min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #582 from bluejekyll/master 

add set_verify_cert_store() to ssl ctx
This commit is contained in:
Steven Fackler 2017-02-16 21:26:26 -08:00 committed by GitHub
parent e18d000f32 88740c1374
commit 5122b92f56
3 changed files with 49 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
openssl-sys/src/lib.rs
View File

@ -1143,6 +1143,8 @@ pub const SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: c_int = 65;
pub const SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: c_int = 70;
pub const SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: c_int = 71;
pub const SSL_CTRL_GET_EXTRA_CHAIN_CERTS: c_int = 82;
#[cfg(not(any(ossl101, libressl)))]
pub const SSL_CTRL_SET_VERIFY_CERT_STORE: c_int = 106;
pub const SSL_MODE_ENABLE_PARTIAL_WRITE: c_long = 0x1;
pub const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER: c_long = 0x2;
@ -1349,6 +1351,11 @@ pub unsafe fn SSL_CTX_add_extra_chain_cert(ctx: *mut SSL_CTX, x509: *mut X509) -
SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, x509 as *mut c_void)
}
#[cfg(not(any(ossl101, libressl)))]
pub unsafe fn SSL_CTX_set0_verify_cert_store(ctx: *mut SSL_CTX, st: *mut X509_STORE) -> c_long {
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, st as *mut c_void)
}
pub unsafe fn SSL_CTX_set_tlsext_servername_callback(ctx: *mut SSL_CTX,
cb: Option<extern fn()>)
-> c_long {

17
openssl/src/ssl/mod.rs
View File

@ -99,6 +99,8 @@ use ec::EcKeyRef;
use ec::EcKey;
use x509::{X509StoreContextRef, X509FileType, X509, X509Ref, X509VerifyError, X509Name};
use x509::store::{X509StoreBuilderRef, X509StoreRef};
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
use x509::store::X509Store;
#[cfg(any(ossl102, ossl110))]
use verify::X509VerifyParamRef;
use pkey::PKeyRef;
@ -652,6 +654,21 @@ impl SslContextBuilder {
}
}
/// Sets a custom X509Store for verifying peer certificates.
///
/// Requires the `v102` feature and OpenSSL 1.0.2, or the `v110` feature and OpenSSL 1.1.0.
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
pub fn set_verify_cert_store(&mut self, cert_store: X509Store) -> Result<(), ErrorStack> {
unsafe {
// set0 will free, set1 increments, and then requires a free
let ptr = cert_store.as_ptr();
let result = try!(cvt(ffi::SSL_CTX_set0_verify_cert_store(self.as_ptr(), ptr) as c_int).map(|_|()));
mem::forget(cert_store);
Ok(result)
}
}
pub fn set_read_ahead(&mut self, read_ahead: bool) {
unsafe {
ffi::SSL_CTX_set_read_ahead(self.as_ptr(), read_ahead as c_long);

25
openssl/src/ssl/tests/mod.rs
View File

@ -173,9 +173,15 @@ macro_rules! run_test(
use ssl::SSL_VERIFY_PEER;
use hash::MessageDigest;
use x509::X509StoreContext;
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
use x509::X509;
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
use x509::store::X509StoreBuilder;
use hex::FromHex;
use foreign_types::ForeignTypeRef;
use super::Server;
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
use super::ROOT_CERT;
#[test]
fn sslv23() {
@ -221,6 +227,25 @@ run_test!(verify_trusted, |method, stream| {
}
});
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
run_test!(verify_trusted_with_set_cert, |method, stream| {
let x509 = X509::from_pem(ROOT_CERT).unwrap();
let mut store = X509StoreBuilder::new().unwrap();
store.add_cert(x509).unwrap();
let mut ctx = SslContext::builder(method).unwrap();
ctx.set_verify(SSL_VERIFY_PEER);
match ctx.set_verify_cert_store(store.build()) {
Ok(_) => {}
Err(err) => panic!("Unexpected error {:?}", err),
}
match Ssl::new(&ctx.build()).unwrap().connect(stream) {
Ok(_) => (),
Err(err) => panic!("Expected success, got {:?}", err),
}
});
run_test!(verify_untrusted_callback_override_ok, |method, stream| {
let mut ctx = SslContext::builder(method).unwrap();
ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| true);