Unverified Commit c4407896 authored by Steven Fackler's avatar Steven Fackler Committed by GitHub
Browse files

Merge pull request #788 from sfackler/ssl-docs 

Ssl docs
parents d1724d49 bf70d3dd

openssl/src/sign.rs

+1 −1
Original line number Diff line number Diff line
@@ -575,7 +575,7 @@ mod test { 


        let mut signer = Signer::new(MessageDigest::sha256(), &key).unwrap();

        signer.update(b"hello world").unwrap();

        let signature = signer.finish().unwrap();

        let signature = signer.sign_to_vec().unwrap();



        let mut verifier = Verifier::new(MessageDigest::sha256(), &key).unwrap();

        verifier.update(b"hello world").unwrap();

openssl/src/ssl/connector.rs

+63 −21
Original line number Diff line number Diff line 
use std::io::{Read, Write};

use std::ops::{Deref, DerefMut};



use dh::Dh;

use error::ErrorStack;

use ssl::{self, SslMethod, SslContextBuilder, SslContext, Ssl, SSL_VERIFY_PEER, SslStream,

          HandshakeError};

use ssl::{self, HandshakeError, Ssl, SslContext, SslContextBuilder, SslMethod, SslStream,

          SSL_VERIFY_PEER};

use pkey::PKeyRef;

use version;

use x509::X509Ref;
@@ -40,9 +41,8 @@ fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> { 
    opts |= ssl::SSL_OP_CIPHER_SERVER_PREFERENCE;

    ctx.set_options(opts);



    let mut mode = ssl::SSL_MODE_AUTO_RETRY |

        ssl::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |

        ssl::SSL_MODE_ENABLE_PARTIAL_WRITE;

    let mut mode = ssl::SSL_MODE_AUTO_RETRY | ssl::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER

        | ssl::SSL_MODE_ENABLE_PARTIAL_WRITE;



    // This is quite a useful optimization for saving memory, but historically

    // caused CVEs in OpenSSL pre-1.0.1h, according to
@@ -72,21 +72,23 @@ impl SslConnectorBuilder { 
             TLS13-AES-128-GCM-SHA256:\

             ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:\

             ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:\

             !aNULL:!eNULL:!MD5:!3DES"

             !aNULL:!eNULL:!MD5:!3DES",

        )?;

        setup_verify(&mut ctx);



        Ok(SslConnectorBuilder(ctx))

    }



    /// Returns a shared reference to the inner `SslContextBuilder`.

    #[deprecated(since = "0.9.23",

                 note = "SslConnectorBuilder now implements Deref<Target=SslContextBuilder>")]

    pub fn builder(&self) -> &SslContextBuilder {

        &self.0

        self

    }



    /// Returns a mutable reference to the inner `SslContextBuilder`.

    #[deprecated(since = "0.9.23",

                 note = "SslConnectorBuilder now implements DerefMut<Target=SslContextBuilder>")]

    pub fn builder_mut(&mut self) -> &mut SslContextBuilder {

        &mut self.0

        self

    }



    /// Consumes the builder, returning a `SslConnector`.
@@ -95,6 +97,20 @@ impl SslConnectorBuilder { 
    }

}



impl Deref for SslConnectorBuilder {

    type Target = SslContextBuilder;



    fn deref(&self) -> &SslContextBuilder {

        &self.0

    }

}



impl DerefMut for SslConnectorBuilder {

    fn deref_mut(&mut self) -> &mut SslContextBuilder {

        &mut self.0

    }

}



/// A type which wraps client-side streams in a TLS session.

///

/// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL
@@ -123,9 +139,14 @@ impl SslConnector { 
    /// You should think very carefully before you use this method. If hostname verification is not

    /// used, *any* valid certificate for *any* site will be trusted for use from any other. This

    /// introduces a significant vulnerability to man-in-the-middle attacks.

    pub fn danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication<S>(

            &self, stream: S) -> Result<SslStream<S>, HandshakeError<S>>

        where S: Read + Write

    pub fn danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication<

        S,

    >(

        &self,

        stream: S,

    ) -> Result<SslStream<S>, HandshakeError<S>>

    where

        S: Read + Write,

    {

        self.configure()?

            .danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication(stream)
@@ -173,9 +194,14 @@ impl ConnectConfiguration { 
    /// You should think very carefully before you use this method. If hostname verification is not

    /// used, *any* valid certificate for *any* site will be trusted for use from any other. This

    /// introduces a significant vulnerability to man-in-the-middle attacks.

    pub fn danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication<S>(

            self, stream: S) -> Result<SslStream<S>, HandshakeError<S>>

        where S: Read + Write

    pub fn danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication<

        S,

    >(

        self,

        stream: S,

    ) -> Result<SslStream<S>, HandshakeError<S>>

    where

        S: Read + Write,

    {

        self.0.connect(stream)

    }
@@ -279,14 +305,16 @@ impl SslAcceptorBuilder { 
        Ok(self)

    }



    /// Returns a shared reference to the inner `SslContextBuilder`.

    #[deprecated(since = "0.9.23",

                 note = "SslAcceptorBuilder now implements Deref<Target=SslContextBuilder>")]

    pub fn builder(&self) -> &SslContextBuilder {

        &self.0

        self

    }



    /// Returns a mutable reference to the inner `SslContextBuilder`.

    #[deprecated(since = "0.9.23",

                 note = "SslAcceptorBuilder now implements DerefMut<Target=SslContextBuilder>")]

    pub fn builder_mut(&mut self) -> &mut SslContextBuilder {

        &mut self.0

        self

    }



    /// Consumes the builder, returning a `SslAcceptor`.
@@ -295,6 +323,20 @@ impl SslAcceptorBuilder { 
    }

}



impl Deref for SslAcceptorBuilder {

    type Target = SslContextBuilder;



    fn deref(&self) -> &SslContextBuilder {

        &self.0

    }

}



impl DerefMut for SslAcceptorBuilder {

    fn deref_mut(&mut self) -> &mut SslContextBuilder {

        &mut self.0

    }

}



#[cfg(ossl101)]

fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {

    use ec::EcKey;
@@ -374,7 +416,7 @@ mod verify { 
    use std::str;



    use nid;

    use x509::{X509StoreContextRef, X509Ref, X509NameRef, GeneralName};

    use x509::{GeneralName, X509NameRef, X509Ref, X509StoreContextRef};

    use stack::Stack;



    pub fn verify_callback(

openssl/src/ssl/mod.rs

+431 −36

File changed.

Preview size limit exceeded, changes collapsed.

openssl/src/ssl/tests/mod.rs

+2 −4
Original line number Diff line number Diff line
@@ -1076,7 +1076,7 @@ fn connector_no_hostname_can_disable_verify() { 
    let (_s, tcp) = Server::new();



    let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap();

    connector.builder_mut().set_verify(SSL_VERIFY_NONE);

    connector.set_verify(SSL_VERIFY_NONE);

    let connector = connector.build();



    connector.danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication(tcp).unwrap();
@@ -1102,7 +1102,6 @@ fn connector_client_server_mozilla_intermediate() { 


    let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap();

    connector

        .builder_mut()

        .set_ca_file("test/root-ca.pem")

        .unwrap();

    let connector = connector.build();
@@ -1137,7 +1136,6 @@ fn connector_client_server_mozilla_modern() { 


    let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap();

    connector

        .builder_mut()

        .set_ca_file("test/root-ca.pem")

        .unwrap();

    let connector = connector.build();
@@ -1202,7 +1200,7 @@ fn cert_store() { 
    let cert = X509::from_pem(ROOT_CERT).unwrap();



    let mut ctx = SslConnectorBuilder::new(SslMethod::tls()).unwrap();

    ctx.builder_mut().cert_store_mut().add_cert(cert).unwrap();

    ctx.cert_store_mut().add_cert(cert).unwrap();

    let ctx = ctx.build();



    ctx.connect("foobar.com", tcp).unwrap();