Allow SNI and hostname verification to be configured separately

Closes #728
2017-12-23 12:47:38 -08:00 · 2017-12-23 12:47:38 -08:00 · 196a855d2a
parent 4c47aca508
commit 196a855d2a
2 changed files with 101 additions and 70 deletions
--- a/openssl/src/ssl/connector.rs
+++ b/openssl/src/ssl/connector.rs
@ -132,13 +132,9 @@ impl SslConnector {
        self.configure()?.connect(domain, stream)
    }
-    /// Initiates a client-side TLS session on a stream without performing hostname verification.
+    #[deprecated(
-    ///
+        since = "0.9.24",
-    /// # Warning
+        note = "use `ConnectConfiguration::verify_hostname` and `ConnectConfiguration::use_server_name_indication` instead")]
    ///
    /// You should think very carefully before you use this method. If hostname verification is not
    /// used, *any* valid certificate for *any* site will be trusted for use from any other. This
    /// introduces a significant vulnerability to man-in-the-middle attacks.
    pub fn danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication<
        S,
    >(
@ -149,53 +145,80 @@ impl SslConnector {
        S: Read + Write,
    {
        self.configure()?
-            .danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication(stream)
+            .use_server_name_indication(false)
            .verify_hostname(false)
            .connect("", stream)
    }
    /// Returns a structure allowing for configuration of a single TLS session before connection.
    pub fn configure(&self) -> Result<ConnectConfiguration, ErrorStack> {
-        Ssl::new(&self.0).map(ConnectConfiguration)
+        Ssl::new(&self.0).map(|ssl| ConnectConfiguration { ssl, sni: true, verify_hostname: true })
    }
 }
 /// A type which allows for configuration of a client-side TLS session before connection.
-pub struct ConnectConfiguration(Ssl);
+pub struct ConnectConfiguration {
    ssl: Ssl,
    sni: bool,
    verify_hostname: bool,
 }
 impl ConnectConfiguration {
    #[deprecated(since = "0.9.23",
                 note = "ConnectConfiguration now implements Deref<Target=SslRef>")]
    pub fn ssl(&self) -> &Ssl {
-        &self.0
+        &self.ssl
    }
    #[deprecated(since = "0.9.23",
                 note = "ConnectConfiguration now implements DerefMut<Target=SslRef>")]
    pub fn ssl_mut(&mut self) -> &mut Ssl {
-        &mut self.0
+        &mut self.ssl
    }
-    /// Initiates a client-side TLS session on a stream.
+    /// Configures the use of Server Name Indication (SNI) when connecting.
    ///
-    /// The domain is used for SNI and hostname verification.
+    /// Defaults to `true`.
-    pub fn connect<S>(mut self, domain: &str, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
+    pub fn use_server_name_indication(mut self, use_sni: bool) -> ConnectConfiguration {
-    where
+        self.sni = use_sni;
-        S: Read + Write,
+        self
    {
        self.0.set_hostname(domain)?;
        setup_verify_hostname(&mut self.0, domain)?;
        self.0.connect(stream)
    }
-    /// Initiates a client-side TLS session on a stream without performing hostname verification.
+    /// Configures the use of hostname verification when connecting.
    ///
-    /// The verification configuration of the connector's `SslContext` is not overridden.
+    /// Defaults to `true`.
    ///
    /// # Warning
    ///
    /// You should think very carefully before you use this method. If hostname verification is not
    /// used, *any* valid certificate for *any* site will be trusted for use from any other. This
    /// introduces a significant vulnerability to man-in-the-middle attacks.
    pub fn verify_hostname(mut self, verify_hostname: bool) -> ConnectConfiguration {
        self.verify_hostname = verify_hostname;
        self
    }
    /// Initiates a client-side TLS session on a stream.
    ///
    /// The domain is used for SNI and hostname verification if enabled.
    pub fn connect<S>(mut self, domain: &str, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
    where
        S: Read + Write,
    {
        if self.sni {
            self.ssl.set_hostname(domain)?;
        }
        if self.verify_hostname {
            setup_verify_hostname(&mut self.ssl, domain)?;
        }
        self.ssl.connect(stream)
    }
    #[deprecated(
        since = "0.9.24",
        note = "use `ConnectConfiguration::verify_hostname` and `ConnectConfiguration::use_server_name_indication` instead")]
    pub fn danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication<
        S,
    >(
@ -205,7 +228,7 @@ impl ConnectConfiguration {
    where
        S: Read + Write,
    {
-        self.0.connect(stream)
+        self.use_server_name_indication(false).verify_hostname(false).connect("", stream)
    }
 }
@ -213,13 +236,13 @@ impl Deref for ConnectConfiguration {
    type Target = SslRef;
    fn deref(&self) -> &SslRef {
-        &self.0
+        &self.ssl
    }
 }
 impl DerefMut for ConnectConfiguration {
    fn deref_mut(&mut self) -> &mut SslRef {
-        &mut self.0
+        &mut self.ssl
    }
 }
--- a/openssl/src/ssl/tests/mod.rs
+++ b/openssl/src/ssl/tests/mod.rs
@ -6,10 +6,10 @@ use std::io::prelude::*;
 use std::io::{self, BufReader};
 use std::iter;
 use std::mem;
-use std::net::{TcpStream, TcpListener, SocketAddr};
+use std::net::{SocketAddr, TcpListener, TcpStream};
 use std::path::Path;
-use std::process::{Command, Child, Stdio, ChildStdin};
+use std::process::{Child, ChildStdin, Command, Stdio};
-use std::sync::atomic::{AtomicBool, ATOMIC_BOOL_INIT, Ordering};
+use std::sync::atomic::{AtomicBool, Ordering, ATOMIC_BOOL_INIT};
 use std::thread;
 use std::time::Duration;
 use tempdir::TempDir;
@ -18,10 +18,9 @@ use dh::Dh;
 use hash::MessageDigest;
 use ocsp::{OcspResponse, RESPONSE_STATUS_UNAUTHORIZED};
 use ssl;
-use ssl::{SslMethod, HandshakeError, SslContext, SslStream, Ssl, ShutdownResult,
+use ssl::{Error, HandshakeError, ShutdownResult, Ssl, SslAcceptorBuilder, SslConnectorBuilder,
-          SslConnectorBuilder, SslAcceptorBuilder, Error, SSL_VERIFY_PEER, SSL_VERIFY_NONE,
+          SslContext, SslMethod, SslStream, SSL_VERIFY_NONE, SSL_VERIFY_PEER, STATUS_TYPE_OCSP};
-          STATUS_TYPE_OCSP};
+use x509::{X509, X509Name, X509StoreContext, X509_FILETYPE_PEM};
 use x509::{X509StoreContext, X509, X509Name, X509_FILETYPE_PEM};
 #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
 use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
 use pkey::PKey;
@ -35,7 +34,7 @@ static CERT: &'static [u8] = include_bytes!("../../../test/cert.pem");
 static KEY: &'static [u8] = include_bytes!("../../../test/key.pem");
 fn next_addr() -> SocketAddr {
-    use std::sync::atomic::{AtomicUsize, ATOMIC_USIZE_INIT, Ordering};
+    use std::sync::atomic::{AtomicUsize, Ordering, ATOMIC_USIZE_INIT};
    static PORT: AtomicUsize = ATOMIC_USIZE_INIT;
    let port = 15411 + PORT.fetch_add(1, Ordering::SeqCst);
@ -104,15 +103,13 @@ impl Server {
    #[allow(dead_code)]
    fn new_alpn() -> (Server, TcpStream) {
-        Server::new_tcp(
+        Server::new_tcp(&[
            &[
            "-www",
            "-nextprotoneg",
            "http/1.1,spdy/3.1",
            "-alpn",
            "http/1.1,spdy/3.1",
-            ],
+        ])
        )
    }
 }
@ -157,10 +154,9 @@ macro_rules! run_test(
    );
 );
-run_test!(
+run_test!(new_ctx, |method, _| {
-    new_ctx,
+    SslContext::builder(method).unwrap();
-    |method, _| { SslContext::builder(method).unwrap(); }
+});
 );
 run_test!(verify_untrusted, |method, stream| {
    let mut ctx = SslContext::builder(method).unwrap();
@ -309,7 +305,7 @@ run_test!(verify_callback_data, |method, stream| {
 });
 run_test!(ssl_verify_callback, |method, stream| {
-    use std::sync::atomic::{AtomicUsize, ATOMIC_USIZE_INIT, Ordering};
+    use std::sync::atomic::{AtomicUsize, Ordering, ATOMIC_USIZE_INIT};
    static CHECKED: AtomicUsize = ATOMIC_USIZE_INIT;
@ -437,9 +433,9 @@ fn test_read() {
    let mut stream = Ssl::new(&ctx.build()).unwrap().connect(tcp).unwrap();
    stream.write_all("GET /\r\n\r\n".as_bytes()).unwrap();
    stream.flush().unwrap();
-    io::copy(&mut stream, &mut io::sink()).ok().expect(
+    io::copy(&mut stream, &mut io::sink())
-        "read error",
+        .ok()
-    );
+        .expect("read error");
 }
 #[test]
@ -994,9 +990,8 @@ fn verify_valid_hostname() {
    ctx.set_verify(SSL_VERIFY_PEER);
    let mut ssl = Ssl::new(&ctx.build()).unwrap();
-    ssl.param_mut().set_hostflags(
+    ssl.param_mut()
-        X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
+        .set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
    );
    ssl.param_mut().set_host("google.com").unwrap();
    let s = TcpStream::connect("google.com:443").unwrap();
@ -1019,9 +1014,8 @@ fn verify_invalid_hostname() {
    ctx.set_verify(SSL_VERIFY_PEER);
    let mut ssl = Ssl::new(&ctx.build()).unwrap();
-    ssl.param_mut().set_hostflags(
+    ssl.param_mut()
-        X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
+        .set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
    );
    ssl.param_mut().set_host("foobar.com").unwrap();
    let s = TcpStream::connect("google.com:443").unwrap();
@ -1057,7 +1051,12 @@ fn connector_invalid_no_hostname_verification() {
    let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build();
    let s = TcpStream::connect("google.com:443").unwrap();
-    connector.danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication(s)
+    connector
        .configure()
        .unwrap()
        .use_server_name_indication(false)
        .verify_hostname(false)
        .connect("foobar.com", s)
        .unwrap();
 }
@ -1067,8 +1066,14 @@ fn connector_no_hostname_still_verifies() {
    let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build();
-    assert!(connector.danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication(tcp)
+    assert!(
-        .is_err());
+        connector
            .configure()
            .unwrap()
            .verify_hostname(false)
            .connect("fizzbuzz.com", tcp)
            .is_err()
    );
 }
 #[test]
@ -1079,7 +1084,12 @@ fn connector_no_hostname_can_disable_verify() {
    connector.set_verify(SSL_VERIFY_NONE);
    let connector = connector.build();
-    connector.danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication(tcp).unwrap();
+    connector
        .configure()
        .unwrap()
        .verify_hostname(false)
        .connect("foobar.com", tcp)
        .unwrap();
 }
 #[test]
@ -1101,9 +1111,7 @@ fn connector_client_server_mozilla_intermediate() {
    });
    let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap();
-    connector
+    connector.set_ca_file("test/root-ca.pem").unwrap();
        .set_ca_file("test/root-ca.pem")
        .unwrap();
    let connector = connector.build();
    let stream = TcpStream::connect(("127.0.0.1", port)).unwrap();
@ -1135,9 +1143,7 @@ fn connector_client_server_mozilla_modern() {
    });
    let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap();
-    connector
+    connector.set_ca_file("test/root-ca.pem").unwrap();
        .set_ca_file("test/root-ca.pem")
        .unwrap();
    let connector = connector.build();
    let stream = TcpStream::connect(("127.0.0.1", port)).unwrap();
@ -1239,7 +1245,8 @@ fn tmp_dh_callback() {
 }
 #[test]
-#[cfg(any(all(feature = "v101", ossl101, not(any(libressl261, libressl262, libressl26x))), all(feature = "v102", ossl102)))]
+#[cfg(any(all(feature = "v101", ossl101, not(any(libressl261, libressl262, libressl26x))),
          all(feature = "v102", ossl102)))]
 fn tmp_ecdh_callback() {
    use ec::EcKey;
    use nid;
@ -1306,7 +1313,8 @@ fn tmp_dh_callback_ssl() {
 }
 #[test]
-#[cfg(any(all(feature = "v101", ossl101, not(any(libressl261, libressl262, libressl26x))), all(feature = "v102", ossl102)))]
+#[cfg(any(all(feature = "v101", ossl101, not(any(libressl261, libressl262, libressl26x))),
          all(feature = "v102", ossl102)))]
 fn tmp_ecdh_callback_ssl() {
    use ec::EcKey;
    use nid;