From 080050e10d7f1b00e164e4cb047ffc323f5d6fc9 Mon Sep 17 00:00:00 2001
From: Steven Fackler <sfackler@gmail.com>
Date: Tue, 18 Oct 2016 21:52:49 -0700
Subject: [PATCH 1/3] Drop lifetime on GeneralNames

---
 openssl/src/x509/mod.rs | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index e801b1da..de74a236 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -406,7 +406,7 @@ impl<'a> X509Ref<'a> {
     }
 
     /// Returns this certificate's SAN entries, if they exist.
-    pub fn subject_alt_names<'b>(&'b self) -> Option<GeneralNames<'b>> {
+    pub fn subject_alt_names(&self) -> Option<GeneralNames> {
         unsafe {
             let stack = ffi::X509_get_ext_d2i(self.0,
                                               Nid::SubjectAltName as c_int,
@@ -418,7 +418,6 @@ impl<'a> X509Ref<'a> {
 
             Some(GeneralNames {
                 stack: stack as *mut _,
-                m: PhantomData,
             })
         }
     }
@@ -763,14 +762,12 @@ make_validation_error!(X509_V_OK,
     X509ApplicationVerification = X509_V_ERR_APPLICATION_VERIFICATION,
 );
 
-// FIXME remove lifetime param for 0.9
 /// A collection of OpenSSL `GENERAL_NAME`s.
-pub struct GeneralNames<'a> {
+pub struct GeneralNames {
     stack: *mut ffi::stack_st_GENERAL_NAME,
-    m: PhantomData<&'a ()>,
 }
 
-impl<'a> Drop for GeneralNames<'a> {
+impl Drop for GeneralNames {
     #[cfg(ossl10x)]
     fn drop(&mut self) {
         unsafe {
@@ -792,7 +789,7 @@ impl<'a> Drop for GeneralNames<'a> {
     }
 }
 
-impl<'a> GeneralNames<'a> {
+impl GeneralNames {
     /// Returns the number of `GeneralName`s in this structure.
     pub fn len(&self) -> usize {
         self._len()
@@ -813,7 +810,7 @@ impl<'a> GeneralNames<'a> {
     /// # Panics
     ///
     /// Panics if `idx` is not less than `len()`.
-    pub fn get(&self, idx: usize) -> GeneralName<'a> {
+    pub fn get<'a>(&'a self, idx: usize) -> GeneralName<'a> {
         unsafe {
             assert!(idx < self.len());
             GeneralName {
@@ -842,7 +839,7 @@ impl<'a> GeneralNames<'a> {
     }
 }
 
-impl<'a> IntoIterator for &'a GeneralNames<'a> {
+impl<'a> IntoIterator for &'a GeneralNames {
     type Item = GeneralName<'a>;
     type IntoIter = GeneralNamesIter<'a>;
 
@@ -853,7 +850,7 @@ impl<'a> IntoIterator for &'a GeneralNames<'a> {
 
 /// An iterator over OpenSSL `GENERAL_NAME`s.
 pub struct GeneralNamesIter<'a> {
-    names: &'a GeneralNames<'a>,
+    names: &'a GeneralNames,
     idx: usize,
 }
 

From cfd5192a7d44b8d6c77e57f091887a6a00a166db Mon Sep 17 00:00:00 2001
From: Steven Fackler <sfackler@gmail.com>
Date: Tue, 18 Oct 2016 22:10:37 -0700
Subject: [PATCH 2/3] De-enumify X509ValidationError

Also make it an Error.

Closes #352.
---
 openssl-sys/src/lib.rs  |   1 +
 openssl/src/x509/mod.rs | 145 +++++++++++++++++-----------------------
 2 files changed, 62 insertions(+), 84 deletions(-)

diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs
index aae2540c..33abad21 100644
--- a/openssl-sys/src/lib.rs
+++ b/openssl-sys/src/lib.rs
@@ -731,6 +731,7 @@ extern {
     pub fn X509_sign(x: *mut X509, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> c_int;
     pub fn X509_get_pubkey(x: *mut X509) -> *mut EVP_PKEY;
     pub fn X509_to_X509_REQ(x: *mut X509, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> *mut X509_REQ;
+    pub fn X509_verify_cert_error_string(n: c_long) -> *const c_char;
 
     pub fn X509_EXTENSION_free(ext: *mut X509_EXTENSION);
 
diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index de74a236..50d75d63 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -1,14 +1,15 @@
 use libc::{c_char, c_int, c_long, c_ulong, c_void};
 use std::cmp;
-use std::ffi::CString;
-use std::mem;
-use std::ptr;
-use std::ops::Deref;
-use std::fmt;
-use std::str;
-use std::slice;
 use std::collections::HashMap;
+use std::error::Error;
+use std::ffi::{CStr, CString};
+use std::fmt;
 use std::marker::PhantomData;
+use std::mem;
+use std::ops::Deref;
+use std::ptr;
+use std::slice;
+use std::str;
 
 use {cvt, cvt_p};
 use asn1::Asn1Time;
@@ -100,14 +101,19 @@ impl X509StoreContext {
     }
 
     pub fn error(&self) -> Option<X509ValidationError> {
-        let err = unsafe { ffi::X509_STORE_CTX_get_error(self.ctx) };
-        X509ValidationError::from_raw(err)
+        unsafe {
+            let err = ffi::X509_STORE_CTX_get_error(self.ctx) as c_long;
+            if err == ffi::X509_V_OK as c_long {
+                None
+            } else {
+                Some(X509ValidationError::from_raw(err))
+            }
+        }
     }
 
     pub fn current_cert<'a>(&'a self) -> Option<X509Ref<'a>> {
         unsafe {
             let ptr = ffi::X509_STORE_CTX_get_current_cert(self.ctx);
-
             if ptr.is_null() {
                 None
             } else {
@@ -685,82 +691,53 @@ impl<'a> Iterator for ExtensionsIter<'a> {
     }
 }
 
-macro_rules! make_validation_error(
-    ($ok_val:ident, $($name:ident = $val:ident,)+) => (
-        #[derive(Copy, Clone)]
-        pub enum X509ValidationError {
-            $($name,)+
-            X509UnknownError(c_int)
-        }
+pub struct X509ValidationError(c_long);
 
-        impl X509ValidationError {
-            #[doc(hidden)]
-            pub fn from_raw(err: c_int) -> Option<X509ValidationError> {
-                match err {
-                    ffi::$ok_val => None,
-                    $(ffi::$val => Some(X509ValidationError::$name),)+
-                    err => Some(X509ValidationError::X509UnknownError(err))
-                }
-            }
-        }
-    )
-);
+impl fmt::Debug for X509ValidationError {
+    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
+        fmt.debug_struct("X509ValidationError")
+            .field("code", &self.0)
+            .field("error", &self.error_string())
+            .finish()
+    }
+}
 
-make_validation_error!(X509_V_OK,
-    X509UnableToGetIssuerCert = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
-    X509UnableToGetCrl = X509_V_ERR_UNABLE_TO_GET_CRL,
-    X509UnableToDecryptCertSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
-    X509UnableToDecryptCrlSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
-    X509UnableToDecodeIssuerPublicKey = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
-    X509CertSignatureFailure = X509_V_ERR_CERT_SIGNATURE_FAILURE,
-    X509CrlSignatureFailure = X509_V_ERR_CRL_SIGNATURE_FAILURE,
-    X509CertNotYetValid = X509_V_ERR_CERT_NOT_YET_VALID,
-    X509CertHasExpired = X509_V_ERR_CERT_HAS_EXPIRED,
-    X509CrlNotYetValid = X509_V_ERR_CRL_NOT_YET_VALID,
-    X509CrlHasExpired = X509_V_ERR_CRL_HAS_EXPIRED,
-    X509ErrorInCertNotBeforeField = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD,
-    X509ErrorInCertNotAfterField = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD,
-    X509ErrorInCrlLastUpdateField = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD,
-    X509ErrorInCrlNextUpdateField = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD,
-    X509OutOfMem = X509_V_ERR_OUT_OF_MEM,
-    X509DepthZeroSelfSignedCert = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
-    X509SelfSignedCertInChain = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
-    X509UnableToGetIssuerCertLocally = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
-    X509UnableToVerifyLeafSignature = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
-    X509CertChainTooLong = X509_V_ERR_CERT_CHAIN_TOO_LONG,
-    X509CertRevoked = X509_V_ERR_CERT_REVOKED,
-    X509InvalidCA = X509_V_ERR_INVALID_CA,
-    X509PathLengthExceeded = X509_V_ERR_PATH_LENGTH_EXCEEDED,
-    X509InvalidPurpose = X509_V_ERR_INVALID_PURPOSE,
-    X509CertUntrusted = X509_V_ERR_CERT_UNTRUSTED,
-    X509CertRejected = X509_V_ERR_CERT_REJECTED,
-    X509SubjectIssuerMismatch = X509_V_ERR_SUBJECT_ISSUER_MISMATCH,
-    X509AkidSkidMismatch = X509_V_ERR_AKID_SKID_MISMATCH,
-    X509AkidIssuerSerialMismatch = X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH,
-    X509KeyusageNoCertsign = X509_V_ERR_KEYUSAGE_NO_CERTSIGN,
-    X509UnableToGetCrlIssuer = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER,
-    X509UnhandledCriticalExtension = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION,
-    X509KeyusageNoCrlSign = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN,
-    X509UnhandledCriticalCrlExtension = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION,
-    X509InvalidNonCA = X509_V_ERR_INVALID_NON_CA,
-    X509ProxyPathLengthExceeded = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED,
-    X509KeyusageNoDigitalSignature = X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE,
-    X509ProxyCertificatesNotAllowed = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED,
-    X509InvalidExtension = X509_V_ERR_INVALID_EXTENSION,
-    X509InavlidPolicyExtension = X509_V_ERR_INVALID_POLICY_EXTENSION,
-    X509NoExplicitPolicy = X509_V_ERR_NO_EXPLICIT_POLICY,
-    X509DifferentCrlScope = X509_V_ERR_DIFFERENT_CRL_SCOPE,
-    X509UnsupportedExtensionFeature = X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE,
-    X509UnnestedResource = X509_V_ERR_UNNESTED_RESOURCE,
-    X509PermittedVolation = X509_V_ERR_PERMITTED_VIOLATION,
-    X509ExcludedViolation = X509_V_ERR_EXCLUDED_VIOLATION,
-    X509SubtreeMinmax = X509_V_ERR_SUBTREE_MINMAX,
-    X509UnsupportedConstraintType = X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE,
-    X509UnsupportedConstraintSyntax = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX,
-    X509UnsupportedNameSyntax = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX,
-    X509CrlPathValidationError= X509_V_ERR_CRL_PATH_VALIDATION_ERROR,
-    X509ApplicationVerification = X509_V_ERR_APPLICATION_VERIFICATION,
-);
+impl fmt::Display for X509ValidationError {
+    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
+        fmt.write_str(self.error_string())
+    }
+}
+
+impl Error for X509ValidationError {
+    fn description(&self) -> &str {
+        "an X509 validation error"
+    }
+}
+
+impl X509ValidationError {
+    /// Creates an `X509ValidationError` from a raw error number.
+    ///
+    /// # Safety
+    ///
+    /// Some methods on `X509ValidationError` are not thread safe if the error
+    /// number is invalid.
+    pub unsafe fn from_raw(err: c_long) -> X509ValidationError {
+        X509ValidationError(err)
+    }
+
+    pub fn as_raw(&self) -> c_long {
+        self.0
+    }
+
+    pub fn error_string(&self) -> &'static str {
+        ffi::init();
+
+        unsafe {
+            let s = ffi::X509_verify_cert_error_string(self.0);
+            str::from_utf8(CStr::from_ptr(s).to_bytes()).unwrap()
+        }
+    }
+}
 
 /// A collection of OpenSSL `GENERAL_NAME`s.
 pub struct GeneralNames {

From 5ab037f056174b4d69024f58fe42cf0c41a34db6 Mon Sep 17 00:00:00 2001
From: Steven Fackler <sfackler@gmail.com>
Date: Tue, 18 Oct 2016 22:18:09 -0700
Subject: [PATCH 3/3] Allow the X509 verify error to be read from an SslRef

---
 openssl-sys/src/lib.rs  |  3 ++-
 openssl/src/ssl/mod.rs  |  9 ++++++++-
 openssl/src/x509/mod.rs | 35 ++++++++++++++++++-----------------
 3 files changed, 28 insertions(+), 19 deletions(-)

diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs
index 33abad21..4c8d63ca 100644
--- a/openssl-sys/src/lib.rs
+++ b/openssl-sys/src/lib.rs
@@ -647,7 +647,8 @@ extern {
     pub fn SSL_get_servername(ssl: *const SSL, name_type: c_int) -> *const c_char;
     pub fn SSL_get_current_cipher(ssl: *const SSL) -> *const SSL_CIPHER;
     #[cfg(not(ossl101))]
-    pub fn SSL_get0_param(ssl: *mut ::SSL) -> *mut X509_VERIFY_PARAM;
+    pub fn SSL_get0_param(ssl: *mut SSL) -> *mut X509_VERIFY_PARAM;
+    pub fn SSL_get_verify_result(ssl: *const SSL) -> c_long;
 
     #[cfg(not(osslconf = "OPENSSL_NO_COMP"))]
     pub fn SSL_COMP_get_name(comp: *const COMP_METHOD) -> *const c_char;
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index fafac45c..d7adb43f 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -21,7 +21,7 @@ use ffi;
 
 use {init, cvt, cvt_p};
 use dh::DH;
-use x509::{X509StoreContext, X509FileType, X509, X509Ref};
+use x509::{X509StoreContext, X509FileType, X509, X509Ref, X509VerifyError};
 #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
 use x509::verify::X509VerifyParamRef;
 use crypto::pkey::PKey;
@@ -1007,6 +1007,13 @@ impl<'a> SslRef<'a> {
             X509VerifyParamRef::from_ptr(ffi::SSL_get0_param(self.as_ptr()))
         }
     }
+
+    /// Returns the result of X509 certificate verification.
+    pub fn verify_result(&self) -> Option<X509VerifyError> {
+        unsafe {
+            X509VerifyError::from_raw(ffi::SSL_get_verify_result(self.0))
+        }
+    }
 }
 
 pub struct Ssl(SslRef<'static>);
diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index 50d75d63..7f891231 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -100,14 +100,9 @@ impl X509StoreContext {
         X509StoreContext { ctx: ctx }
     }
 
-    pub fn error(&self) -> Option<X509ValidationError> {
+    pub fn error(&self) -> Option<X509VerifyError> {
         unsafe {
-            let err = ffi::X509_STORE_CTX_get_error(self.ctx) as c_long;
-            if err == ffi::X509_V_OK as c_long {
-                None
-            } else {
-                Some(X509ValidationError::from_raw(err))
-            }
+            X509VerifyError::from_raw(ffi::X509_STORE_CTX_get_error(self.ctx) as c_long)
         }
     }
 
@@ -691,38 +686,44 @@ impl<'a> Iterator for ExtensionsIter<'a> {
     }
 }
 
-pub struct X509ValidationError(c_long);
+pub struct X509VerifyError(c_long);
 
-impl fmt::Debug for X509ValidationError {
+impl fmt::Debug for X509VerifyError {
     fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
-        fmt.debug_struct("X509ValidationError")
+        fmt.debug_struct("X509VerifyError")
             .field("code", &self.0)
             .field("error", &self.error_string())
             .finish()
     }
 }
 
-impl fmt::Display for X509ValidationError {
+impl fmt::Display for X509VerifyError {
     fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
         fmt.write_str(self.error_string())
     }
 }
 
-impl Error for X509ValidationError {
+impl Error for X509VerifyError {
     fn description(&self) -> &str {
         "an X509 validation error"
     }
 }
 
-impl X509ValidationError {
-    /// Creates an `X509ValidationError` from a raw error number.
+impl X509VerifyError {
+    /// Creates an `X509VerifyError` from a raw error number.
+    ///
+    /// `None` will be returned if `err` is `X509_V_OK`.
     ///
     /// # Safety
     ///
-    /// Some methods on `X509ValidationError` are not thread safe if the error
+    /// Some methods on `X509VerifyError` are not thread safe if the error
     /// number is invalid.
-    pub unsafe fn from_raw(err: c_long) -> X509ValidationError {
-        X509ValidationError(err)
+    pub unsafe fn from_raw(err: c_long) -> Option<X509VerifyError> {
+        if err == ffi::X509_V_OK as c_long {
+            None
+        } else {
+            Some(X509VerifyError(err))
+        }
     }
 
     pub fn as_raw(&self) -> c_long {