Clean up a couple of holdovers from old features (1bbe1b6a) · Commits · Public Repositories / Rust Openssl

openssl/src/lib.rs

+0 −2

Original line number	Diff line number	Diff line
		@@ -61,8 +61,6 @@ pub mod string;
		pub mod symm;
		pub mod version;
		pub mod x509;
		#[cfg(any(ossl102, ossl110))]
		mod verify;

		fn cvt_p<T>(r: mut T) -> Result<mut T, ErrorStack> {
		if r.is_null() {

openssl/src/ssl/connector.rs

+5 −11

Original line number	Diff line number	Diff line
		@@ -192,11 +192,7 @@ impl SslAcceptor {
		pub fn mozilla_intermediate(method: SslMethod) -> Result<SslAcceptorBuilder, ErrorStack> {
		let mut ctx = ctx(method)?;
		#[cfg(ossl111)]
		{
		ctx.set_options(SslOptions {
		bits: ::ffi::SSL_OP_NO_TLSv1_3,
		});
		}
		ctx.set_options(SslOptions::NO_TLSV1_3);
		let dh = Dh::params_from_pem(
		b"
		-----BEGIN DH PARAMETERS-----
		@@ -236,11 +232,7 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
		let mut ctx = ctx(method)?;
		ctx.set_options(SslOptions::NO_TLSV1 \| SslOptions::NO_TLSV1_1);
		#[cfg(ossl111)]
		{
		ctx.set_options(SslOptions {
		bits: ::ffi::SSL_OP_NO_TLSv1_3,
		});
		}
		ctx.set_options(SslOptions::NO_TLSV1_3);
		setup_curves(&mut ctx)?;
		ctx.set_cipher_list(
		"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
		@@ -316,8 +308,10 @@ fn setup_verify(ctx: &mut SslContextBuilder) {

		#[cfg(any(ossl102, ossl110))]
		fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
		use x509::verify::X509CheckFlags;

		let param = ssl.param_mut();
		param.set_hostflags(::verify::X509CheckFlags::NO_PARTIAL_WILDCARDS);
		param.set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS);
		match domain.parse() {
		Ok(ip) => param.set_ip(ip),
		Err(_) => param.set_host(domain),

openssl/src/ssl/mod.rs

+5 −3

Original line number	Diff line number	Diff line
		@@ -87,7 +87,7 @@ use x509::store::{X509StoreBuilderRef, X509StoreRef};
		#[cfg(any(ossl102, ossl110))]
		use x509::store::X509Store;
		#[cfg(any(ossl102, ossl110))]
		use verify::X509VerifyParamRef;
		use x509::verify::X509VerifyParamRef;
		use pkey::{HasPrivate, PKeyRef, Params, Private};
		use error::ErrorStack;
		use ex_data::Index;
		@@ -1512,12 +1512,14 @@ impl SslContextBuilder {
		parse_cb: ParseFn,
		) -> Result<(), ErrorStack>
		where
		AddFn: Fn(&mut SslRef, ExtensionContext, Option<(usize, &X509Ref)>) -> Result<Option<T>, SslAlert>
		AddFn: Fn(&mut SslRef, ExtensionContext, Option<(usize, &X509Ref)>)
		-> Result<Option<T>, SslAlert>
		+ 'static
		+ Sync
		+ Send,
		T: AsRef<[u8]> + 'static + Sync + Send,
		ParseFn: Fn(&mut SslRef, ExtensionContext, &[u8], Option<(usize, &X509Ref)>) -> Result<(), SslAlert>
		ParseFn: Fn(&mut SslRef, ExtensionContext, &[u8], Option<(usize, &X509Ref)>)
		-> Result<(), SslAlert>
		+ 'static
		+ Sync
		+ Send,

openssl/src/verify.rs

deleted100644 → 0

+0 −86

Original line number	Diff line number	Diff line
		use libc::c_uint;
		use ffi;
		use foreign_types::ForeignTypeRef;
		use std::net::IpAddr;

		use cvt;
		use error::ErrorStack;

		bitflags! {
		/// Flags used to check an `X509` certificate.
		pub struct X509CheckFlags: c_uint {
		const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
		const FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS;
		const NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
		const MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
		const SINGLE_LABEL_SUBDOMAINS
		= ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS;
		/// Requires OpenSSL 1.1.0 or newer.
		#[cfg(any(ossl110))]
		const NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
		}
		}

		foreign_type_and_impl_send_sync! {
		type CType = ffi::X509_VERIFY_PARAM;
		fn drop = ffi::X509_VERIFY_PARAM_free;

		/// Adjust parameters associated with certificate verification.
		pub struct X509VerifyParam;
		/// Reference to `X509VerifyParam`.
		pub struct X509VerifyParamRef;
		}

		impl X509VerifyParamRef {
		/// Set the host flags.
		///
		/// This corresponds to [`X509_VERIFY_PARAM_set_hostflags`].
		///
		/// [`X509_VERIFY_PARAM_set_hostflags`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set_hostflags.html
		pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) {
		unsafe {
		ffi::X509_VERIFY_PARAM_set_hostflags(self.as_ptr(), hostflags.bits);
		}
		}

		/// Set the expected DNS hostname.
		///
		/// This corresponds to [`X509_VERIFY_PARAM_set1_host`].
		///
		/// [`X509_VERIFY_PARAM_set1_host`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set1_host.html
		pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> {
		unsafe {
		cvt(ffi::X509_VERIFY_PARAM_set1_host(
		self.as_ptr(),
		host.as_ptr() as *const _,
		host.len(),
		)).map(\|_\| ())
		}
		}

		/// Set the expected IPv4 or IPv6 address.
		///
		/// This corresponds to [`X509_VERIFY_PARAM_set1_ip`].
		///
		/// [`X509_VERIFY_PARAM_set1_ip`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set1_ip.html
		pub fn set_ip(&mut self, ip: IpAddr) -> Result<(), ErrorStack> {
		unsafe {
		let mut buf = [0; 16];
		let len = match ip {
		IpAddr::V4(addr) => {
		buf[..4].copy_from_slice(&addr.octets());
		4
		}
		IpAddr::V6(addr) => {
		buf.copy_from_slice(&addr.octets());
		16
		}
		};
		cvt(ffi::X509_VERIFY_PARAM_set1_ip(
		self.as_ptr(),
		buf.as_ptr() as *const _,
		len,
		)).map(\|_\| ())
		}
		}
		}

openssl/src/x509/verify.rs

+85 −4

Original line number	Diff line number	Diff line
		//! X509 certificate verification
		//!
		//! Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature.
		use libc::c_uint;
		use ffi;
		use foreign_types::ForeignTypeRef;
		use std::net::IpAddr;

		pub use verify::*;
		use cvt;
		use error::ErrorStack;

		bitflags! {
		/// Flags used to check an `X509` certificate.
		pub struct X509CheckFlags: c_uint {
		const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
		const FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS;
		const NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
		const MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
		const SINGLE_LABEL_SUBDOMAINS
		= ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS;
		/// Requires OpenSSL 1.1.0 or newer.
		#[cfg(any(ossl110))]
		const NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
		}
		}

		foreign_type_and_impl_send_sync! {
		type CType = ffi::X509_VERIFY_PARAM;
		fn drop = ffi::X509_VERIFY_PARAM_free;

		/// Adjust parameters associated with certificate verification.
		pub struct X509VerifyParam;
		/// Reference to `X509VerifyParam`.
		pub struct X509VerifyParamRef;
		}

		impl X509VerifyParamRef {
		/// Set the host flags.
		///
		/// This corresponds to [`X509_VERIFY_PARAM_set_hostflags`].
		///
		/// [`X509_VERIFY_PARAM_set_hostflags`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set_hostflags.html
		pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) {
		unsafe {
		ffi::X509_VERIFY_PARAM_set_hostflags(self.as_ptr(), hostflags.bits);
		}
		}

		/// Set the expected DNS hostname.
		///
		/// This corresponds to [`X509_VERIFY_PARAM_set1_host`].
		///
		/// [`X509_VERIFY_PARAM_set1_host`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set1_host.html
		pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> {
		unsafe {
		cvt(ffi::X509_VERIFY_PARAM_set1_host(
		self.as_ptr(),
		host.as_ptr() as *const _,
		host.len(),
		)).map(\|_\| ())
		}
		}

		/// Set the expected IPv4 or IPv6 address.
		///
		/// This corresponds to [`X509_VERIFY_PARAM_set1_ip`].
		///
		/// [`X509_VERIFY_PARAM_set1_ip`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set1_ip.html
		pub fn set_ip(&mut self, ip: IpAddr) -> Result<(), ErrorStack> {
		unsafe {
		let mut buf = [0; 16];
		let len = match ip {
		IpAddr::V4(addr) => {
		buf[..4].copy_from_slice(&addr.octets());
		4
		}
		IpAddr::V6(addr) => {
		buf.copy_from_slice(&addr.octets());
		16
		}
		};
		cvt(ffi::X509_VERIFY_PARAM_set1_ip(
		self.as_ptr(),
		buf.as_ptr() as *const _,
		len,
		)).map(\|_\| ())
		}
		}
		}