From 34d700309cacee9340440c13f3a1f6f4799c5032 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 23 Dec 2017 14:33:54 -0800 Subject: [PATCH] Clean up 1.0.1 hostname verification --- openssl/src/dh.rs | 35 +++++++++------------- openssl/src/pkcs12.rs | 11 +++---- openssl/src/ssl/connector.rs | 58 ++++++++++++++---------------------- 3 files changed, 42 insertions(+), 62 deletions(-) diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index 50d9da7b..35404b6c 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -95,7 +95,7 @@ mod compat { mod tests { use dh::Dh; use bn::BigNum; - use ssl::{SslMethod, SslContext}; + use ssl::{SslContext, SslMethod}; #[test] #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] @@ -113,30 +113,23 @@ mod tests { fn test_dh() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); let p = BigNum::from_hex_str( - "87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F25D2CEED4435\ - E3B00E00DF8F1D61957D4FAF7DF4561B2AA3016C3D91134096FAA3BF429\ - 6D830E9A7C209E0C6497517ABD5A8A9D306BCF67ED91F9E6725B4758C02\ - 2E0B1EF4275BF7B6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF1230\ - 7F5C4FDB70C581B23F76B63ACAE1CAA6B7902D52526735488A0EF13C6D9\ - A51BFA4AB3AD8347796524D8EF6A167B5A41825D967E144E5140564251C\ - CACB83E6B486F6B3CA3F7971506026C0B857F689962856DED4010ABD0BE\ - 621C3A3960A54E710C375F26375D7014103A4B54330C198AF126116D227\ - 6E11715F693877FAD7EF09CADB094AE91E1A1597", + "87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F25D2CEED4435E3B00E00DF8F1D61957D4FAF7DF\ + 4561B2AA3016C3D91134096FAA3BF4296D830E9A7C209E0C6497517ABD5A8A9D306BCF67ED91F9E6725B47\ + 58C022E0B1EF4275BF7B6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF12307F5C4FDB70C581B23F76B6\ + 3ACAE1CAA6B7902D52526735488A0EF13C6D9A51BFA4AB3AD8347796524D8EF6A167B5A41825D967E144E5\ + 140564251CCACB83E6B486F6B3CA3F7971506026C0B857F689962856DED4010ABD0BE621C3A3960A54E710\ + C375F26375D7014103A4B54330C198AF126116D2276E11715F693877FAD7EF09CADB094AE91E1A1597", ).unwrap(); let g = BigNum::from_hex_str( - "3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF205407F4793A1A0\ - BA12510DBC15077BE463FFF4FED4AAC0BB555BE3A6C1B0C6B47B1BC3773\ - BF7E8C6F62901228F8C28CBB18A55AE31341000A650196F931C77A57F2D\ - DF463E5E9EC144B777DE62AAAB8A8628AC376D282D6ED3864E67982428E\ - BC831D14348F6F2F9193B5045AF2767164E1DFC967C1FB3F2E55A4BD1BF\ - FE83B9C80D052B985D182EA0ADB2A3B7313D3FE14C8484B1E052588B9B7\ - D2BBD2DF016199ECD06E1557CD0915B3353BBB64E0EC377FD028370DF92\ - B52C7891428CDC67EB6184B523D1DB246C32F63078490F00EF8D647D148\ - D47954515E2327CFEF98C582664B4C0F6CC41659", + "3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF205407F4793A1A0BA12510DBC15077BE463FFF4FED\ + 4AAC0BB555BE3A6C1B0C6B47B1BC3773BF7E8C6F62901228F8C28CBB18A55AE31341000A650196F931C77A\ + 57F2DDF463E5E9EC144B777DE62AAAB8A8628AC376D282D6ED3864E67982428EBC831D14348F6F2F9193B5\ + 045AF2767164E1DFC967C1FB3F2E55A4BD1BFFE83B9C80D052B985D182EA0ADB2A3B7313D3FE14C8484B1E\ + 052588B9B7D2BBD2DF016199ECD06E1557CD0915B3353BBB64E0EC377FD028370DF92B52C7891428CDC67E\ + B6184B523D1DB246C32F63078490F00EF8D647D148D47954515E2327CFEF98C582664B4C0F6CC41659", ).unwrap(); let q = BigNum::from_hex_str( - "8CF83642A709A097B447997640129DA299B1A47D1EB3750BA308B0FE64F\ - 5FBD3", + "8CF83642A709A097B447997640129DA299B1A47D1EB3750BA308B0FE64F5FBD3", ).unwrap(); let dh = Dh::from_params(p, g, q).unwrap(); ctx.set_tmp_dh(&dh).unwrap(); diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index 86111280..20422a28 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -75,7 +75,7 @@ impl Pkcs12 { ffi::init(); Pkcs12Builder { - nid_key: nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC, + nid_key: nid::UNDEF, //nid::PBE_WITHSHA1AND3_KEY_TRIPLEDES_CBC, nid_cert: nid::UNDEF, //nid::PBE_WITHSHA1AND40BITRC2_CBC, iter: ffi::PKCS12_DEFAULT_ITER, mac_iter: ffi::PKCS12_DEFAULT_ITER, @@ -147,16 +147,17 @@ impl Pkcs12Builder { password: &str, friendly_name: &str, pkey: &PKeyRef, - cert: &X509, + cert: &X509, // FIXME X509Ref ) -> Result { unsafe { let pass = CString::new(password).unwrap(); let friendly_name = CString::new(friendly_name).unwrap(); let pkey = pkey.as_ptr(); let cert = cert.as_ptr(); - let ca = self.ca.as_ref().map(|ca| ca.as_ptr()).unwrap_or( - ptr::null_mut(), - ); + let ca = self.ca + .as_ref() + .map(|ca| ca.as_ptr()) + .unwrap_or(ptr::null_mut()); let nid_key = self.nid_key.as_raw(); let nid_cert = self.nid_cert.as_raw(); diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index a91b46a1..cd02dc18 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -494,7 +494,7 @@ mod verify { } Err(_) => { if let Some(pattern) = name.dnsname() { - if matches_dns(pattern, domain, false) { + if matches_dns(pattern, domain) { return true; } } @@ -506,26 +506,25 @@ mod verify { } fn verify_subject_name(domain: &str, subject_name: &X509NameRef) -> bool { - if let Some(pattern) = subject_name.entries_by_nid(nid::COMMONNAME).next() { - let pattern = match str::from_utf8(pattern.data().as_slice()) { - Ok(pattern) => pattern, - Err(_) => return false, - }; + match subject_name.entries_by_nid(nid::COMMONNAME).next() { + Some(pattern) => { + let pattern = match str::from_utf8(pattern.data().as_slice()) { + Ok(pattern) => pattern, + Err(_) => return false, + }; - // Unlike with SANs, IP addresses in the subject name don't have a - // different encoding. We need to pass this down to matches_dns to - // disallow wildcard matches with bogus patterns like *.0.0.1 - let is_ip = domain.parse::().is_ok(); - - if matches_dns(&pattern, domain, is_ip) { - return true; + // Unlike SANs, IP addresses in the subject name don't have a + // different encoding. + match domain.parse::() { + Ok(ip) => pattern.parse::().ok().map_or(false, |pattern| pattern == ip), + Err(_) => matches_dns(pattern, domain), + } } + None => false, } - - false } - fn matches_dns(mut pattern: &str, mut hostname: &str, is_ip: bool) -> bool { + fn matches_dns(mut pattern: &str, mut hostname: &str) -> bool { // first strip trailing . off of pattern and hostname to normalize if pattern.ends_with('.') { pattern = &pattern[..pattern.len() - 1]; @@ -534,12 +533,12 @@ mod verify { hostname = &hostname[..hostname.len() - 1]; } - matches_wildcard(pattern, hostname, is_ip).unwrap_or_else(|| pattern == hostname) + matches_wildcard(pattern, hostname).unwrap_or_else(|| pattern == hostname) } - fn matches_wildcard(pattern: &str, hostname: &str, is_ip: bool) -> Option { - // IP addresses and internationalized domains can't involved in wildcards - if is_ip || pattern.starts_with("xn--") { + fn matches_wildcard(pattern: &str, hostname: &str) -> Option { + // internationalized domains can't involved in wildcards + if pattern.starts_with("xn--") { return None; } @@ -601,22 +600,9 @@ mod verify { } fn matches_ip(expected: &IpAddr, actual: &[u8]) -> bool { - match (expected, actual.len()) { - (&IpAddr::V4(ref addr), 4) => actual == addr.octets(), - (&IpAddr::V6(ref addr), 16) => { - let segments = [ - ((actual[0] as u16) << 8) | actual[1] as u16, - ((actual[2] as u16) << 8) | actual[3] as u16, - ((actual[4] as u16) << 8) | actual[5] as u16, - ((actual[6] as u16) << 8) | actual[7] as u16, - ((actual[8] as u16) << 8) | actual[9] as u16, - ((actual[10] as u16) << 8) | actual[11] as u16, - ((actual[12] as u16) << 8) | actual[13] as u16, - ((actual[14] as u16) << 8) | actual[15] as u16, - ]; - segments == addr.segments() - } - _ => false, + match *expected { + IpAddr::V4(ref addr) => actual == addr.octets(), + IpAddr::V6(ref addr) => actual == addr.octets(), } } }