Loading openssl-sys/src/ossl110.rs +30 −15 Original line number Diff line number Diff line use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long}; use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long, c_uint, size_t}; pub enum stack_st_X509 {} pub enum stack_st_X509_ATTRIBUTE {} pub enum stack_st_X509_EXTENSION {} pub enum stack_st_GENERAL_NAME {} pub enum stack_st_void {} pub enum _STACK {} pub enum BIO_METHOD {} pub enum RSA {} pub enum DSA {} pub enum EVP_PKEY {} pub enum BIGNUM {} pub enum BIO {} pub enum BIO_METHOD {} pub enum CRYPTO_EX_DATA {} pub enum EVP_MD_CTX {} pub enum DH {} pub enum DSA {} pub enum EVP_CIPHER {} pub enum EVP_MD_CTX {} pub enum EVP_PKEY {} pub enum HMAC_CTX {} pub enum BIGNUM {} pub enum OPENSSL_STACK {} pub enum DH {} pub enum X509 {} pub enum RSA {} pub enum SSL_CTX {} pub enum _STACK {} pub enum stack_st_ASN1_OBJECT {} pub enum stack_st_GENERAL_NAME {} pub enum stack_st_OPENSSL_STRING {} pub enum stack_st_void {} pub enum stack_st_X509 {} pub enum stack_st_X509_ATTRIBUTE {} pub enum stack_st_X509_EXTENSION {} pub enum X509 {} pub enum X509_VERIFY_PARAM {} pub const SSL_OP_MICROSOFT_SESS_ID_BUG: c_ulong = 0x00000000; pub const SSL_OP_NETSCAPE_CHALLENGE_BUG: c_ulong = 0x00000000; Loading @@ -41,6 +44,13 @@ pub const OPENSSL_DIR: c_int = 4; pub const CRYPTO_EX_INDEX_SSL: c_int = 0; pub const CRYPTO_EX_INDEX_SSL_CTX: c_int = 1; pub const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT: c_uint = 0x1; pub const X509_CHECK_FLAG_NO_WILDCARDS: c_uint = 0x2; pub const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS: c_uint = 0x4; pub const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS: c_uint = 0x8; pub const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS: c_uint = 0x10; pub const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT: c_uint = 0x20; pub fn init() {} extern { Loading Loading @@ -96,8 +106,13 @@ extern { pub fn SSL_CTX_get_options(ctx: *const ::SSL_CTX) -> c_ulong; pub fn SSL_CTX_set_options(ctx: *mut ::SSL_CTX, op: c_ulong) -> c_ulong; pub fn SSL_CTX_clear_options(ctx: *mut ::SSL_CTX, op: c_ulong) -> c_ulong; pub fn SSL_get0_param(ssl: *mut ::SSL) -> *mut X509_VERIFY_PARAM; pub fn X509_getm_notAfter(x: *const ::X509) -> *mut ::ASN1_TIME; pub fn X509_getm_notBefore(x: *const ::X509) -> *mut ::ASN1_TIME; pub fn X509_VERIFY_PARAM_set_hostflags(param: *mut X509_VERIFY_PARAM, flags: c_uint); pub fn X509_VERIFY_PARAM_set1_host(param: *mut X509_VERIFY_PARAM, name: *const c_char, namelen: size_t) -> c_int; pub fn DH_set0_pqg(dh: *mut ::DH, p: *mut ::BIGNUM, q: *mut ::BIGNUM, Loading openssl/src/ssl/mod.rs +12 −0 Original line number Diff line number Diff line Loading @@ -22,6 +22,8 @@ use ffi; use init; use dh::DH; use x509::{X509StoreContext, X509FileType, X509, X509Ref}; #[cfg(feature = "openssl-110")] use x509::verify::X509VerifyParamRef; use crypto::pkey::PKey; use error::ErrorStack; Loading Loading @@ -988,6 +990,16 @@ impl<'a> SslRef<'a> { SslContextRef::from_ptr(ssl_ctx) } } /// Returns the X509 verification configuration. /// /// Requires the `openssl-110` feature. #[cfg(feature = "openssl-110")] pub fn param(&mut self) -> X509VerifyParamRef<'a> { unsafe { X509VerifyParamRef::from_ptr(ffi::SSL_get0_param(self.as_ptr())) } } } pub struct Ssl(SslRef<'static>); Loading openssl/src/ssl/tests/mod.rs +44 −0 Original line number Diff line number Diff line Loading @@ -21,9 +21,13 @@ use ssl::SslMethod::Tls; use ssl::{SslMethod, HandshakeError}; use ssl::error::Error; use ssl::{SslContext, SslStream}; #[cfg(feature = "openssl-110")] use ssl::IntoSsl; use x509::X509StoreContext; use x509::X509FileType; use x509::X509; #[cfg(feature = "openssl-110")] use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; use crypto::pkey::PKey; use std::net::UdpSocket; Loading Loading @@ -1042,3 +1046,43 @@ fn add_extra_chain_cert() { let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); ctx.add_extra_chain_cert(&cert).unwrap(); } #[test] #[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :( #[cfg(feature = "openssl-110")] fn valid_hostname() { let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); ctx.set_default_verify_paths().unwrap(); ctx.set_verify(SSL_VERIFY_PEER); let mut ssl = ctx.into_ssl().unwrap(); ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); ssl.param().set_host("google.com").unwrap(); let s = TcpStream::connect("google.com:443").unwrap(); let mut socket = SslStream::connect(ssl, s).unwrap(); socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap(); let mut result = vec![]; socket.read_to_end(&mut result).unwrap(); println!("{}", String::from_utf8_lossy(&result)); assert!(result.starts_with(b"HTTP/1.0")); assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>")); } #[test] #[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :( #[cfg(feature = "openssl-110")] fn invalid_hostname() { let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); ctx.set_default_verify_paths().unwrap(); ctx.set_verify(SSL_VERIFY_PEER); let mut ssl = ctx.into_ssl().unwrap(); ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); ssl.param().set_host("foobar.com").unwrap(); let s = TcpStream::connect("google.com:443").unwrap(); assert!(SslStream::connect(ssl, s).is_err()); } openssl/src/x509/mod.rs +3 −0 Original line number Diff line number Diff line Loading @@ -38,6 +38,9 @@ use ffi::{ pub mod extension; #[cfg(feature = "openssl-110")] pub mod verify; use self::extension::{ExtensionType, Extension}; #[cfg(test)] Loading openssl/src/x509/verify.rs 0 → 100644 +41 −0 Original line number Diff line number Diff line use std::marker::PhantomData; use libc::c_uint; use ffi; use error::ErrorStack; bitflags! { pub flags X509CheckFlags: c_uint { const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, const X509_CHECK_FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS, const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS, const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, } } pub struct X509VerifyParamRef<'a>(*mut ffi::X509_VERIFY_PARAM, PhantomData<&'a mut ()>); impl<'a> X509VerifyParamRef<'a> { pub unsafe fn from_ptr(ptr: *mut ffi::X509_VERIFY_PARAM) -> X509VerifyParamRef<'a> { X509VerifyParamRef(ptr, PhantomData) } pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) { unsafe { ffi::X509_VERIFY_PARAM_set_hostflags(self.0, hostflags.bits); } } pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { unsafe { try_ssl!(ffi::X509_VERIFY_PARAM_set1_host(self.0, host.as_ptr() as *const _, host.len())) } Ok(()) } } Loading
openssl-sys/src/ossl110.rs +30 −15 Original line number Diff line number Diff line use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long}; use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long, c_uint, size_t}; pub enum stack_st_X509 {} pub enum stack_st_X509_ATTRIBUTE {} pub enum stack_st_X509_EXTENSION {} pub enum stack_st_GENERAL_NAME {} pub enum stack_st_void {} pub enum _STACK {} pub enum BIO_METHOD {} pub enum RSA {} pub enum DSA {} pub enum EVP_PKEY {} pub enum BIGNUM {} pub enum BIO {} pub enum BIO_METHOD {} pub enum CRYPTO_EX_DATA {} pub enum EVP_MD_CTX {} pub enum DH {} pub enum DSA {} pub enum EVP_CIPHER {} pub enum EVP_MD_CTX {} pub enum EVP_PKEY {} pub enum HMAC_CTX {} pub enum BIGNUM {} pub enum OPENSSL_STACK {} pub enum DH {} pub enum X509 {} pub enum RSA {} pub enum SSL_CTX {} pub enum _STACK {} pub enum stack_st_ASN1_OBJECT {} pub enum stack_st_GENERAL_NAME {} pub enum stack_st_OPENSSL_STRING {} pub enum stack_st_void {} pub enum stack_st_X509 {} pub enum stack_st_X509_ATTRIBUTE {} pub enum stack_st_X509_EXTENSION {} pub enum X509 {} pub enum X509_VERIFY_PARAM {} pub const SSL_OP_MICROSOFT_SESS_ID_BUG: c_ulong = 0x00000000; pub const SSL_OP_NETSCAPE_CHALLENGE_BUG: c_ulong = 0x00000000; Loading @@ -41,6 +44,13 @@ pub const OPENSSL_DIR: c_int = 4; pub const CRYPTO_EX_INDEX_SSL: c_int = 0; pub const CRYPTO_EX_INDEX_SSL_CTX: c_int = 1; pub const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT: c_uint = 0x1; pub const X509_CHECK_FLAG_NO_WILDCARDS: c_uint = 0x2; pub const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS: c_uint = 0x4; pub const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS: c_uint = 0x8; pub const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS: c_uint = 0x10; pub const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT: c_uint = 0x20; pub fn init() {} extern { Loading Loading @@ -96,8 +106,13 @@ extern { pub fn SSL_CTX_get_options(ctx: *const ::SSL_CTX) -> c_ulong; pub fn SSL_CTX_set_options(ctx: *mut ::SSL_CTX, op: c_ulong) -> c_ulong; pub fn SSL_CTX_clear_options(ctx: *mut ::SSL_CTX, op: c_ulong) -> c_ulong; pub fn SSL_get0_param(ssl: *mut ::SSL) -> *mut X509_VERIFY_PARAM; pub fn X509_getm_notAfter(x: *const ::X509) -> *mut ::ASN1_TIME; pub fn X509_getm_notBefore(x: *const ::X509) -> *mut ::ASN1_TIME; pub fn X509_VERIFY_PARAM_set_hostflags(param: *mut X509_VERIFY_PARAM, flags: c_uint); pub fn X509_VERIFY_PARAM_set1_host(param: *mut X509_VERIFY_PARAM, name: *const c_char, namelen: size_t) -> c_int; pub fn DH_set0_pqg(dh: *mut ::DH, p: *mut ::BIGNUM, q: *mut ::BIGNUM, Loading
openssl/src/ssl/mod.rs +12 −0 Original line number Diff line number Diff line Loading @@ -22,6 +22,8 @@ use ffi; use init; use dh::DH; use x509::{X509StoreContext, X509FileType, X509, X509Ref}; #[cfg(feature = "openssl-110")] use x509::verify::X509VerifyParamRef; use crypto::pkey::PKey; use error::ErrorStack; Loading Loading @@ -988,6 +990,16 @@ impl<'a> SslRef<'a> { SslContextRef::from_ptr(ssl_ctx) } } /// Returns the X509 verification configuration. /// /// Requires the `openssl-110` feature. #[cfg(feature = "openssl-110")] pub fn param(&mut self) -> X509VerifyParamRef<'a> { unsafe { X509VerifyParamRef::from_ptr(ffi::SSL_get0_param(self.as_ptr())) } } } pub struct Ssl(SslRef<'static>); Loading
openssl/src/ssl/tests/mod.rs +44 −0 Original line number Diff line number Diff line Loading @@ -21,9 +21,13 @@ use ssl::SslMethod::Tls; use ssl::{SslMethod, HandshakeError}; use ssl::error::Error; use ssl::{SslContext, SslStream}; #[cfg(feature = "openssl-110")] use ssl::IntoSsl; use x509::X509StoreContext; use x509::X509FileType; use x509::X509; #[cfg(feature = "openssl-110")] use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; use crypto::pkey::PKey; use std::net::UdpSocket; Loading Loading @@ -1042,3 +1046,43 @@ fn add_extra_chain_cert() { let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); ctx.add_extra_chain_cert(&cert).unwrap(); } #[test] #[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :( #[cfg(feature = "openssl-110")] fn valid_hostname() { let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); ctx.set_default_verify_paths().unwrap(); ctx.set_verify(SSL_VERIFY_PEER); let mut ssl = ctx.into_ssl().unwrap(); ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); ssl.param().set_host("google.com").unwrap(); let s = TcpStream::connect("google.com:443").unwrap(); let mut socket = SslStream::connect(ssl, s).unwrap(); socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap(); let mut result = vec![]; socket.read_to_end(&mut result).unwrap(); println!("{}", String::from_utf8_lossy(&result)); assert!(result.starts_with(b"HTTP/1.0")); assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>")); } #[test] #[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :( #[cfg(feature = "openssl-110")] fn invalid_hostname() { let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); ctx.set_default_verify_paths().unwrap(); ctx.set_verify(SSL_VERIFY_PEER); let mut ssl = ctx.into_ssl().unwrap(); ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); ssl.param().set_host("foobar.com").unwrap(); let s = TcpStream::connect("google.com:443").unwrap(); assert!(SslStream::connect(ssl, s).is_err()); }
openssl/src/x509/mod.rs +3 −0 Original line number Diff line number Diff line Loading @@ -38,6 +38,9 @@ use ffi::{ pub mod extension; #[cfg(feature = "openssl-110")] pub mod verify; use self::extension::{ExtensionType, Extension}; #[cfg(test)] Loading
openssl/src/x509/verify.rs 0 → 100644 +41 −0 Original line number Diff line number Diff line use std::marker::PhantomData; use libc::c_uint; use ffi; use error::ErrorStack; bitflags! { pub flags X509CheckFlags: c_uint { const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, const X509_CHECK_FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS, const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS, const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, } } pub struct X509VerifyParamRef<'a>(*mut ffi::X509_VERIFY_PARAM, PhantomData<&'a mut ()>); impl<'a> X509VerifyParamRef<'a> { pub unsafe fn from_ptr(ptr: *mut ffi::X509_VERIFY_PARAM) -> X509VerifyParamRef<'a> { X509VerifyParamRef(ptr, PhantomData) } pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) { unsafe { ffi::X509_VERIFY_PARAM_set_hostflags(self.0, hostflags.bits); } } pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { unsafe { try_ssl!(ffi::X509_VERIFY_PARAM_set1_host(self.0, host.as_ptr() as *const _, host.len())) } Ok(()) } }
