Workaround for proxies with MITM root certificates

orthoxerox · Марьин Алексей Юрьевич · commit 946632f06809 · 2019-02-08T15:13:24.000+03:00
Added RUSTUP_USE_UNSAFE_SSL environment variable.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/README.md b/README.md
@@ -580,6 +580,13 @@ Command | Description
 - `RUSTUP_UPDATE_ROOT` (default `https://static.rust-lang.org/rustup`)
   Sets the root URL for downloading self-updates.
 
+- `RUSTUP_USE_UNSAFE_SSL` (default: none)
+  If set to "ACCEPT_RISKS", rustup will not validate the SSL certificate 
+  when downloading files. This parameter should be used only in exceptional
+  circumstances when your computer is behind a corporate proxy that injects
+  its own certificates into HTTPS connections and you're unable to add these 
+  certificates to your root set.
+
 ## Other installation methods
 
 The primary installation method, as described at
diff --git a/rustup-init.sh b/rustup-init.sh
@@ -385,13 +385,21 @@ downloader() {
     else
         _dld='curl or wget' # to be used in error message of need_cmd
     fi
+	
+	if [ "$RUSTUP_USE_UNSAFE_SSL" = "ACCEPT_RISKS" ]; then
+		_curl_unsafe = "--insecure"
+		_wget_unsafe = "--no-check-certificate"
+	else
+		_curl_unsafe = ""
+		_wget_unsafe = ""	
+	fi
 
     if [ "$1" = --check ]; then
         need_cmd "$_dld"
     elif [ "$_dld" = curl ]; then
-        curl -sSfL "$1" -o "$2"
+        curl -sSfL "$_curl_unsafe" "$1" -o "$2"
     elif [ "$_dld" = wget ]; then
-        wget "$1" -O "$2"
+        wget "$1" "$_wget_unsafe" -O "$2"
     else
         err "Unknown downloader"   # should not reach here
     fi
diff --git a/src/download/Cargo.toml b/src/download/Cargo.toml
@@ -26,3 +26,6 @@ reqwest = { version = "0.9", optional = true }
 futures = "0.1"
 hyper = "0.12"
 tempdir = "0.3.4"
+tokio = "0.1.11"
+tokio-tls = "0.2.1"
+native-tls = "0.2.1"
diff --git a/src/download/src/lib.rs b/src/download/src/lib.rs
@@ -10,6 +10,7 @@ extern crate lazy_static;
 #[cfg(feature = "reqwest-backend")]
 extern crate reqwest;
 
+use std::env;
 use std::path::Path;
 use url::Url;
 
@@ -128,6 +129,10 @@ pub fn download_to_path_with_backend(
     })
 }
 
+fn use_unsafe_ssl() -> bool {
+    env::var_os("RUSTUP_USE_UNSAFE_SSL").unwrap_or("NO".into()) == "ACCEPT_RISKS"
+}
+
 /// Download via libcurl; encrypt with the native (or OpenSSl) TLS
 /// stack via libcurl
 #[cfg(feature = "curl-backend")]
@@ -136,6 +141,7 @@ pub mod curl {
     extern crate curl;
 
     use self::curl::easy::Easy;
+    use super::use_unsafe_ssl;
     use super::Event;
     use crate::errors::*;
     use std::cell::RefCell;
@@ -175,6 +181,12 @@ pub mod curl {
                 .connect_timeout(Duration::new(30, 0))
                 .chain_err(|| "failed to set connect timeout")?;
 
+            if use_unsafe_ssl() {
+                handle
+                    .ssl_verify_peer(false)
+                    .chain_err(|| "failed to configure unsafe SSL mode")?;
+            }
+
             {
                 let cberr = RefCell::new(None);
                 let mut transfer = handle.transfer();
@@ -254,6 +266,7 @@ pub mod curl {
 pub mod reqwest_be {
     extern crate env_proxy;
 
+    use super::use_unsafe_ssl;
     use super::Event;
     use crate::errors::*;
     use reqwest::{header, Client, Proxy, Response};
@@ -302,6 +315,7 @@ pub mod reqwest_be {
                     .gzip(false)
                     .proxy(Proxy::custom(env_proxy))
                     .timeout(Duration::from_secs(30))
+                    .danger_accept_invalid_certs(use_unsafe_ssl())
                     .build()
             };
 
@@ -374,7 +388,7 @@ pub mod reqwest_be {
 pub mod curl {
 
     use super::Event;
-    use errors::*;
+    use crate::errors::*;
     use url::Url;
 
     pub fn download(
@@ -390,7 +404,7 @@ pub mod curl {
 pub mod reqwest_be {
 
     use super::Event;
-    use errors::*;
+    use crate::errors::*;
     use url::Url;
 
     pub fn download(
diff --git a/src/download/tests/download-curl-resume.rs b/src/download/tests/download-curl-resume.rs
@@ -34,7 +34,7 @@ fn callback_gets_all_data_as_if_the_download_happened_all_at_once() {
     let target_path = tmpdir.path().join("downloaded");
     write_file(&target_path, "123");
 
-    let addr = serve_file(b"xxx45".to_vec());
+    let addr = serve_file(b"xxx45".to_vec(), false);
 
     let from_url = format!("http://{}", addr).parse().unwrap();
 
diff --git a/src/download/tests/download-curl-safe.rs b/src/download/tests/download-curl-safe.rs
@@ -0,0 +1,62 @@
+#![cfg(feature = "curl-backend")]
+
+use download::*;
+
+mod support;
+use crate::support::{file_contents, serve_file, tmp_dir};
+
+// There are two separate files because this crate caches curl handles
+// and all tests in one file use either the safe or the unsafe handle.
+// See download-curl-unsafe.rs for the complementary test case.
+
+#[test]
+fn downloading_with_no_certificate() {
+    let tmpdir = tmp_dir();
+    let target_path = tmpdir.path().join("downloaded");
+
+    let addr = serve_file(b"12345".to_vec(), false);
+    let from_url = format!("http://{}", addr).parse().unwrap();
+
+    download_to_path_with_backend(Backend::Curl, &from_url, &target_path, false, None)
+        .expect("Test download failed");
+
+    assert_eq!(file_contents(&target_path), "12345");
+}
+
+#[test]
+#[should_panic]
+fn downloading_with_bad_certificate() {
+    let tmpdir = tmp_dir();
+    let target_path = tmpdir.path().join("downloaded");
+
+    let addr = serve_file(b"12345".to_vec(), true);
+    let from_url = format!("https://{}", addr).parse().unwrap();
+
+    std::env::remove_var("RUSTUP_USE_UNSAFE_SSL");
+
+    assert_eq!(std::env::var_os("RUSTUP_USE_UNSAFE_SSL").is_none(), true);
+
+    download_to_path_with_backend(Backend::Curl, &from_url, &target_path, false, None)
+        .expect("Test download failed");
+
+    assert_eq!(file_contents(&target_path), "12345");
+}
+
+#[test]
+#[should_panic]
+fn downloading_with_bad_certificate_using_wrong_env_value() {
+    let tmpdir = tmp_dir();
+    let target_path = tmpdir.path().join("downloaded");
+
+    let addr = serve_file(b"12345".to_vec(), true);
+    let from_url = format!("https://{}", addr).parse().unwrap();
+
+    std::env::set_var("RUSTUP_USE_UNSAFE_SSL", "FOOBAR");
+
+    assert_eq!(std::env::var_os("RUSTUP_USE_UNSAFE_SSL").is_some(), true);
+
+    download_to_path_with_backend(Backend::Curl, &from_url, &target_path, false, None)
+        .expect("Test download failed");
+
+    assert_eq!(file_contents(&target_path), "12345");
+}
diff --git a/src/download/tests/download-curl-unsafe.rs b/src/download/tests/download-curl-unsafe.rs
@@ -0,0 +1,28 @@
+#![cfg(feature = "curl-backend")]
+
+use download::*;
+
+mod support;
+use crate::support::{file_contents, serve_file, tmp_dir};
+
+// There are two separate files because this crate caches curl handles
+// and all tests in one file use either the safe or the unsafe handle.
+// See download-curl-safe.rs for the complementary test case.
+
+#[test]
+fn downloading_with_bad_certificate_unsafely() {
+    let tmpdir = tmp_dir();
+    let target_path = tmpdir.path().join("downloaded");
+
+    let addr = serve_file(b"12345".to_vec(), true);
+    let from_url = format!("https://{}", addr).parse().unwrap();
+
+    std::env::set_var("RUSTUP_USE_UNSAFE_SSL", "ACCEPT_RISKS");
+
+    assert_eq!(std::env::var_os("RUSTUP_USE_UNSAFE_SSL").is_some(), true);
+
+    download_to_path_with_backend(Backend::Curl, &from_url, &target_path, false, None)
+        .expect("Test download failed");
+
+    assert_eq!(file_contents(&target_path), "12345");
+}
diff --git a/src/download/tests/download-reqwest-resume.rs b/src/download/tests/download-reqwest-resume.rs
@@ -34,7 +34,7 @@ fn callback_gets_all_data_as_if_the_download_happened_all_at_once() {
     let target_path = tmpdir.path().join("downloaded");
     write_file(&target_path, "123");
 
-    let addr = serve_file(b"xxx45".to_vec());
+    let addr = serve_file(b"xxx45".to_vec(), false);
 
     let from_url = format!("http://{}", addr).parse().unwrap();
 
diff --git a/src/download/tests/download-reqwest-safe.rs b/src/download/tests/download-reqwest-safe.rs
@@ -0,0 +1,62 @@
+#![cfg(feature = "reqwest-backend")]
+
+use download::*;
+
+mod support;
+use crate::support::{file_contents, serve_file, tmp_dir};
+
+// There are two separate files because this crate caches reqwest clients
+// and all tests in one file use either the safe or the unsafe client.
+// See download-reqwest-unsafe.rs for the complementary test case.
+
+#[test]
+fn downloading_with_no_certificate() {
+    let tmpdir = tmp_dir();
+    let target_path = tmpdir.path().join("downloaded");
+
+    let addr = serve_file(b"12345".to_vec(), false);
+    let from_url = format!("http://{}", addr).parse().unwrap();
+
+    download_to_path_with_backend(Backend::Reqwest, &from_url, &target_path, false, None)
+        .expect("Test download failed");
+
+    assert_eq!(file_contents(&target_path), "12345");
+}
+
+#[test]
+#[should_panic]
+fn downloading_with_bad_certificate() {
+    let tmpdir = tmp_dir();
+    let target_path = tmpdir.path().join("downloaded");
+
+    let addr = serve_file(b"12345".to_vec(), true);
+    let from_url = format!("https://{}", addr).parse().unwrap();
+
+    std::env::remove_var("RUSTUP_USE_UNSAFE_SSL");
+
+    assert_eq!(std::env::var_os("RUSTUP_USE_UNSAFE_SSL").is_none(), true);
+
+    download_to_path_with_backend(Backend::Reqwest, &from_url, &target_path, false, None)
+        .expect("Test download failed");
+
+    assert_eq!(file_contents(&target_path), "12345");
+}
+
+#[test]
+#[should_panic]
+fn downloading_with_bad_certificate_using_wrong_env_value() {
+    let tmpdir = tmp_dir();
+    let target_path = tmpdir.path().join("downloaded");
+
+    let addr = serve_file(b"12345".to_vec(), true);
+    let from_url = format!("https://{}", addr).parse().unwrap();
+
+    std::env::set_var("RUSTUP_USE_UNSAFE_SSL", "FOOBAR");
+
+    assert_eq!(std::env::var_os("RUSTUP_USE_UNSAFE_SSL").is_some(), true);
+
+    download_to_path_with_backend(Backend::Reqwest, &from_url, &target_path, false, None)
+        .expect("Test download failed");
+
+    assert_eq!(file_contents(&target_path), "12345");
+}
diff --git a/src/download/tests/download-reqwest-unsafe.rs b/src/download/tests/download-reqwest-unsafe.rs
@@ -0,0 +1,28 @@
+#![cfg(feature = "reqwest-backend")]
+
+use download::*;
+
+mod support;
+use crate::support::{file_contents, serve_file, tmp_dir};
+
+// There are two separate files because this crate caches reqwest clients
+// and all tests in one file use either the safe or the unsafe client.
+// See download-reqwest-safe.rs for the complementary test case.
+
+#[test]
+fn downloading_with_bad_certificate_unsafely() {
+    let tmpdir = tmp_dir();
+    let target_path = tmpdir.path().join("downloaded");
+
+    let addr = serve_file(b"12345".to_vec(), true);
+    let from_url = format!("https://{}", addr).parse().unwrap();
+
+    std::env::set_var("RUSTUP_USE_UNSAFE_SSL", "ACCEPT_RISKS");
+
+    assert_eq!(std::env::var_os("RUSTUP_USE_UNSAFE_SSL").is_some(), true);
+
+    download_to_path_with_backend(Backend::Reqwest, &from_url, &target_path, false, None)
+        .expect("Test download failed");
+
+    assert_eq!(file_contents(&target_path), "12345");
+}
diff --git a/src/download/tests/support/cert.p12 b/src/download/tests/support/cert.p12
diff --git a/src/download/tests/support/mod.rs b/src/download/tests/support/mod.rs
diff --git a/src/download/tests/support/tls_proxy.rs b/src/download/tests/support/tls_proxy.rs
