From 129b6b9d847692810cebee52bd7f059f19ead0d2 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 26 Dec 2017 14:20:51 -0700 Subject: [PATCH 1/3] Overhaul verify error type Also set the error in the hostname verification callback for 1.0.1 --- openssl-sys/src/lib.rs | 273 ++++++++++++++++++----------------- openssl-sys/src/ossl10x.rs | 234 ++++++++++-------------------- openssl-sys/src/ossl110.rs | 10 +- openssl/examples/mk_certs.rs | 7 +- openssl/src/ssl/connector.rs | 51 +++---- openssl/src/ssl/error.rs | 6 +- openssl/src/ssl/mod.rs | 16 +- openssl/src/ssl/tests/mod.rs | 8 +- openssl/src/x509/mod.rs | 52 +++---- openssl/src/x509/tests.rs | 6 +- 10 files changed, 301 insertions(+), 362 deletions(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index e2f7c830..2040358a 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1,10 +1,10 @@ #![allow(non_camel_case_types, non_upper_case_globals, non_snake_case)] #![allow(dead_code, overflowing_literals)] -#![doc(html_root_url="https://docs.rs/openssl-sys/0.9")] +#![doc(html_root_url = "https://docs.rs/openssl-sys/0.9")] extern crate libc; -use libc::{c_void, c_int, c_char, c_ulong, c_long, c_uint, c_uchar, size_t, FILE}; +use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_void, size_t, FILE}; use std::ptr; use std::mem; @@ -65,33 +65,21 @@ pub enum BN_BLINDING {} pub enum DSA_METHOD {} pub enum EVP_PKEY_ASN1_METHOD {} -pub type bio_info_cb = Option< - unsafe extern "C" fn(*mut BIO, - c_int, - *const c_char, - c_int, - c_long, - c_long), ->; -pub type GEN_SESSION_CB = Option< - unsafe extern "C" fn(*const SSL, *mut c_uchar, *mut c_uint) - -> c_int, ->; -pub type tls_session_ticket_ext_cb_fn = Option< - unsafe extern "C" fn(*mut SSL, - *const c_uchar, - c_int, - *mut c_void) - -> c_int, ->; +pub type bio_info_cb = + Option; +pub type GEN_SESSION_CB = + Option c_int>; +pub type tls_session_ticket_ext_cb_fn = + Option c_int>; pub type tls_session_secret_cb_fn = Option< - unsafe extern "C" fn(*mut SSL, - *mut c_void, - *mut c_int, - *mut stack_st_SSL_CIPHER, - *mut *mut SSL_CIPHER, - *mut c_void) - -> c_int, + unsafe extern "C" fn( + *mut SSL, + *mut c_void, + *mut c_int, + *mut stack_st_SSL_CIPHER, + *mut *mut SSL_CIPHER, + *mut c_void, + ) -> c_int, >; #[repr(C)] @@ -167,31 +155,33 @@ pub type BN_ULONG = libc::c_ulonglong; #[cfg(target_pointer_width = "32")] pub type BN_ULONG = c_uint; -pub type CRYPTO_EX_new = unsafe extern "C" fn(parent: *mut c_void, - ptr: *mut c_void, - ad: *const CRYPTO_EX_DATA, - idx: c_int, - argl: c_long, - argp: *const c_void) - -> c_int; -pub type CRYPTO_EX_dup = unsafe extern "C" fn(to: *mut CRYPTO_EX_DATA, - from: *mut CRYPTO_EX_DATA, - from_d: *mut c_void, - idx: c_int, - argl: c_long, - argp: *mut c_void) - -> c_int; -pub type CRYPTO_EX_free = unsafe extern "C" fn(parent: *mut c_void, - ptr: *mut c_void, - ad: *mut CRYPTO_EX_DATA, - idx: c_int, - argl: c_long, - argp: *mut c_void); -pub type PasswordCallback = unsafe extern "C" fn(buf: *mut c_char, - size: c_int, - rwflag: c_int, - user_data: *mut c_void) - -> c_int; +pub type CRYPTO_EX_new = unsafe extern "C" fn( + parent: *mut c_void, + ptr: *mut c_void, + ad: *const CRYPTO_EX_DATA, + idx: c_int, + argl: c_long, + argp: *const c_void, +) -> c_int; +pub type CRYPTO_EX_dup = unsafe extern "C" fn( + to: *mut CRYPTO_EX_DATA, + from: *mut CRYPTO_EX_DATA, + from_d: *mut c_void, + idx: c_int, + argl: c_long, + argp: *mut c_void, +) -> c_int; +pub type CRYPTO_EX_free = unsafe extern "C" fn( + parent: *mut c_void, + ptr: *mut c_void, + ad: *mut CRYPTO_EX_DATA, + idx: c_int, + argl: c_long, + argp: *mut c_void, +); +pub type PasswordCallback = + unsafe extern "C" fn(buf: *mut c_char, size: c_int, rwflag: c_int, user_data: *mut c_void) + -> c_int; pub type SHA_LONG = c_uint; pub type SHA_LONG64 = u64; @@ -1265,9 +1255,9 @@ pub const SSL_OP_SAFARI_ECDHE_ECDSA_BUG: c_ulong = 0x00000040; #[cfg(not(any(libressl, ossl110f)))] pub const SSL_OP_ALL: c_ulong = 0x80000BFF; #[cfg(ossl110f)] -pub const SSL_OP_ALL: c_ulong = SSL_OP_CRYPTOPRO_TLSEXT_BUG | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS | - SSL_OP_LEGACY_SERVER_CONNECT | SSL_OP_TLSEXT_PADDING | - SSL_OP_SAFARI_ECDHE_ECDSA_BUG; +pub const SSL_OP_ALL: c_ulong = SSL_OP_CRYPTOPRO_TLSEXT_BUG | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + | SSL_OP_LEGACY_SERVER_CONNECT | SSL_OP_TLSEXT_PADDING + | SSL_OP_SAFARI_ECDHE_ECDSA_BUG; pub const SSL_OP_NO_QUERY_MTU: c_ulong = 0x00001000; pub const SSL_OP_COOKIE_EXCHANGE: c_ulong = 0x00002000; pub const SSL_OP_NO_TICKET: c_ulong = 0x00004000; @@ -1291,8 +1281,8 @@ pub const SSL_OP_NO_DTLSv1: c_ulong = 0x04000000; #[cfg(not(any(ossl101, libressl)))] pub const SSL_OP_NO_DTLSv1_2: c_ulong = 0x08000000; #[cfg(not(any(ossl101, libressl)))] -pub const SSL_OP_NO_SSL_MASK: c_ulong = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | - SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2; +pub const SSL_OP_NO_SSL_MASK: c_ulong = + SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2; pub const TLSEXT_NAMETYPE_host_name: c_int = 0; @@ -1313,60 +1303,82 @@ pub const V_ASN1_UTCTIME: c_int = 23; pub const X509_FILETYPE_ASN1: c_int = 2; pub const X509_FILETYPE_DEFAULT: c_int = 3; pub const X509_FILETYPE_PEM: c_int = 1; -pub const X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: c_int = 31; -pub const X509_V_ERR_AKID_SKID_MISMATCH: c_int = 30; -pub const X509_V_ERR_APPLICATION_VERIFICATION: c_int = 50; -pub const X509_V_ERR_CERT_CHAIN_TOO_LONG: c_int = 22; -pub const X509_V_ERR_CERT_HAS_EXPIRED: c_int = 10; -pub const X509_V_ERR_CERT_NOT_YET_VALID: c_int = 9; -pub const X509_V_ERR_CERT_REJECTED: c_int = 28; -pub const X509_V_ERR_CERT_REVOKED: c_int = 23; -pub const X509_V_ERR_CERT_SIGNATURE_FAILURE: c_int = 7; -pub const X509_V_ERR_CERT_UNTRUSTED: c_int = 27; -pub const X509_V_ERR_CRL_HAS_EXPIRED: c_int = 12; -pub const X509_V_ERR_CRL_NOT_YET_VALID: c_int = 11; -pub const X509_V_ERR_CRL_PATH_VALIDATION_ERROR: c_int = 54; -pub const X509_V_ERR_CRL_SIGNATURE_FAILURE: c_int = 8; -pub const X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: c_int = 18; -pub const X509_V_ERR_DIFFERENT_CRL_SCOPE: c_int = 44; -pub const X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: c_int = 14; -pub const X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: c_int = 13; -pub const X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: c_int = 15; -pub const X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: c_int = 16; -pub const X509_V_ERR_EXCLUDED_VIOLATION: c_int = 48; -pub const X509_V_ERR_INVALID_CA: c_int = 24; -pub const X509_V_ERR_INVALID_EXTENSION: c_int = 41; -pub const X509_V_ERR_INVALID_NON_CA: c_int = 37; -pub const X509_V_ERR_INVALID_POLICY_EXTENSION: c_int = 42; -pub const X509_V_ERR_INVALID_PURPOSE: c_int = 26; -pub const X509_V_ERR_KEYUSAGE_NO_CERTSIGN: c_int = 32; -pub const X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: c_int = 35; -pub const X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: c_int = 39; -pub const X509_V_ERR_NO_EXPLICIT_POLICY: c_int = 43; -pub const X509_V_ERR_OUT_OF_MEM: c_int = 17; -pub const X509_V_ERR_PATH_LENGTH_EXCEEDED: c_int = 25; -pub const X509_V_ERR_PERMITTED_VIOLATION: c_int = 47; -pub const X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: c_int = 40; -pub const X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: c_int = 38; -pub const X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: c_int = 19; -pub const X509_V_ERR_SUBJECT_ISSUER_MISMATCH: c_int = 29; -pub const X509_V_ERR_SUBTREE_MINMAX: c_int = 49; -pub const X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: c_int = 6; + +pub const X509_V_OK: c_int = 0; +pub const X509_V_ERR_UNSPECIFIED: c_int = 1; +pub const X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: c_int = 2; +pub const X509_V_ERR_UNABLE_TO_GET_CRL: c_int = 3; pub const X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: c_int = 4; pub const X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: c_int = 5; -pub const X509_V_ERR_UNABLE_TO_GET_CRL: c_int = 3; -pub const X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: c_int = 33; -pub const X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: c_int = 2; +pub const X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: c_int = 6; +pub const X509_V_ERR_CERT_SIGNATURE_FAILURE: c_int = 7; +pub const X509_V_ERR_CRL_SIGNATURE_FAILURE: c_int = 8; +pub const X509_V_ERR_CERT_NOT_YET_VALID: c_int = 9; +pub const X509_V_ERR_CERT_HAS_EXPIRED: c_int = 10; +pub const X509_V_ERR_CRL_NOT_YET_VALID: c_int = 11; +pub const X509_V_ERR_CRL_HAS_EXPIRED: c_int = 12; +pub const X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: c_int = 13; +pub const X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: c_int = 14; +pub const X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: c_int = 15; +pub const X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: c_int = 16; +pub const X509_V_ERR_OUT_OF_MEM: c_int = 17; +pub const X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: c_int = 18; +pub const X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: c_int = 19; pub const X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: c_int = 20; pub const X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: c_int = 21; -pub const X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: c_int = 36; +pub const X509_V_ERR_CERT_CHAIN_TOO_LONG: c_int = 22; +pub const X509_V_ERR_CERT_REVOKED: c_int = 23; +pub const X509_V_ERR_INVALID_CA: c_int = 24; +pub const X509_V_ERR_PATH_LENGTH_EXCEEDED: c_int = 25; +pub const X509_V_ERR_INVALID_PURPOSE: c_int = 26; +pub const X509_V_ERR_CERT_UNTRUSTED: c_int = 27; +pub const X509_V_ERR_CERT_REJECTED: c_int = 28; +pub const X509_V_ERR_SUBJECT_ISSUER_MISMATCH: c_int = 29; +pub const X509_V_ERR_AKID_SKID_MISMATCH: c_int = 30; +pub const X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: c_int = 31; +pub const X509_V_ERR_KEYUSAGE_NO_CERTSIGN: c_int = 32; +pub const X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: c_int = 33; pub const X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: c_int = 34; -pub const X509_V_ERR_UNNESTED_RESOURCE: c_int = 46; -pub const X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: c_int = 52; -pub const X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: c_int = 51; +pub const X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: c_int = 35; +pub const X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: c_int = 36; +pub const X509_V_ERR_INVALID_NON_CA: c_int = 37; +pub const X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: c_int = 38; +pub const X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: c_int = 39; +pub const X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: c_int = 40; +pub const X509_V_ERR_INVALID_EXTENSION: c_int = 41; +pub const X509_V_ERR_INVALID_POLICY_EXTENSION: c_int = 42; +pub const X509_V_ERR_NO_EXPLICIT_POLICY: c_int = 43; +pub const X509_V_ERR_DIFFERENT_CRL_SCOPE: c_int = 44; pub const X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: c_int = 45; +pub const X509_V_ERR_UNNESTED_RESOURCE: c_int = 46; +pub const X509_V_ERR_PERMITTED_VIOLATION: c_int = 47; +pub const X509_V_ERR_EXCLUDED_VIOLATION: c_int = 48; +pub const X509_V_ERR_SUBTREE_MINMAX: c_int = 49; +pub const X509_V_ERR_APPLICATION_VERIFICATION: c_int = 50; +pub const X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: c_int = 51; +pub const X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: c_int = 52; pub const X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: c_int = 53; -pub const X509_V_OK: c_int = 0; +pub const X509_V_ERR_CRL_PATH_VALIDATION_ERROR: c_int = 54; + +#[cfg(not(any(ossl101, libressl)))] +pub const X509_V_ERR_SUITE_B_INVALID_VERSION: c_int = 56; +#[cfg(not(any(ossl101, libressl)))] +pub const X509_V_ERR_SUITE_B_INVALID_ALGORITHM: c_int = 57; +#[cfg(not(any(ossl101, libressl)))] +pub const X509_V_ERR_SUITE_B_INVALID_CURVE: c_int = 58; +#[cfg(not(any(ossl101, libressl)))] +pub const X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM: c_int = 59; +#[cfg(not(any(ossl101, libressl)))] +pub const X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED: c_int = 60; +#[cfg(not(any(ossl101, libressl)))] +pub const X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256: c_int = 61; + +#[cfg(not(any(ossl101, libressl)))] +pub const X509_V_ERR_HOSTNAME_MISMATCH: c_int = 62; +#[cfg(not(any(ossl101, libressl)))] +pub const X509_V_ERR_EMAIL_MISMATCH: c_int = 63; +#[cfg(not(any(ossl101, libressl)))] +pub const X509_V_ERR_IP_ADDRESS_MISMATCH: c_int = 64; #[cfg(not(any(ossl101, libressl)))] pub const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT: c_uint = 0x1; @@ -2425,35 +2437,32 @@ extern "C" { pub fn SSL_CTX_set_next_protos_advertised_cb( ssl: *mut SSL_CTX, - cb: extern "C" fn(ssl: *mut SSL, - out: *mut *const c_uchar, - outlen: *mut c_uint, - arg: *mut c_void) - -> c_int, + cb: extern "C" fn( + ssl: *mut SSL, + out: *mut *const c_uchar, + outlen: *mut c_uint, + arg: *mut c_void, + ) -> c_int, arg: *mut c_void, ); pub fn SSL_CTX_set_next_proto_select_cb( ssl: *mut SSL_CTX, - cb: extern "C" fn(ssl: *mut SSL, - out: *mut *mut c_uchar, - outlen: *mut c_uchar, - inbuf: *const c_uchar, - inlen: c_uint, - arg: *mut c_void) - -> c_int, + cb: extern "C" fn( + ssl: *mut SSL, + out: *mut *mut c_uchar, + outlen: *mut c_uchar, + inbuf: *const c_uchar, + inlen: c_uint, + arg: *mut c_void, + ) -> c_int, arg: *mut c_void, ); #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] pub fn SSL_CTX_set_psk_client_callback( ssl: *mut SSL_CTX, psk_client_cb: Option< - extern "C" fn(*mut SSL, - *const c_char, - *mut c_char, - c_uint, - *mut c_uchar, - c_uint) - -> c_uint, + extern "C" fn(*mut SSL, *const c_char, *mut c_char, c_uint, *mut c_uchar, c_uint) + -> c_uint, >, ); pub fn SSL_select_next_proto( @@ -2488,13 +2497,14 @@ extern "C" { #[cfg(not(ossl101))] pub fn SSL_CTX_set_alpn_select_cb( ssl: *mut SSL_CTX, - cb: extern "C" fn(ssl: *mut SSL, - out: *mut *const c_uchar, - outlen: *mut c_uchar, - inbuf: *const c_uchar, - inlen: c_uint, - arg: *mut c_void) - -> c_int, + cb: extern "C" fn( + ssl: *mut SSL, + out: *mut *const c_uchar, + outlen: *mut c_uchar, + inbuf: *const c_uchar, + inlen: c_uint, + arg: *mut c_void, + ) -> c_int, arg: *mut c_void, ); #[cfg(not(ossl101))] @@ -2556,6 +2566,7 @@ extern "C" { pub fn X509_STORE_CTX_free(ctx: *mut X509_STORE_CTX); pub fn X509_STORE_CTX_get_current_cert(ctx: *mut X509_STORE_CTX) -> *mut X509; pub fn X509_STORE_CTX_get_error(ctx: *mut X509_STORE_CTX) -> c_int; + pub fn X509_STORE_CTX_set_error(ctx: *mut X509_STORE_CTX, error: c_int); pub fn X509_STORE_CTX_get_ex_data(ctx: *mut X509_STORE_CTX, idx: c_int) -> *mut c_void; pub fn X509_STORE_CTX_get_error_depth(ctx: *mut X509_STORE_CTX) -> c_int; diff --git a/openssl-sys/src/ossl10x.rs b/openssl-sys/src/ossl10x.rs index b5adb828..8bf5e35b 100644 --- a/openssl-sys/src/ossl10x.rs +++ b/openssl-sys/src/ossl10x.rs @@ -5,7 +5,7 @@ use std::ptr; use std::process; use std::io::{self, Write}; -use libc::{c_int, c_char, c_void, c_long, c_uchar, size_t, c_uint, c_ulong}; +use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_void, size_t}; #[cfg(not(ossl101))] use libc::time_t; @@ -144,13 +144,7 @@ pub struct EVP_PKEY { pub struct BIO { pub method: *mut ::BIO_METHOD, pub callback: Option< - unsafe extern "C" fn(*mut ::BIO, - c_int, - *const c_char, - c_int, - c_long, - c_long) - -> c_long, + unsafe extern "C" fn(*mut ::BIO, c_int, *const c_char, c_int, c_long, c_long) -> c_long, >, pub cb_arg: *mut c_char, pub init: c_int, @@ -191,18 +185,10 @@ pub struct EVP_CIPHER { pub iv_len: c_int, pub flags: c_ulong, pub init: Option< - unsafe extern "C" fn(*mut ::EVP_CIPHER_CTX, - *const c_uchar, - *const c_uchar, - c_int) - -> c_int, + unsafe extern "C" fn(*mut ::EVP_CIPHER_CTX, *const c_uchar, *const c_uchar, c_int) -> c_int, >, pub do_cipher: Option< - unsafe extern "C" fn(*mut ::EVP_CIPHER_CTX, - *mut c_uchar, - *const c_uchar, - size_t) - -> c_int, + unsafe extern "C" fn(*mut ::EVP_CIPHER_CTX, *mut c_uchar, *const c_uchar, size_t) -> c_int, >, pub cleanup: Option c_int>, pub ctx_size: c_int, @@ -277,12 +263,9 @@ pub struct X509 { crldp: *mut c_void, altname: *mut c_void, nc: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_RFC3779"))] - rfc3779_addr: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_RFC3779"))] - rfc3779_asid: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_SHA"))] - sha1_hash: [c_uchar; 20], + #[cfg(not(osslconf = "OPENSSL_NO_RFC3779"))] rfc3779_addr: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_RFC3779"))] rfc3779_asid: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_SHA"))] sha1_hash: [c_uchar; 20], aux: *mut c_void, } @@ -365,13 +348,7 @@ pub struct SSL { d1: *mut c_void, read_ahead: c_int, msg_callback: Option< - unsafe extern "C" fn(c_int, - c_int, - c_int, - *const c_void, - size_t, - *mut SSL, - *mut c_void), + unsafe extern "C" fn(c_int, c_int, c_int, *const c_void, size_t, *mut SSL, *mut c_void), >, msg_callback_arg: *mut c_void, hit: c_int, @@ -395,17 +372,11 @@ pub struct SSL { info_callback: Option, error: c_int, error_code: c_int, - #[cfg(not(osslconf = "OPENSSL_NO_KRB5"))] - kssl_ctx: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_KRB5"))] kssl_ctx: *mut c_void, #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] psk_client_callback: Option< - unsafe extern "C" fn(*mut SSL, - *const c_char, - *mut c_char, - c_uint, - *mut c_uchar, - c_uint) - -> c_uint, + unsafe extern "C" fn(*mut SSL, *const c_char, *mut c_char, c_uint, *mut c_uchar, c_uint) + -> c_uint, >, #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] psk_server_callback: @@ -425,26 +396,16 @@ pub struct SSL { #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_debug_cb: Option, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_debug_arg: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_hostname: *mut c_char, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - servername_done: c_int, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_status_type: c_int, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_status_expected: c_int, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_ocsp_ids: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_ocsp_exts: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_ocsp_resp: *mut c_uchar, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_ocsp_resplen: c_int, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_ticket_expected: c_int, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_debug_arg: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_hostname: *mut c_char, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] servername_done: c_int, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_status_type: c_int, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_status_expected: c_int, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_ocsp_ids: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_ocsp_exts: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_ocsp_resp: *mut c_uchar, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_ocsp_resplen: c_int, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_ticket_expected: c_int, #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_EC")))] tlsext_ecpointformatlist_length: size_t, #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_EC")))] @@ -453,43 +414,28 @@ pub struct SSL { tlsext_ellipticcurvelist_length: size_t, #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_EC")))] tlsext_ellipticcurvelist: *mut c_uchar, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_opaque_prf_input: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_opaque_prf_input_len: size_t, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_session_ticket: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_opaque_prf_input: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_opaque_prf_input_len: size_t, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_session_ticket: *mut c_void, #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_session_ticket_ext_cb: ::tls_session_ticket_ext_cb_fn, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tls_session_ticket_ext_cb_arg: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tls_session_secret_cb: ::tls_session_secret_cb_fn, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tls_session_secret_cb_arg: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - initial_ctx: *mut ::SSL_CTX, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tls_session_ticket_ext_cb_arg: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tls_session_secret_cb: ::tls_session_secret_cb_fn, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tls_session_secret_cb_arg: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] initial_ctx: *mut ::SSL_CTX, #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_NEXTPROTONEG")))] next_proto_negotiated: *mut c_uchar, #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_NEXTPROTONEG")))] next_proto_negotiated_len: c_uchar, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - srtp_profiles: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - srtp_profile: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_heartbeat: c_uint, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_hb_pending: c_uint, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_hb_seq: c_uint, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] srtp_profiles: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] srtp_profile: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_heartbeat: c_uint, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_hb_pending: c_uint, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_hb_seq: c_uint, renegotiate: c_int, - #[cfg(not(osslconf = "OPENSSL_NO_SRP"))] - srp_ctx: ::SRP_CTX, - #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] - alpn_client_proto_list: *mut c_uchar, - #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] - alpn_client_proto_list_len: c_uint, + #[cfg(not(osslconf = "OPENSSL_NO_SRP"))] srp_ctx: ::SRP_CTX, + #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] alpn_client_proto_list: *mut c_uchar, + #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] alpn_client_proto_list_len: c_uint, } #[repr(C)] @@ -540,46 +486,28 @@ pub struct SSL_CTX { quiet_shutdown: c_int, max_send_fragment: c_uint, - #[cfg(not(osslconf = "OPENSSL_NO_ENGINE"))] - client_cert_engine: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_ENGINE"))] client_cert_engine: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_servername_callback: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsect_servername_arg: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_tick_key_name: [c_uchar; 16], - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_tick_hmac_key: [c_uchar; 16], - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_tick_aes_key: [c_uchar; 16], - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_ticket_key_cb: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_status_cb: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_status_arg: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_opaque_prf_input_callback: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_opaque_prf_input_callback_arg: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_servername_callback: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsect_servername_arg: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_tick_key_name: [c_uchar; 16], + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_tick_hmac_key: [c_uchar; 16], + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_tick_aes_key: [c_uchar; 16], + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_ticket_key_cb: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_status_cb: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_status_arg: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_opaque_prf_input_callback: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_opaque_prf_input_callback_arg: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] - psk_identity_hint: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] - psk_client_callback: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] - psk_server_callback: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] psk_identity_hint: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] psk_client_callback: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] psk_server_callback: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_BUF_FREELISTS"))] - freelist_max_len: c_uint, - #[cfg(not(osslconf = "OPENSSL_NO_BUF_FREELISTS"))] - wbuf_freelist: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_BUF_FREELISTS"))] - rbuf_freelist: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_BUF_FREELISTS"))] freelist_max_len: c_uint, + #[cfg(not(osslconf = "OPENSSL_NO_BUF_FREELISTS"))] wbuf_freelist: *mut c_void, + #[cfg(not(osslconf = "OPENSSL_NO_BUF_FREELISTS"))] rbuf_freelist: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_SRP"))] - srp_ctx: SRP_CTX, + #[cfg(not(osslconf = "OPENSSL_NO_SRP"))] srp_ctx: SRP_CTX, #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_NEXTPROTONEG")))] next_protos_advertised_cb: *mut c_void, @@ -590,19 +518,13 @@ pub struct SSL_CTX { #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_NEXTPROTONEG")))] next_proto_select_cb_arg: *mut c_void, - #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl101))] - srtp_profiles: *mut c_void, + #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl101))] srtp_profiles: *mut c_void, - #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] - srtp_profiles: *mut c_void, - #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] - alpn_select_cb: *mut c_void, - #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] - alpn_select_cb_arg: *mut c_void, - #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] - alpn_client_proto_list: *mut c_void, - #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] - alpn_client_proto_list_len: c_uint, + #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] srtp_profiles: *mut c_void, + #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] alpn_select_cb: *mut c_void, + #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] alpn_select_cb_arg: *mut c_void, + #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] alpn_client_proto_list: *mut c_void, + #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] alpn_client_proto_list_len: c_uint, #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_EC"), ossl102))] tlsext_ecpointformatlist_length: size_t, @@ -625,14 +547,11 @@ pub struct SSL_SESSION { session_id: [c_uchar; SSL_MAX_SSL_SESSION_ID_LENGTH as usize], sid_ctx_length: c_uint, sid_ctx: [c_uchar; SSL_MAX_SID_CTX_LENGTH as usize], - #[cfg(not(osslconf = "OPENSSL_NO_KRB5"))] - krb5_client_princ_len: c_uint, + #[cfg(not(osslconf = "OPENSSL_NO_KRB5"))] krb5_client_princ_len: c_uint, #[cfg(not(osslconf = "OPENSSL_NO_KRB5"))] krb5_client_princ: [c_uchar; SSL_MAX_KRB5_PRINCIPAL_LENGTH as usize], - #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] - psk_identity_hint: *mut c_char, - #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] - psk_identity: *mut c_char, + #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] psk_identity_hint: *mut c_char, + #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] psk_identity: *mut c_char, not_resumable: c_int, sess_cert: *mut c_void, peer: *mut X509, @@ -647,8 +566,7 @@ pub struct SSL_SESSION { ex_data: ::CRYPTO_EX_DATA, prev: *mut c_void, next: *mut c_void, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_hostname: *mut c_char, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_hostname: *mut c_char, #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_EC")))] tlsext_ecpointformatlist_length: size_t, #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_EC")))] @@ -657,14 +575,10 @@ pub struct SSL_SESSION { tlsext_ellipticcurvelist_length: size_t, #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_EC")))] tlsext_ellipticcurvelist: *mut c_uchar, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_tick: *mut c_uchar, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_ticklen: size_t, - #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] - tlsext_tick_lifetime_hint: c_long, - #[cfg(not(osslconf = "OPENSSL_NO_SRP"))] - srp_username: *mut c_char, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_tick: *mut c_uchar, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_ticklen: size_t, + #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_tick_lifetime_hint: c_long, + #[cfg(not(osslconf = "OPENSSL_NO_SRP"))] srp_username: *mut c_char, } #[repr(C)] @@ -738,9 +652,13 @@ pub const CRYPTO_LOCK_X509: c_int = 3; pub const CRYPTO_LOCK_SSL_CTX: c_int = 12; pub const CRYPTO_LOCK_SSL_SESSION: c_int = 14; +pub const X509_V_ERR_INVALID_CALL: c_int = 65; +pub const X509_V_ERR_STORE_LOOKUP: c_int = 66; +pub const X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION: c_int = 67; + static mut MUTEXES: *mut Vec> = 0 as *mut Vec>; -static mut GUARDS: *mut Vec>> = 0 as - *mut Vec>>; +static mut GUARDS: *mut Vec>> = + 0 as *mut Vec>>; unsafe extern "C" fn locking_function(mode: c_int, n: c_int, _file: *const c_char, _line: c_int) { let mutex = &(*MUTEXES)[n as usize]; @@ -896,7 +814,7 @@ extern "C" { pub fn SSL_set_tmp_ecdh_callback( ssl: *mut ::SSL, ecdh: unsafe extern "C" fn(ssl: *mut ::SSL, is_export: c_int, keylength: c_int) - -> *mut ::EC_KEY, + -> *mut ::EC_KEY, ); pub fn SSL_CIPHER_get_version(cipher: *const ::SSL_CIPHER) -> *mut c_char; pub fn SSL_CTX_get_ex_new_index( @@ -909,7 +827,7 @@ extern "C" { pub fn SSL_CTX_set_tmp_ecdh_callback( ctx: *mut ::SSL_CTX, ecdh: unsafe extern "C" fn(ssl: *mut ::SSL, is_export: c_int, keylength: c_int) - -> *mut ::EC_KEY, + -> *mut ::EC_KEY, ); pub fn X509_get_subject_name(x: *mut ::X509) -> *mut ::X509_NAME; pub fn X509_set_notAfter(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int; diff --git a/openssl-sys/src/ossl110.rs b/openssl-sys/src/ossl110.rs index fabfb2b6..8b862443 100644 --- a/openssl-sys/src/ossl110.rs +++ b/openssl-sys/src/ossl110.rs @@ -1,4 +1,4 @@ -use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long, c_uint, size_t}; +use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_void, size_t}; use std::sync::{Once, ONCE_INIT}; use std::ptr; @@ -55,6 +55,14 @@ pub const CRYPTO_EX_INDEX_SSL_CTX: c_int = 1; pub const OPENSSL_INIT_LOAD_SSL_STRINGS: u64 = 0x00200000; +pub const X509_V_ERR_DANE_NO_MATCH: c_int = 65; +pub const X509_V_ERR_EE_KEY_TOO_SMALL: c_int = 66; +pub const X509_V_ERR_CA_KEY_TOO_SMALL: c_int = 67; +pub const X509_V_ERR_CA_MD_TOO_WEAK: c_int = 68; +pub const X509_V_ERR_INVALID_CALL: c_int = 69; +pub const X509_V_ERR_STORE_LOOKUP: c_int = 70; +pub const X509_V_ERR_NO_VALID_SCTS: c_int = 71; + pub const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT: c_uint = 0x20; pub fn init() { diff --git a/openssl/examples/mk_certs.rs b/openssl/examples/mk_certs.rs index 1dcdef25..c4edba75 100644 --- a/openssl/examples/mk_certs.rs +++ b/openssl/examples/mk_certs.rs @@ -9,8 +9,7 @@ use openssl::error::ErrorStack; use openssl::hash::MessageDigest; use openssl::pkey::{PKey, PKeyRef}; use openssl::rsa::Rsa; -use openssl::x509::{X509, X509Ref}; -use openssl::x509::{X509NameBuilder, X509Req, X509ReqBuilder}; +use openssl::x509::{X509, X509NameBuilder, X509Ref, X509Req, X509ReqBuilder, X509VerifyResult}; use openssl::x509::extension::{AuthorityKeyIdentifier, BasicConstraints, KeyUsage, SubjectAlternativeName, SubjectKeyIdentifier}; @@ -137,8 +136,8 @@ fn real_main() -> Result<(), ErrorStack> { // Verify that this cert was issued by this ca match ca_cert.issued(&cert) { - Err(ver_err) => println!("Failed to verify certificate: {}", ver_err), - Ok(()) => println!("Certificate verified!"), + X509VerifyResult::OK => println!("Certificate verified!"), + ver_err => println!("Failed to verify certificate: {}", ver_err), }; Ok(()) diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 6b2d9864..0c5d0df0 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -7,11 +7,6 @@ use ssl::{HandshakeError, Ssl, SslContext, SslContextBuilder, SslMethod, SslMode SslRef, SslStream, SslVerifyMode}; use version; -#[cfg(ossl101)] -lazy_static! { - static ref HOSTNAME_IDX: ::ex_data::Index = Ssl::new_ex_index().unwrap(); -} - // ffdhe2048 from https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe2048 const DHPARAM_PEM: &'static str = " -----BEGIN DH PARAMETERS----- @@ -297,16 +292,7 @@ fn setup_verify(ctx: &mut SslContextBuilder) { #[cfg(ossl101)] fn setup_verify(ctx: &mut SslContextBuilder) { - ctx.set_verify_callback(SslVerifyMode::PEER, |p, x509| { - let hostname = match x509.ssl() { - Ok(Some(ssl)) => ssl.ex_data(*HOSTNAME_IDX), - _ => None, - }; - match hostname { - Some(hostname) => verify::verify_callback(hostname, p, x509), - None => p, - } - }); + ctx.set_verify_callback(SslVerifyMode::PEER, verify::verify_callback); } #[cfg(any(ossl102, ossl110))] @@ -322,7 +308,7 @@ fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> #[cfg(ossl101)] fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { let domain = domain.to_string(); - ssl.set_ex_data(*HOSTNAME_IDX, domain); + ssl.set_ex_data(*verify::HOSTNAME_IDX, domain); Ok(()) } @@ -331,23 +317,38 @@ mod verify { use std::net::IpAddr; use std::str; + use ex_data::Index; use nid::Nid; - use x509::{GeneralName, X509NameRef, X509Ref, X509StoreContextRef}; + use x509::{GeneralName, X509NameRef, X509Ref, X509StoreContextRef, X509VerifyResult}; use stack::Stack; + use ssl::Ssl; - pub fn verify_callback( - domain: &str, - preverify_ok: bool, - x509_ctx: &X509StoreContextRef, - ) -> bool { + lazy_static! { + pub static ref HOSTNAME_IDX: Index = Ssl::new_ex_index().unwrap(); + } + + pub fn verify_callback(preverify_ok: bool, x509_ctx: &mut X509StoreContextRef) -> bool { if !preverify_ok || x509_ctx.error_depth() != 0 { return preverify_ok; } - match x509_ctx.current_cert() { - Some(x509) => verify_hostname(domain, &x509), - None => true, + let ok = match ( + x509_ctx.current_cert(), + x509_ctx + .ssl() + .ok() + .and_then(|s| s) + .and_then(|s| s.ex_data(*HOSTNAME_IDX)), + ) { + (Some(x509), Some(domain)) => verify_hostname(domain, &x509), + _ => true, + }; + + if !ok { + x509_ctx.set_error(X509VerifyResult::APPLICATION_VERIFICATION); } + + ok } fn verify_hostname(domain: &str, cert: &X509Ref) -> bool { diff --git a/openssl/src/ssl/error.rs b/openssl/src/ssl/error.rs index 64941f18..b0641dfd 100644 --- a/openssl/src/ssl/error.rs +++ b/openssl/src/ssl/error.rs @@ -5,6 +5,7 @@ use std::io; use error::ErrorStack; use ssl::MidHandshakeSslStream; +use x509::X509VerifyResult; /// An SSL error. // FIXME this is missing variants @@ -130,8 +131,9 @@ impl fmt::Display for HandshakeError { HandshakeError::SetupFailure(ref e) => write!(f, ": {}", e)?, HandshakeError::Failure(ref s) | HandshakeError::WouldBlock(ref s) => { write!(f, ": {}", s.error())?; - if let Some(err) = s.ssl().verify_result() { - write!(f, ": {}", err)?; + let verify = s.ssl().verify_result(); + if verify != X509VerifyResult::OK { + write!(f, ": {}", verify)?; } } } diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 0748140d..c0ed5572 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -86,7 +86,7 @@ use dh::{Dh, DhRef}; use ec::EcKeyRef; #[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))] use ec::EcKey; -use x509::{X509, X509Filetype, X509Name, X509Ref, X509StoreContextRef, X509VerifyError}; +use x509::{X509, X509Filetype, X509Name, X509Ref, X509StoreContextRef, X509VerifyResult}; use x509::store::{X509StoreBuilderRef, X509StoreRef}; #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] use x509::store::X509Store; @@ -1441,12 +1441,10 @@ impl Ssl { impl fmt::Debug for SslRef { fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result { - let mut builder = fmt.debug_struct("Ssl"); - builder.field("state", &self.state_string_long()); - if let Some(err) = self.verify_result() { - builder.field("verify_result", &err); - } - builder.finish() + fmt.debug_struct("Ssl") + .field("state", &self.state_string_long()) + .field("verify_result", &self.verify_result()) + .finish() } } @@ -1870,8 +1868,8 @@ impl SslRef { /// This corresponds to [`SSL_get_verify_result`]. /// /// [`SSL_get_verify_result`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_get_verify_result.html - pub fn verify_result(&self) -> Option { - unsafe { X509VerifyError::from_raw(ffi::SSL_get_verify_result(self.as_ptr())) } + pub fn verify_result(&self) -> X509VerifyResult { + unsafe { X509VerifyResult::from_raw(ffi::SSL_get_verify_result(self.as_ptr()) as c_int) } } /// Returns a shared reference to the SSL session. diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index a5594254..c618a704 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -20,7 +20,7 @@ use ocsp::{OcspResponse, OcspResponseStatus}; use ssl; use ssl::{Error, HandshakeError, ShutdownResult, Ssl, SslAcceptor, SslConnector, SslContext, SslMethod, SslStream, SslVerifyMode, StatusType}; -use x509::{X509, X509Filetype, X509Name, X509StoreContext}; +use x509::{X509, X509Filetype, X509Name, X509StoreContext, X509VerifyResult}; #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] use x509::verify::X509CheckFlags; use pkey::PKey; @@ -133,7 +133,7 @@ macro_rules! run_test( use ssl::SslMethod; use ssl::{SslContext, Ssl, SslStream, SslVerifyMode, SslOptions}; use hash::MessageDigest; - use x509::X509StoreContext; + use x509::{X509StoreContext, X509VerifyResult}; #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] use x509::X509; #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] @@ -255,7 +255,7 @@ run_test!(verify_callback_load_certs, |method, stream| { run_test!(verify_trusted_get_error_ok, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| { - assert!(x509_ctx.error().is_none()); + assert!(x509_ctx.error() == X509VerifyResult::OK); true }); @@ -269,7 +269,7 @@ run_test!(verify_trusted_get_error_ok, |method, stream| { run_test!(verify_trusted_get_error_err, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| { - assert!(x509_ctx.error().is_some()); + assert_ne!(x509_ctx.error(), X509VerifyResult::OK); false }); diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 71c0c83a..70d82c61 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -60,8 +60,14 @@ foreign_type_and_impl_send_sync! { } impl X509StoreContextRef { - pub fn error(&self) -> Option { - unsafe { X509VerifyError::from_raw(ffi::X509_STORE_CTX_get_error(self.as_ptr()) as c_long) } + pub fn error(&self) -> X509VerifyResult { + unsafe { X509VerifyResult::from_raw(ffi::X509_STORE_CTX_get_error(self.as_ptr())) } + } + + pub fn set_error(&mut self, result: X509VerifyResult) { + unsafe { + ffi::X509_STORE_CTX_set_error(self.as_ptr(), result.as_raw()); + } } pub fn current_cert(&self) -> Option<&X509Ref> { @@ -343,13 +349,10 @@ impl X509Ref { } /// Checks that this certificate issued `subject`. - pub fn issued(&self, subject: &X509Ref) -> Result<(), X509VerifyError> { + pub fn issued(&self, subject: &X509Ref) -> X509VerifyResult { unsafe { let r = ffi::X509_check_issued(self.as_ptr(), subject.as_ptr()); - match X509VerifyError::from_raw(r as c_long) { - Some(e) => Err(e), - None => Ok(()), - } + X509VerifyResult::from_raw(r) } } @@ -746,47 +749,42 @@ impl X509ReqRef { } } -pub struct X509VerifyError(c_long); +#[derive(Copy, Clone, PartialEq, Eq)] +pub struct X509VerifyResult(c_int); -impl fmt::Debug for X509VerifyError { +impl fmt::Debug for X509VerifyResult { fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result { - fmt.debug_struct("X509VerifyError") + fmt.debug_struct("X509VerifyResult") .field("code", &self.0) .field("error", &self.error_string()) .finish() } } -impl fmt::Display for X509VerifyError { +impl fmt::Display for X509VerifyResult { fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result { fmt.write_str(self.error_string()) } } -impl Error for X509VerifyError { +impl Error for X509VerifyResult { fn description(&self) -> &str { "an X509 validation error" } } -impl X509VerifyError { - /// Creates an `X509VerifyError` from a raw error number. - /// - /// `None` will be returned if `err` is `X509_V_OK`. +impl X509VerifyResult { + /// Creates an `X509VerifyResult` from a raw error number. /// /// # Safety /// - /// Some methods on `X509VerifyError` are not thread safe if the error + /// Some methods on `X509VerifyResult` are not thread safe if the error /// number is invalid. - pub unsafe fn from_raw(err: c_long) -> Option { - if err == ffi::X509_V_OK as c_long { - None - } else { - Some(X509VerifyError(err)) - } + pub unsafe fn from_raw(err: c_int) -> X509VerifyResult { + X509VerifyResult(err) } - pub fn as_raw(&self) -> c_long { + pub fn as_raw(&self) -> c_int { self.0 } @@ -794,10 +792,14 @@ impl X509VerifyError { ffi::init(); unsafe { - let s = ffi::X509_verify_cert_error_string(self.0); + let s = ffi::X509_verify_cert_error_string(self.0 as c_long); str::from_utf8(CStr::from_ptr(s).to_bytes()).unwrap() } } + + pub const OK: X509VerifyResult = X509VerifyResult(ffi::X509_V_OK); + pub const APPLICATION_VERIFICATION: X509VerifyResult = + X509VerifyResult(ffi::X509_V_ERR_APPLICATION_VERIFICATION); } foreign_type_and_impl_send_sync! { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index a86aa30a..366b91e7 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -7,7 +7,7 @@ use nid::Nid; use pkey::PKey; use rsa::Rsa; use stack::Stack; -use x509::{X509, X509Name, X509Req}; +use x509::{X509, X509Name, X509Req, X509VerifyResult}; use x509::extension::{AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, KeyUsage, SubjectAlternativeName, SubjectKeyIdentifier}; @@ -253,8 +253,8 @@ fn issued() { let ca = include_bytes!("../../test/root-ca.pem"); let ca = X509::from_pem(ca).unwrap(); - ca.issued(&cert).unwrap(); - cert.issued(&cert).err().unwrap(); + assert_eq!(ca.issued(&cert), X509VerifyResult::OK); + assert_ne!(cert.issued(&cert), X509VerifyResult::OK); } #[test] From f9866cd44f69cda8fecf427bd5bd0c63a4e9b0cf Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 26 Dec 2017 14:53:35 -0700 Subject: [PATCH 2/3] Split X509StoreContextRef::ssl up --- openssl/src/ssl/connector.rs | 10 +++++----- openssl/src/x509/mod.rs | 37 +++++++++++++++++++++--------------- 2 files changed, 27 insertions(+), 20 deletions(-) diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 0c5d0df0..fb9a42e8 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -319,7 +319,8 @@ mod verify { use ex_data::Index; use nid::Nid; - use x509::{GeneralName, X509NameRef, X509Ref, X509StoreContextRef, X509VerifyResult}; + use x509::{GeneralName, X509NameRef, X509Ref, X509StoreContext, X509StoreContextRef, + X509VerifyResult}; use stack::Stack; use ssl::Ssl; @@ -334,11 +335,10 @@ mod verify { let ok = match ( x509_ctx.current_cert(), - x509_ctx - .ssl() + X509StoreContext::ssl_idx() .ok() - .and_then(|s| s) - .and_then(|s| s.ex_data(*HOSTNAME_IDX)), + .and_then(|idx| x509_ctx.ex_data(idx)) + .and_then(|ssl| ssl.ex_data(*HOSTNAME_IDX)), ) { (Some(x509), Some(domain)) => verify_hostname(domain, &x509), _ => true, diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 70d82c61..d1297a69 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -16,6 +16,7 @@ use asn1::{Asn1BitStringRef, Asn1IntegerRef, Asn1ObjectRef, Asn1StringRef, Asn1T use bio::MemBioSlice; use conf::ConfRef; use error::ErrorStack; +use ex_data::Index; use hash::MessageDigest; use nid::Nid; use pkey::{PKey, PKeyRef}; @@ -59,7 +60,26 @@ foreign_type_and_impl_send_sync! { pub struct X509StoreContextRef; } +impl X509StoreContext { + /// Returns the index which can be used to obtain a reference to the `Ssl` associated with a + /// context. + pub fn ssl_idx() -> Result, ErrorStack> { + unsafe { cvt_n(ffi::SSL_get_ex_data_X509_STORE_CTX_idx()).map(|idx| Index::from_raw(idx)) } + } +} + impl X509StoreContextRef { + pub fn ex_data(&self, index: Index) -> Option<&T> { + unsafe { + let data = ffi::X509_STORE_CTX_get_ex_data(self.as_ptr(), index.as_raw()); + if data.is_null() { + None + } else { + Some(&*(data as *const T)) + } + } + } + pub fn error(&self) -> X509VerifyResult { unsafe { X509VerifyResult::from_raw(ffi::X509_STORE_CTX_get_error(self.as_ptr())) } } @@ -90,22 +110,9 @@ impl X509StoreContextRef { let chain = X509_STORE_CTX_get_chain(self.as_ptr()); if chain.is_null() { - return None; - } - - Some(StackRef::from_ptr(chain)) - } - } - - /// Returns a reference to the `Ssl` associated with this context. - pub fn ssl(&self) -> Result, ErrorStack> { - unsafe { - let idx = cvt_n(ffi::SSL_get_ex_data_X509_STORE_CTX_idx())?; - let ssl = ffi::X509_STORE_CTX_get_ex_data(self.as_ptr(), idx); - if ssl.is_null() { - Ok(None) + None } else { - Ok(Some(SslRef::from_ptr(ssl as *mut ffi::SSL))) + Some(StackRef::from_ptr(chain)) } } } From 1166a6c3bf2185c83a19399cf69f7500e781d5c6 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 26 Dec 2017 14:54:45 -0700 Subject: [PATCH 3/3] Flag off constant --- openssl-sys/src/lib.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 2040358a..eafda590 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1305,6 +1305,7 @@ pub const X509_FILETYPE_DEFAULT: c_int = 3; pub const X509_FILETYPE_PEM: c_int = 1; pub const X509_V_OK: c_int = 0; +#[cfg(not(libressl))] pub const X509_V_ERR_UNSPECIFIED: c_int = 1; pub const X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: c_int = 2; pub const X509_V_ERR_UNABLE_TO_GET_CRL: c_int = 3;