+ if ip.is_multicast() && ip.segments()[0] & 0x000f == 14 {
+ true
+ } else {
+ !ip.is_multicast()
+ && !ip.is_loopback()
+ && !((ip.segments()[0] & 0xffc0) == 0xfe80)
+ && !((ip.segments()[0] & 0xfe00) == 0xfc00)
+ && !ip.is_unspecified()
+ && !((ip.segments()[0] == 0x2001) && (ip.segments()[1] == 0xdb8))
+ }
+ }
+ }
+}
+
+#[cfg(feature = "unstable")]
+fn is_global(ip: IpAddr) -> bool {
+ ip.is_global()
+}
+
+/// These are some tests to check that the implementations match
+/// The IPv4 can be all checked in 5 mins or so and they are correct as of nightly 2020-07-11
+/// The IPV6 can't be checked in a reasonable time, so we check about ten billion random ones, so far correct
+/// Note that the is_global implementation is subject to change as new IP RFCs are created
+///
+/// To run while showing progress output:
+/// cargo test --features sqlite,unstable -- --nocapture --ignored
+#[cfg(test)]
+#[cfg(feature = "unstable")]
+mod tests {
+ use super::*;
+
+ #[test]
+ #[ignore]
+ fn test_ipv4_global() {
+ for a in 0..u8::MAX {
+ println!("Iter: {}/255", a);
+ for b in 0..u8::MAX {
+ for c in 0..u8::MAX {
+ for d in 0..u8::MAX {
+ let ip = IpAddr::V4(std::net::Ipv4Addr::new(a, b, c, d));
+ assert_eq!(ip.is_global(), is_global(ip))
+ }
+ }
+ }
+ }
+ }
+
+ #[test]
+ #[ignore]
+ fn test_ipv6_global() {
+ use ring::rand::{SecureRandom, SystemRandom};
+ let mut v = [0u8; 16];
+ let rand = SystemRandom::new();
+ for i in 0..1_000 {
+ println!("Iter: {}/1_000", i);
+ for _ in 0..10_000_000 {
+ rand.fill(&mut v).expect("Error generating random values");
+ let ip = IpAddr::V6(std::net::Ipv6Addr::new(
+ (v[14] as u16) << 8 | v[15] as u16,
+ (v[12] as u16) << 8 | v[13] as u16,
+ (v[10] as u16) << 8 | v[11] as u16,
+ (v[8] as u16) << 8 | v[9] as u16,
+ (v[6] as u16) << 8 | v[7] as u16,
+ (v[4] as u16) << 8 | v[5] as u16,
+ (v[2] as u16) << 8 | v[3] as u16,
+ (v[0] as u16) << 8 | v[1] as u16,
+ ));
+ assert_eq!(ip.is_global(), is_global(ip))
+ }
+ }
+ }
+}
+
fn check_icon_domain_is_blacklisted(domain: &str) -> bool {
let mut is_blacklisted = CONFIG.icon_blacklist_non_global_ips()
&& (domain, 0)
.to_socket_addrs()
.map(|x| {
for ip_port in x {
- if !ip_port.ip().is_global() {
+ if !is_global(ip_port.ip()) {
warn!("IP {} for domain '{}' is not a global IP!", ip_port.ip(), domain);
return true;
}
diff --git a/src/main.rs b/src/main.rs
index eeca0ff1..4c7a6187 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,5 +1,5 @@
#![forbid(unsafe_code)]
-#![feature(proc_macro_hygiene, ip)]
+#![cfg_attr(feature = "unstable", feature(ip))]
#![recursion_limit = "256"]
extern crate openssl;