Merge pull request #801 from sfackler/verify-error

Overhaul verify error type

openssl-sys/src/lib.rs

@@ -1,10 +1,10 @@
 #![allow(non_camel_case_types, non_upper_case_globals, non_snake_case)]
 #![allow(dead_code, overflowing_literals)]
-#![doc(html_root_url="https://docs.rs/openssl-sys/0.9")]
+#![doc(html_root_url = "https://docs.rs/openssl-sys/0.9")]
 
 extern crate libc;
 
-use libc::{c_void, c_int, c_char, c_ulong, c_long, c_uint, c_uchar, size_t, FILE};
+use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_void, size_t, FILE};
 use std::ptr;
 use std::mem;
 
@@ -65,33 +65,21 @@ pub enum BN_BLINDING {}
 pub enum DSA_METHOD {}
 pub enum EVP_PKEY_ASN1_METHOD {}
 
-pub type bio_info_cb = Option<
+pub type bio_info_cb =
-    unsafe extern "C" fn(*mut BIO,
+    Option<unsafe extern "C" fn(*mut BIO, c_int, *const c_char, c_int, c_long, c_long)>;
-                         c_int,
+pub type GEN_SESSION_CB =
-                         *const c_char,
+    Option<unsafe extern "C" fn(*const SSL, *mut c_uchar, *mut c_uint) -> c_int>;
-                         c_int,
+pub type tls_session_ticket_ext_cb_fn =
-                         c_long,
+    Option<unsafe extern "C" fn(*mut SSL, *const c_uchar, c_int, *mut c_void) -> c_int>;
-                         c_long),
->;
-pub type GEN_SESSION_CB = Option<
-    unsafe extern "C" fn(*const SSL, *mut c_uchar, *mut c_uint)
-                         -> c_int,
->;
-pub type tls_session_ticket_ext_cb_fn = Option<
-    unsafe extern "C" fn(*mut SSL,
-                         *const c_uchar,
-                         c_int,
-                         *mut c_void)
-                         -> c_int,
->;
 pub type tls_session_secret_cb_fn = Option<
-    unsafe extern "C" fn(*mut SSL,
+    unsafe extern "C" fn(
-                         *mut c_void,
+        *mut SSL,
-                         *mut c_int,
+        *mut c_void,
-                         *mut stack_st_SSL_CIPHER,
+        *mut c_int,
-                         *mut *mut SSL_CIPHER,
+        *mut stack_st_SSL_CIPHER,
-                         *mut c_void)
+        *mut *mut SSL_CIPHER,
-                         -> c_int,
+        *mut c_void,
+    ) -> c_int,
 >;
 
 #[repr(C)]
@@ -167,31 +155,33 @@ pub type BN_ULONG = libc::c_ulonglong;
 #[cfg(target_pointer_width = "32")]
 pub type BN_ULONG = c_uint;
 
-pub type CRYPTO_EX_new = unsafe extern "C" fn(parent: *mut c_void,
+pub type CRYPTO_EX_new = unsafe extern "C" fn(
-                                              ptr: *mut c_void,
+    parent: *mut c_void,
-                                              ad: *const CRYPTO_EX_DATA,
+    ptr: *mut c_void,
-                                              idx: c_int,
+    ad: *const CRYPTO_EX_DATA,
-                                              argl: c_long,
+    idx: c_int,
-                                              argp: *const c_void)
+    argl: c_long,
-                                              -> c_int;
+    argp: *const c_void,
-pub type CRYPTO_EX_dup = unsafe extern "C" fn(to: *mut CRYPTO_EX_DATA,
+) -> c_int;
-                                              from: *mut CRYPTO_EX_DATA,
+pub type CRYPTO_EX_dup = unsafe extern "C" fn(
-                                              from_d: *mut c_void,
+    to: *mut CRYPTO_EX_DATA,
-                                              idx: c_int,
+    from: *mut CRYPTO_EX_DATA,
-                                              argl: c_long,
+    from_d: *mut c_void,
-                                              argp: *mut c_void)
+    idx: c_int,
-                                              -> c_int;
+    argl: c_long,
-pub type CRYPTO_EX_free = unsafe extern "C" fn(parent: *mut c_void,
+    argp: *mut c_void,
-                                               ptr: *mut c_void,
+) -> c_int;
-                                               ad: *mut CRYPTO_EX_DATA,
+pub type CRYPTO_EX_free = unsafe extern "C" fn(
-                                               idx: c_int,
+    parent: *mut c_void,
-                                               argl: c_long,
+    ptr: *mut c_void,
-                                               argp: *mut c_void);
+    ad: *mut CRYPTO_EX_DATA,
-pub type PasswordCallback = unsafe extern "C" fn(buf: *mut c_char,
+    idx: c_int,
-                                                 size: c_int,
+    argl: c_long,
-                                                 rwflag: c_int,
+    argp: *mut c_void,
-                                                 user_data: *mut c_void)
+);
-                                                 -> c_int;
+pub type PasswordCallback =
+    unsafe extern "C" fn(buf: *mut c_char, size: c_int, rwflag: c_int, user_data: *mut c_void)
+        -> c_int;
 
 pub type SHA_LONG = c_uint;
 pub type SHA_LONG64 = u64;
@@ -1265,9 +1255,9 @@ pub const SSL_OP_SAFARI_ECDHE_ECDSA_BUG: c_ulong = 0x00000040;
 #[cfg(not(any(libressl, ossl110f)))]
 pub const SSL_OP_ALL: c_ulong = 0x80000BFF;
 #[cfg(ossl110f)]
-pub const SSL_OP_ALL: c_ulong = SSL_OP_CRYPTOPRO_TLSEXT_BUG | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
+pub const SSL_OP_ALL: c_ulong = SSL_OP_CRYPTOPRO_TLSEXT_BUG | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-    SSL_OP_LEGACY_SERVER_CONNECT | SSL_OP_TLSEXT_PADDING |
+    | SSL_OP_LEGACY_SERVER_CONNECT | SSL_OP_TLSEXT_PADDING
-    SSL_OP_SAFARI_ECDHE_ECDSA_BUG;
+    | SSL_OP_SAFARI_ECDHE_ECDSA_BUG;
 pub const SSL_OP_NO_QUERY_MTU: c_ulong = 0x00001000;
 pub const SSL_OP_COOKIE_EXCHANGE: c_ulong = 0x00002000;
 pub const SSL_OP_NO_TICKET: c_ulong = 0x00004000;
@@ -1291,8 +1281,8 @@ pub const SSL_OP_NO_DTLSv1: c_ulong = 0x04000000;
 #[cfg(not(any(ossl101, libressl)))]
 pub const SSL_OP_NO_DTLSv1_2: c_ulong = 0x08000000;
 #[cfg(not(any(ossl101, libressl)))]
-pub const SSL_OP_NO_SSL_MASK: c_ulong = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
+pub const SSL_OP_NO_SSL_MASK: c_ulong =
-    SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
+    SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
 
 pub const TLSEXT_NAMETYPE_host_name: c_int = 0;
 
@@ -1313,60 +1303,83 @@ pub const V_ASN1_UTCTIME: c_int = 23;
 pub const X509_FILETYPE_ASN1: c_int = 2;
 pub const X509_FILETYPE_DEFAULT: c_int = 3;
 pub const X509_FILETYPE_PEM: c_int = 1;
-pub const X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: c_int = 31;
+
-pub const X509_V_ERR_AKID_SKID_MISMATCH: c_int = 30;
+pub const X509_V_OK: c_int = 0;
-pub const X509_V_ERR_APPLICATION_VERIFICATION: c_int = 50;
+#[cfg(not(libressl))]
-pub const X509_V_ERR_CERT_CHAIN_TOO_LONG: c_int = 22;
+pub const X509_V_ERR_UNSPECIFIED: c_int = 1;
-pub const X509_V_ERR_CERT_HAS_EXPIRED: c_int = 10;
+pub const X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: c_int = 2;
-pub const X509_V_ERR_CERT_NOT_YET_VALID: c_int = 9;
+pub const X509_V_ERR_UNABLE_TO_GET_CRL: c_int = 3;
-pub const X509_V_ERR_CERT_REJECTED: c_int = 28;
-pub const X509_V_ERR_CERT_REVOKED: c_int = 23;
-pub const X509_V_ERR_CERT_SIGNATURE_FAILURE: c_int = 7;
-pub const X509_V_ERR_CERT_UNTRUSTED: c_int = 27;
-pub const X509_V_ERR_CRL_HAS_EXPIRED: c_int = 12;
-pub const X509_V_ERR_CRL_NOT_YET_VALID: c_int = 11;
-pub const X509_V_ERR_CRL_PATH_VALIDATION_ERROR: c_int = 54;
-pub const X509_V_ERR_CRL_SIGNATURE_FAILURE: c_int = 8;
-pub const X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: c_int = 18;
-pub const X509_V_ERR_DIFFERENT_CRL_SCOPE: c_int = 44;
-pub const X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: c_int = 14;
-pub const X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: c_int = 13;
-pub const X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: c_int = 15;
-pub const X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: c_int = 16;
-pub const X509_V_ERR_EXCLUDED_VIOLATION: c_int = 48;
-pub const X509_V_ERR_INVALID_CA: c_int = 24;
-pub const X509_V_ERR_INVALID_EXTENSION: c_int = 41;
-pub const X509_V_ERR_INVALID_NON_CA: c_int = 37;
-pub const X509_V_ERR_INVALID_POLICY_EXTENSION: c_int = 42;
-pub const X509_V_ERR_INVALID_PURPOSE: c_int = 26;
-pub const X509_V_ERR_KEYUSAGE_NO_CERTSIGN: c_int = 32;
-pub const X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: c_int = 35;
-pub const X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: c_int = 39;
-pub const X509_V_ERR_NO_EXPLICIT_POLICY: c_int = 43;
-pub const X509_V_ERR_OUT_OF_MEM: c_int = 17;
-pub const X509_V_ERR_PATH_LENGTH_EXCEEDED: c_int = 25;
-pub const X509_V_ERR_PERMITTED_VIOLATION: c_int = 47;
-pub const X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: c_int = 40;
-pub const X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: c_int = 38;
-pub const X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: c_int = 19;
-pub const X509_V_ERR_SUBJECT_ISSUER_MISMATCH: c_int = 29;
-pub const X509_V_ERR_SUBTREE_MINMAX: c_int = 49;
-pub const X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: c_int = 6;
 pub const X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: c_int = 4;
 pub const X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: c_int = 5;
-pub const X509_V_ERR_UNABLE_TO_GET_CRL: c_int = 3;
+pub const X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: c_int = 6;
-pub const X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: c_int = 33;
+pub const X509_V_ERR_CERT_SIGNATURE_FAILURE: c_int = 7;
-pub const X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: c_int = 2;
+pub const X509_V_ERR_CRL_SIGNATURE_FAILURE: c_int = 8;
+pub const X509_V_ERR_CERT_NOT_YET_VALID: c_int = 9;
+pub const X509_V_ERR_CERT_HAS_EXPIRED: c_int = 10;
+pub const X509_V_ERR_CRL_NOT_YET_VALID: c_int = 11;
+pub const X509_V_ERR_CRL_HAS_EXPIRED: c_int = 12;
+pub const X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: c_int = 13;
+pub const X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: c_int = 14;
+pub const X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: c_int = 15;
+pub const X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: c_int = 16;
+pub const X509_V_ERR_OUT_OF_MEM: c_int = 17;
+pub const X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: c_int = 18;
+pub const X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: c_int = 19;
 pub const X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: c_int = 20;
 pub const X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: c_int = 21;
-pub const X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: c_int = 36;
+pub const X509_V_ERR_CERT_CHAIN_TOO_LONG: c_int = 22;
+pub const X509_V_ERR_CERT_REVOKED: c_int = 23;
+pub const X509_V_ERR_INVALID_CA: c_int = 24;
+pub const X509_V_ERR_PATH_LENGTH_EXCEEDED: c_int = 25;
+pub const X509_V_ERR_INVALID_PURPOSE: c_int = 26;
+pub const X509_V_ERR_CERT_UNTRUSTED: c_int = 27;
+pub const X509_V_ERR_CERT_REJECTED: c_int = 28;
+pub const X509_V_ERR_SUBJECT_ISSUER_MISMATCH: c_int = 29;
+pub const X509_V_ERR_AKID_SKID_MISMATCH: c_int = 30;
+pub const X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: c_int = 31;
+pub const X509_V_ERR_KEYUSAGE_NO_CERTSIGN: c_int = 32;
+pub const X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: c_int = 33;
 pub const X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: c_int = 34;
-pub const X509_V_ERR_UNNESTED_RESOURCE: c_int = 46;
+pub const X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: c_int = 35;
-pub const X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: c_int = 52;
+pub const X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: c_int = 36;
-pub const X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: c_int = 51;
+pub const X509_V_ERR_INVALID_NON_CA: c_int = 37;
+pub const X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: c_int = 38;
+pub const X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: c_int = 39;
+pub const X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: c_int = 40;
+pub const X509_V_ERR_INVALID_EXTENSION: c_int = 41;
+pub const X509_V_ERR_INVALID_POLICY_EXTENSION: c_int = 42;
+pub const X509_V_ERR_NO_EXPLICIT_POLICY: c_int = 43;
+pub const X509_V_ERR_DIFFERENT_CRL_SCOPE: c_int = 44;
 pub const X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: c_int = 45;
+pub const X509_V_ERR_UNNESTED_RESOURCE: c_int = 46;
+pub const X509_V_ERR_PERMITTED_VIOLATION: c_int = 47;
+pub const X509_V_ERR_EXCLUDED_VIOLATION: c_int = 48;
+pub const X509_V_ERR_SUBTREE_MINMAX: c_int = 49;
+pub const X509_V_ERR_APPLICATION_VERIFICATION: c_int = 50;
+pub const X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: c_int = 51;
+pub const X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: c_int = 52;
 pub const X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: c_int = 53;
-pub const X509_V_OK: c_int = 0;
+pub const X509_V_ERR_CRL_PATH_VALIDATION_ERROR: c_int = 54;
+
+#[cfg(not(any(ossl101, libressl)))]
+pub const X509_V_ERR_SUITE_B_INVALID_VERSION: c_int = 56;
+#[cfg(not(any(ossl101, libressl)))]
+pub const X509_V_ERR_SUITE_B_INVALID_ALGORITHM: c_int = 57;
+#[cfg(not(any(ossl101, libressl)))]
+pub const X509_V_ERR_SUITE_B_INVALID_CURVE: c_int = 58;
+#[cfg(not(any(ossl101, libressl)))]
+pub const X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM: c_int = 59;
+#[cfg(not(any(ossl101, libressl)))]
+pub const X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED: c_int = 60;
+#[cfg(not(any(ossl101, libressl)))]
+pub const X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256: c_int = 61;
+
+#[cfg(not(any(ossl101, libressl)))]
+pub const X509_V_ERR_HOSTNAME_MISMATCH: c_int = 62;
+#[cfg(not(any(ossl101, libressl)))]
+pub const X509_V_ERR_EMAIL_MISMATCH: c_int = 63;
+#[cfg(not(any(ossl101, libressl)))]
+pub const X509_V_ERR_IP_ADDRESS_MISMATCH: c_int = 64;
 
 #[cfg(not(any(ossl101, libressl)))]
 pub const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT: c_uint = 0x1;
@@ -2425,35 +2438,32 @@ extern "C" {
 
     pub fn SSL_CTX_set_next_protos_advertised_cb(
         ssl: *mut SSL_CTX,
-        cb: extern "C" fn(ssl: *mut SSL,
+        cb: extern "C" fn(
-                          out: *mut *const c_uchar,
+            ssl: *mut SSL,
-                          outlen: *mut c_uint,
+            out: *mut *const c_uchar,
-                          arg: *mut c_void)
+            outlen: *mut c_uint,
-                          -> c_int,
+            arg: *mut c_void,
+        ) -> c_int,
         arg: *mut c_void,
     );
     pub fn SSL_CTX_set_next_proto_select_cb(
         ssl: *mut SSL_CTX,
-        cb: extern "C" fn(ssl: *mut SSL,
+        cb: extern "C" fn(
-                          out: *mut *mut c_uchar,
+            ssl: *mut SSL,
-                          outlen: *mut c_uchar,
+            out: *mut *mut c_uchar,
-                          inbuf: *const c_uchar,
+            outlen: *mut c_uchar,
-                          inlen: c_uint,
+            inbuf: *const c_uchar,
-                          arg: *mut c_void)
+            inlen: c_uint,
-                          -> c_int,
+            arg: *mut c_void,
+        ) -> c_int,
         arg: *mut c_void,
     );
     #[cfg(not(osslconf = "OPENSSL_NO_PSK"))]
     pub fn SSL_CTX_set_psk_client_callback(
         ssl: *mut SSL_CTX,
         psk_client_cb: Option<
-            extern "C" fn(*mut SSL,
+            extern "C" fn(*mut SSL, *const c_char, *mut c_char, c_uint, *mut c_uchar, c_uint)
-                          *const c_char,
+                -> c_uint,
-                          *mut c_char,
-                          c_uint,
-                          *mut c_uchar,
-                          c_uint)
-                          -> c_uint,
         >,
     );
     pub fn SSL_select_next_proto(
@@ -2488,13 +2498,14 @@ extern "C" {
     #[cfg(not(ossl101))]
     pub fn SSL_CTX_set_alpn_select_cb(
         ssl: *mut SSL_CTX,
-        cb: extern "C" fn(ssl: *mut SSL,
+        cb: extern "C" fn(
-                          out: *mut *const c_uchar,
+            ssl: *mut SSL,
-                          outlen: *mut c_uchar,
+            out: *mut *const c_uchar,
-                          inbuf: *const c_uchar,
+            outlen: *mut c_uchar,
-                          inlen: c_uint,
+            inbuf: *const c_uchar,
-                          arg: *mut c_void)
+            inlen: c_uint,
-                          -> c_int,
+            arg: *mut c_void,
+        ) -> c_int,
         arg: *mut c_void,
     );
     #[cfg(not(ossl101))]
@@ -2556,6 +2567,7 @@ extern "C" {
     pub fn X509_STORE_CTX_free(ctx: *mut X509_STORE_CTX);
     pub fn X509_STORE_CTX_get_current_cert(ctx: *mut X509_STORE_CTX) -> *mut X509;
     pub fn X509_STORE_CTX_get_error(ctx: *mut X509_STORE_CTX) -> c_int;
+    pub fn X509_STORE_CTX_set_error(ctx: *mut X509_STORE_CTX, error: c_int);
     pub fn X509_STORE_CTX_get_ex_data(ctx: *mut X509_STORE_CTX, idx: c_int) -> *mut c_void;
     pub fn X509_STORE_CTX_get_error_depth(ctx: *mut X509_STORE_CTX) -> c_int;
 

openssl-sys/src/ossl10x.rs

@@ -5,7 +5,7 @@ use std::ptr;
 use std::process;
 use std::io::{self, Write};
 
-use libc::{c_int, c_char, c_void, c_long, c_uchar, size_t, c_uint, c_ulong};
+use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_void, size_t};
 #[cfg(not(ossl101))]
 use libc::time_t;
 
@@ -144,13 +144,7 @@ pub struct EVP_PKEY {
 pub struct BIO {
     pub method: *mut ::BIO_METHOD,
     pub callback: Option<
-        unsafe extern "C" fn(*mut ::BIO,
+        unsafe extern "C" fn(*mut ::BIO, c_int, *const c_char, c_int, c_long, c_long) -> c_long,
-                             c_int,
-                             *const c_char,
-                             c_int,
-                             c_long,
-                             c_long)
-                             -> c_long,
     >,
     pub cb_arg: *mut c_char,
     pub init: c_int,
@@ -191,18 +185,10 @@ pub struct EVP_CIPHER {
     pub iv_len: c_int,
     pub flags: c_ulong,
     pub init: Option<
-        unsafe extern "C" fn(*mut ::EVP_CIPHER_CTX,
+        unsafe extern "C" fn(*mut ::EVP_CIPHER_CTX, *const c_uchar, *const c_uchar, c_int) -> c_int,
-                             *const c_uchar,
-                             *const c_uchar,
-                             c_int)
-                             -> c_int,
     >,
     pub do_cipher: Option<
-        unsafe extern "C" fn(*mut ::EVP_CIPHER_CTX,
+        unsafe extern "C" fn(*mut ::EVP_CIPHER_CTX, *mut c_uchar, *const c_uchar, size_t) -> c_int,
-                             *mut c_uchar,
-                             *const c_uchar,
-                             size_t)
-                             -> c_int,
     >,
     pub cleanup: Option<unsafe extern "C" fn(*mut ::EVP_CIPHER_CTX) -> c_int>,
     pub ctx_size: c_int,
@@ -277,12 +263,9 @@ pub struct X509 {
     crldp: *mut c_void,
     altname: *mut c_void,
     nc: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_RFC3779"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_RFC3779"))] rfc3779_addr: *mut c_void,
-    rfc3779_addr: *mut c_void,
+    #[cfg(not(osslconf = "OPENSSL_NO_RFC3779"))] rfc3779_asid: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_RFC3779"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_SHA"))] sha1_hash: [c_uchar; 20],
-    rfc3779_asid: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_SHA"))]
-    sha1_hash: [c_uchar; 20],
     aux: *mut c_void,
 }
 
@@ -365,13 +348,7 @@ pub struct SSL {
     d1: *mut c_void,
     read_ahead: c_int,
     msg_callback: Option<
-        unsafe extern "C" fn(c_int,
+        unsafe extern "C" fn(c_int, c_int, c_int, *const c_void, size_t, *mut SSL, *mut c_void),
-                             c_int,
-                             c_int,
-                             *const c_void,
-                             size_t,
-                             *mut SSL,
-                             *mut c_void),
     >,
     msg_callback_arg: *mut c_void,
     hit: c_int,
@@ -395,17 +372,11 @@ pub struct SSL {
     info_callback: Option<unsafe extern "C" fn(*mut SSL, c_int, c_int)>,
     error: c_int,
     error_code: c_int,
-    #[cfg(not(osslconf = "OPENSSL_NO_KRB5"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_KRB5"))] kssl_ctx: *mut c_void,
-    kssl_ctx: *mut c_void,
     #[cfg(not(osslconf = "OPENSSL_NO_PSK"))]
     psk_client_callback: Option<
-        unsafe extern "C" fn(*mut SSL,
+        unsafe extern "C" fn(*mut SSL, *const c_char, *mut c_char, c_uint, *mut c_uchar, c_uint)
-                             *const c_char,
+            -> c_uint,
-                             *mut c_char,
-                             c_uint,
-                             *mut c_uchar,
-                             c_uint)
-                             -> c_uint,
     >,
     #[cfg(not(osslconf = "OPENSSL_NO_PSK"))]
     psk_server_callback:
@@ -425,26 +396,16 @@ pub struct SSL {
     #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
     tlsext_debug_cb:
         Option<unsafe extern "C" fn(*mut SSL, c_int, c_int, *mut c_uchar, c_int, *mut c_void)>,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_debug_arg: *mut c_void,
-    tlsext_debug_arg: *mut c_void,
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_hostname: *mut c_char,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] servername_done: c_int,
-    tlsext_hostname: *mut c_char,
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_status_type: c_int,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_status_expected: c_int,
-    servername_done: c_int,
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_ocsp_ids: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_ocsp_exts: *mut c_void,
-    tlsext_status_type: c_int,
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_ocsp_resp: *mut c_uchar,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_ocsp_resplen: c_int,
-    tlsext_status_expected: c_int,
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_ticket_expected: c_int,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tlsext_ocsp_ids: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tlsext_ocsp_exts: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tlsext_ocsp_resp: *mut c_uchar,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tlsext_ocsp_resplen: c_int,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tlsext_ticket_expected: c_int,
     #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_EC")))]
     tlsext_ecpointformatlist_length: size_t,
     #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_EC")))]
@@ -453,43 +414,28 @@ pub struct SSL {
     tlsext_ellipticcurvelist_length: size_t,
     #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_EC")))]
     tlsext_ellipticcurvelist: *mut c_uchar,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_opaque_prf_input: *mut c_void,
-    tlsext_opaque_prf_input: *mut c_void,
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_opaque_prf_input_len: size_t,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_session_ticket: *mut c_void,
-    tlsext_opaque_prf_input_len: size_t,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tlsext_session_ticket: *mut c_void,
     #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
     tlsext_session_ticket_ext_cb: ::tls_session_ticket_ext_cb_fn,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tls_session_ticket_ext_cb_arg: *mut c_void,
-    tls_session_ticket_ext_cb_arg: *mut c_void,
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tls_session_secret_cb: ::tls_session_secret_cb_fn,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tls_session_secret_cb_arg: *mut c_void,
-    tls_session_secret_cb: ::tls_session_secret_cb_fn,
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] initial_ctx: *mut ::SSL_CTX,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tls_session_secret_cb_arg: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    initial_ctx: *mut ::SSL_CTX,
     #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_NEXTPROTONEG")))]
     next_proto_negotiated: *mut c_uchar,
     #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_NEXTPROTONEG")))]
     next_proto_negotiated_len: c_uchar,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] srtp_profiles: *mut c_void,
-    srtp_profiles: *mut c_void,
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] srtp_profile: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_heartbeat: c_uint,
-    srtp_profile: *mut c_void,
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_hb_pending: c_uint,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_hb_seq: c_uint,
-    tlsext_heartbeat: c_uint,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tlsext_hb_pending: c_uint,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tlsext_hb_seq: c_uint,
     renegotiate: c_int,
-    #[cfg(not(osslconf = "OPENSSL_NO_SRP"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_SRP"))] srp_ctx: ::SRP_CTX,
-    srp_ctx: ::SRP_CTX,
+    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] alpn_client_proto_list: *mut c_uchar,
-    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))]
+    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] alpn_client_proto_list_len: c_uint,
-    alpn_client_proto_list: *mut c_uchar,
-    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))]
-    alpn_client_proto_list_len: c_uint,
 }
 
 #[repr(C)]
@@ -540,46 +486,28 @@ pub struct SSL_CTX {
     quiet_shutdown: c_int,
     max_send_fragment: c_uint,
 
-    #[cfg(not(osslconf = "OPENSSL_NO_ENGINE"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_ENGINE"))] client_cert_engine: *mut c_void,
-    client_cert_engine: *mut c_void,
 
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_servername_callback: *mut c_void,
-    tlsext_servername_callback: *mut c_void,
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsect_servername_arg: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_tick_key_name: [c_uchar; 16],
-    tlsect_servername_arg: *mut c_void,
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_tick_hmac_key: [c_uchar; 16],
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_tick_aes_key: [c_uchar; 16],
-    tlsext_tick_key_name: [c_uchar; 16],
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_ticket_key_cb: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_status_cb: *mut c_void,
-    tlsext_tick_hmac_key: [c_uchar; 16],
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_status_arg: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_opaque_prf_input_callback: *mut c_void,
-    tlsext_tick_aes_key: [c_uchar; 16],
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_opaque_prf_input_callback_arg: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tlsext_ticket_key_cb: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tlsext_status_cb: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tlsext_status_arg: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tlsext_opaque_prf_input_callback: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tlsext_opaque_prf_input_callback_arg: *mut c_void,
 
-    #[cfg(not(osslconf = "OPENSSL_NO_PSK"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] psk_identity_hint: *mut c_void,
-    psk_identity_hint: *mut c_void,
+    #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] psk_client_callback: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_PSK"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] psk_server_callback: *mut c_void,
-    psk_client_callback: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_PSK"))]
-    psk_server_callback: *mut c_void,
 
-    #[cfg(not(osslconf = "OPENSSL_NO_BUF_FREELISTS"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_BUF_FREELISTS"))] freelist_max_len: c_uint,
-    freelist_max_len: c_uint,
+    #[cfg(not(osslconf = "OPENSSL_NO_BUF_FREELISTS"))] wbuf_freelist: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_BUF_FREELISTS"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_BUF_FREELISTS"))] rbuf_freelist: *mut c_void,
-    wbuf_freelist: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_BUF_FREELISTS"))]
-    rbuf_freelist: *mut c_void,
 
-    #[cfg(not(osslconf = "OPENSSL_NO_SRP"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_SRP"))] srp_ctx: SRP_CTX,
-    srp_ctx: SRP_CTX,
 
     #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_NEXTPROTONEG")))]
     next_protos_advertised_cb: *mut c_void,
@@ -590,19 +518,13 @@ pub struct SSL_CTX {
     #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_NEXTPROTONEG")))]
     next_proto_select_cb_arg: *mut c_void,
 
-    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl101))]
+    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl101))] srtp_profiles: *mut c_void,
-    srtp_profiles: *mut c_void,
 
-    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))]
+    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] srtp_profiles: *mut c_void,
-    srtp_profiles: *mut c_void,
+    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] alpn_select_cb: *mut c_void,
-    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))]
+    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] alpn_select_cb_arg: *mut c_void,
-    alpn_select_cb: *mut c_void,
+    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] alpn_client_proto_list: *mut c_void,
-    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))]
+    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))] alpn_client_proto_list_len: c_uint,
-    alpn_select_cb_arg: *mut c_void,
-    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))]
-    alpn_client_proto_list: *mut c_void,
-    #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), ossl102))]
-    alpn_client_proto_list_len: c_uint,
 
     #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_EC"), ossl102))]
     tlsext_ecpointformatlist_length: size_t,
@@ -625,14 +547,11 @@ pub struct SSL_SESSION {
     session_id: [c_uchar; SSL_MAX_SSL_SESSION_ID_LENGTH as usize],
     sid_ctx_length: c_uint,
     sid_ctx: [c_uchar; SSL_MAX_SID_CTX_LENGTH as usize],
-    #[cfg(not(osslconf = "OPENSSL_NO_KRB5"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_KRB5"))] krb5_client_princ_len: c_uint,
-    krb5_client_princ_len: c_uint,
     #[cfg(not(osslconf = "OPENSSL_NO_KRB5"))]
     krb5_client_princ: [c_uchar; SSL_MAX_KRB5_PRINCIPAL_LENGTH as usize],
-    #[cfg(not(osslconf = "OPENSSL_NO_PSK"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] psk_identity_hint: *mut c_char,
-    psk_identity_hint: *mut c_char,
+    #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] psk_identity: *mut c_char,
-    #[cfg(not(osslconf = "OPENSSL_NO_PSK"))]
-    psk_identity: *mut c_char,
     not_resumable: c_int,
     sess_cert: *mut c_void,
     peer: *mut X509,
@@ -647,8 +566,7 @@ pub struct SSL_SESSION {
     ex_data: ::CRYPTO_EX_DATA,
     prev: *mut c_void,
     next: *mut c_void,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_hostname: *mut c_char,
-    tlsext_hostname: *mut c_char,
     #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_EC")))]
     tlsext_ecpointformatlist_length: size_t,
     #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_EC")))]
@@ -657,14 +575,10 @@ pub struct SSL_SESSION {
     tlsext_ellipticcurvelist_length: size_t,
     #[cfg(all(not(osslconf = "OPENSSL_NO_TLSEXT"), not(osslconf = "OPENSSL_NO_EC")))]
     tlsext_ellipticcurvelist: *mut c_uchar,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_tick: *mut c_uchar,
-    tlsext_tick: *mut c_uchar,
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_ticklen: size_t,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
+    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))] tlsext_tick_lifetime_hint: c_long,
-    tlsext_ticklen: size_t,
+    #[cfg(not(osslconf = "OPENSSL_NO_SRP"))] srp_username: *mut c_char,
-    #[cfg(not(osslconf = "OPENSSL_NO_TLSEXT"))]
-    tlsext_tick_lifetime_hint: c_long,
-    #[cfg(not(osslconf = "OPENSSL_NO_SRP"))]
-    srp_username: *mut c_char,
 }
 
 #[repr(C)]
@@ -738,9 +652,13 @@ pub const CRYPTO_LOCK_X509: c_int = 3;
 pub const CRYPTO_LOCK_SSL_CTX: c_int = 12;
 pub const CRYPTO_LOCK_SSL_SESSION: c_int = 14;
 
+pub const X509_V_ERR_INVALID_CALL: c_int = 65;
+pub const X509_V_ERR_STORE_LOOKUP: c_int = 66;
+pub const X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION: c_int = 67;
+
 static mut MUTEXES: *mut Vec<Mutex<()>> = 0 as *mut Vec<Mutex<()>>;
-static mut GUARDS: *mut Vec<Option<MutexGuard<'static, ()>>> = 0 as
+static mut GUARDS: *mut Vec<Option<MutexGuard<'static, ()>>> =
-    *mut Vec<Option<MutexGuard<'static, ()>>>;
+    0 as *mut Vec<Option<MutexGuard<'static, ()>>>;
 
 unsafe extern "C" fn locking_function(mode: c_int, n: c_int, _file: *const c_char, _line: c_int) {
     let mutex = &(*MUTEXES)[n as usize];
@@ -896,7 +814,7 @@ extern "C" {
     pub fn SSL_set_tmp_ecdh_callback(
         ssl: *mut ::SSL,
         ecdh: unsafe extern "C" fn(ssl: *mut ::SSL, is_export: c_int, keylength: c_int)
-                                   -> *mut ::EC_KEY,
+            -> *mut ::EC_KEY,
     );
     pub fn SSL_CIPHER_get_version(cipher: *const ::SSL_CIPHER) -> *mut c_char;
     pub fn SSL_CTX_get_ex_new_index(
@@ -909,7 +827,7 @@ extern "C" {
     pub fn SSL_CTX_set_tmp_ecdh_callback(
         ctx: *mut ::SSL_CTX,
         ecdh: unsafe extern "C" fn(ssl: *mut ::SSL, is_export: c_int, keylength: c_int)
-                                   -> *mut ::EC_KEY,
+            -> *mut ::EC_KEY,
     );
     pub fn X509_get_subject_name(x: *mut ::X509) -> *mut ::X509_NAME;
     pub fn X509_set_notAfter(x: *mut ::X509, tm: *const ::ASN1_TIME) -> c_int;

openssl-sys/src/ossl110.rs

@@ -1,4 +1,4 @@
-use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long, c_uint, size_t};
+use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_void, size_t};
 use std::sync::{Once, ONCE_INIT};
 use std::ptr;
 
@@ -55,6 +55,14 @@ pub const CRYPTO_EX_INDEX_SSL_CTX: c_int = 1;
 
 pub const OPENSSL_INIT_LOAD_SSL_STRINGS: u64 = 0x00200000;
 
+pub const X509_V_ERR_DANE_NO_MATCH: c_int = 65;
+pub const X509_V_ERR_EE_KEY_TOO_SMALL: c_int = 66;
+pub const X509_V_ERR_CA_KEY_TOO_SMALL: c_int = 67;
+pub const X509_V_ERR_CA_MD_TOO_WEAK: c_int = 68;
+pub const X509_V_ERR_INVALID_CALL: c_int = 69;
+pub const X509_V_ERR_STORE_LOOKUP: c_int = 70;
+pub const X509_V_ERR_NO_VALID_SCTS: c_int = 71;
+
 pub const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT: c_uint = 0x20;
 
 pub fn init() {

openssl/examples/mk_certs.rs

@@ -9,8 +9,7 @@ use openssl::error::ErrorStack;
 use openssl::hash::MessageDigest;
 use openssl::pkey::{PKey, PKeyRef};
 use openssl::rsa::Rsa;
-use openssl::x509::{X509, X509Ref};
+use openssl::x509::{X509, X509NameBuilder, X509Ref, X509Req, X509ReqBuilder, X509VerifyResult};
-use openssl::x509::{X509NameBuilder, X509Req, X509ReqBuilder};
 use openssl::x509::extension::{AuthorityKeyIdentifier, BasicConstraints, KeyUsage,
                                SubjectAlternativeName, SubjectKeyIdentifier};
 
@@ -137,8 +136,8 @@ fn real_main() -> Result<(), ErrorStack> {
 
     // Verify that this cert was issued by this ca
     match ca_cert.issued(&cert) {
-        Err(ver_err) => println!("Failed to verify certificate: {}", ver_err),
+        X509VerifyResult::OK => println!("Certificate verified!"),
-        Ok(()) => println!("Certificate verified!"),
+        ver_err => println!("Failed to verify certificate: {}", ver_err),
     };
 
     Ok(())

openssl/src/ssl/connector.rs

@@ -7,11 +7,6 @@ use ssl::{HandshakeError, Ssl, SslContext, SslContextBuilder, SslMethod, SslMode
           SslRef, SslStream, SslVerifyMode};
 use version;
 
-#[cfg(ossl101)]
-lazy_static! {
-    static ref HOSTNAME_IDX: ::ex_data::Index<Ssl, String> = Ssl::new_ex_index().unwrap();
-}
-
 // ffdhe2048 from https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe2048
 const DHPARAM_PEM: &'static str = "
 -----BEGIN DH PARAMETERS-----
@@ -297,16 +292,7 @@ fn setup_verify(ctx: &mut SslContextBuilder) {
 
 #[cfg(ossl101)]
 fn setup_verify(ctx: &mut SslContextBuilder) {
-    ctx.set_verify_callback(SslVerifyMode::PEER, |p, x509| {
+    ctx.set_verify_callback(SslVerifyMode::PEER, verify::verify_callback);
-        let hostname = match x509.ssl() {
-            Ok(Some(ssl)) => ssl.ex_data(*HOSTNAME_IDX),
-            _ => None,
-        };
-        match hostname {
-            Some(hostname) => verify::verify_callback(hostname, p, x509),
-            None => p,
-        }
-    });
 }
 
 #[cfg(any(ossl102, ossl110))]
@@ -322,7 +308,7 @@ fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack>
 #[cfg(ossl101)]
 fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
     let domain = domain.to_string();
-    ssl.set_ex_data(*HOSTNAME_IDX, domain);
+    ssl.set_ex_data(*verify::HOSTNAME_IDX, domain);
     Ok(())
 }
 
@@ -331,23 +317,38 @@ mod verify {
     use std::net::IpAddr;
     use std::str;
 
+    use ex_data::Index;
     use nid::Nid;
-    use x509::{GeneralName, X509NameRef, X509Ref, X509StoreContextRef};
+    use x509::{GeneralName, X509NameRef, X509Ref, X509StoreContext, X509StoreContextRef,
+               X509VerifyResult};
     use stack::Stack;
+    use ssl::Ssl;
 
-    pub fn verify_callback(
+    lazy_static! {
-        domain: &str,
+        pub static ref HOSTNAME_IDX: Index<Ssl, String> = Ssl::new_ex_index().unwrap();
-        preverify_ok: bool,
+    }
-        x509_ctx: &X509StoreContextRef,
+
-    ) -> bool {
+    pub fn verify_callback(preverify_ok: bool, x509_ctx: &mut X509StoreContextRef) -> bool {
         if !preverify_ok || x509_ctx.error_depth() != 0 {
             return preverify_ok;
         }
 
-        match x509_ctx.current_cert() {
+        let ok = match (
-            Some(x509) => verify_hostname(domain, &x509),
+            x509_ctx.current_cert(),
-            None => true,
+            X509StoreContext::ssl_idx()
+                .ok()
+                .and_then(|idx| x509_ctx.ex_data(idx))
+                .and_then(|ssl| ssl.ex_data(*HOSTNAME_IDX)),
+        ) {
+            (Some(x509), Some(domain)) => verify_hostname(domain, &x509),
+            _ => true,
+        };
+
+        if !ok {
+            x509_ctx.set_error(X509VerifyResult::APPLICATION_VERIFICATION);
         }
+
+        ok
     }
 
     fn verify_hostname(domain: &str, cert: &X509Ref) -> bool {

openssl/src/ssl/error.rs

@@ -5,6 +5,7 @@ use std::io;
 
 use error::ErrorStack;
 use ssl::MidHandshakeSslStream;
+use x509::X509VerifyResult;
 
 /// An SSL error.
 // FIXME this is missing variants
@@ -130,8 +131,9 @@ impl<S: fmt::Debug> fmt::Display for HandshakeError<S> {
             HandshakeError::SetupFailure(ref e) => write!(f, ": {}", e)?,
             HandshakeError::Failure(ref s) | HandshakeError::WouldBlock(ref s) => {
                 write!(f, ": {}", s.error())?;
-                if let Some(err) = s.ssl().verify_result() {
+                let verify = s.ssl().verify_result();
-                    write!(f, ": {}", err)?;
+                if verify != X509VerifyResult::OK {
+                    write!(f, ": {}", verify)?;
                 }
             }
         }

openssl/src/ssl/mod.rs

@@ -86,7 +86,7 @@ use dh::{Dh, DhRef};
 use ec::EcKeyRef;
 #[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))]
 use ec::EcKey;
-use x509::{X509, X509Filetype, X509Name, X509Ref, X509StoreContextRef, X509VerifyError};
+use x509::{X509, X509Filetype, X509Name, X509Ref, X509StoreContextRef, X509VerifyResult};
 use x509::store::{X509StoreBuilderRef, X509StoreRef};
 #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
 use x509::store::X509Store;
@@ -1441,12 +1441,10 @@ impl Ssl {
 
 impl fmt::Debug for SslRef {
     fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
-        let mut builder = fmt.debug_struct("Ssl");
+        fmt.debug_struct("Ssl")
-        builder.field("state", &self.state_string_long());
+            .field("state", &self.state_string_long())
-        if let Some(err) = self.verify_result() {
+            .field("verify_result", &self.verify_result())
-            builder.field("verify_result", &err);
+            .finish()
-        }
-        builder.finish()
     }
 }
 
@@ -1870,8 +1868,8 @@ impl SslRef {
     /// This corresponds to [`SSL_get_verify_result`].
     ///
     /// [`SSL_get_verify_result`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_get_verify_result.html
-    pub fn verify_result(&self) -> Option<X509VerifyError> {
+    pub fn verify_result(&self) -> X509VerifyResult {
-        unsafe { X509VerifyError::from_raw(ffi::SSL_get_verify_result(self.as_ptr())) }
+        unsafe { X509VerifyResult::from_raw(ffi::SSL_get_verify_result(self.as_ptr()) as c_int) }
     }
 
     /// Returns a shared reference to the SSL session.

openssl/src/ssl/tests/mod.rs

@@ -20,7 +20,7 @@ use ocsp::{OcspResponse, OcspResponseStatus};
 use ssl;
 use ssl::{Error, HandshakeError, ShutdownResult, Ssl, SslAcceptor, SslConnector, SslContext,
           SslMethod, SslStream, SslVerifyMode, StatusType};
-use x509::{X509, X509Filetype, X509Name, X509StoreContext};
+use x509::{X509, X509Filetype, X509Name, X509StoreContext, X509VerifyResult};
 #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
 use x509::verify::X509CheckFlags;
 use pkey::PKey;
@@ -133,7 +133,7 @@ macro_rules! run_test(
             use ssl::SslMethod;
             use ssl::{SslContext, Ssl, SslStream, SslVerifyMode, SslOptions};
             use hash::MessageDigest;
-            use x509::X509StoreContext;
+            use x509::{X509StoreContext, X509VerifyResult};
             #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
             use x509::X509;
             #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
@@ -255,7 +255,7 @@ run_test!(verify_callback_load_certs, |method, stream| {
 run_test!(verify_trusted_get_error_ok, |method, stream| {
     let mut ctx = SslContext::builder(method).unwrap();
     ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| {
-        assert!(x509_ctx.error().is_none());
+        assert!(x509_ctx.error() == X509VerifyResult::OK);
         true
     });
 
@@ -269,7 +269,7 @@ run_test!(verify_trusted_get_error_ok, |method, stream| {
 run_test!(verify_trusted_get_error_err, |method, stream| {
     let mut ctx = SslContext::builder(method).unwrap();
     ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| {
-        assert!(x509_ctx.error().is_some());
+        assert_ne!(x509_ctx.error(), X509VerifyResult::OK);
         false
     });
 

openssl/src/x509/mod.rs

@@ -16,6 +16,7 @@ use asn1::{Asn1BitStringRef, Asn1IntegerRef, Asn1ObjectRef, Asn1StringRef, Asn1T
 use bio::MemBioSlice;
 use conf::ConfRef;
 use error::ErrorStack;
+use ex_data::Index;
 use hash::MessageDigest;
 use nid::Nid;
 use pkey::{PKey, PKeyRef};
@@ -59,9 +60,34 @@ foreign_type_and_impl_send_sync! {
     pub struct X509StoreContextRef;
 }
 
+impl X509StoreContext {
+    /// Returns the index which can be used to obtain a reference to the `Ssl` associated with a
+    /// context.
+    pub fn ssl_idx() -> Result<Index<X509StoreContext, SslRef>, ErrorStack> {
+        unsafe { cvt_n(ffi::SSL_get_ex_data_X509_STORE_CTX_idx()).map(|idx| Index::from_raw(idx)) }
+    }
+}
+
 impl X509StoreContextRef {
-    pub fn error(&self) -> Option<X509VerifyError> {
+    pub fn ex_data<T>(&self, index: Index<X509StoreContext, T>) -> Option<&T> {
-        unsafe { X509VerifyError::from_raw(ffi::X509_STORE_CTX_get_error(self.as_ptr()) as c_long) }
+        unsafe {
+            let data = ffi::X509_STORE_CTX_get_ex_data(self.as_ptr(), index.as_raw());
+            if data.is_null() {
+                None
+            } else {
+                Some(&*(data as *const T))
+            }
+        }
+    }
+
+    pub fn error(&self) -> X509VerifyResult {
+        unsafe { X509VerifyResult::from_raw(ffi::X509_STORE_CTX_get_error(self.as_ptr())) }
+    }
+
+    pub fn set_error(&mut self, result: X509VerifyResult) {
+        unsafe {
+            ffi::X509_STORE_CTX_set_error(self.as_ptr(), result.as_raw());
+        }
     }
 
     pub fn current_cert(&self) -> Option<&X509Ref> {
@@ -84,22 +110,9 @@ impl X509StoreContextRef {
             let chain = X509_STORE_CTX_get_chain(self.as_ptr());
 
             if chain.is_null() {
-                return None;
+                None
-            }
-
-            Some(StackRef::from_ptr(chain))
-        }
-    }
-
-    /// Returns a reference to the `Ssl` associated with this context.
-    pub fn ssl(&self) -> Result<Option<&SslRef>, ErrorStack> {
-        unsafe {
-            let idx = cvt_n(ffi::SSL_get_ex_data_X509_STORE_CTX_idx())?;
-            let ssl = ffi::X509_STORE_CTX_get_ex_data(self.as_ptr(), idx);
-            if ssl.is_null() {
-                Ok(None)
             } else {
-                Ok(Some(SslRef::from_ptr(ssl as *mut ffi::SSL)))
+                Some(StackRef::from_ptr(chain))
             }
         }
     }
@@ -343,13 +356,10 @@ impl X509Ref {
     }
 
     /// Checks that this certificate issued `subject`.
-    pub fn issued(&self, subject: &X509Ref) -> Result<(), X509VerifyError> {
+    pub fn issued(&self, subject: &X509Ref) -> X509VerifyResult {
         unsafe {
             let r = ffi::X509_check_issued(self.as_ptr(), subject.as_ptr());
-            match X509VerifyError::from_raw(r as c_long) {
+            X509VerifyResult::from_raw(r)
-                Some(e) => Err(e),
-                None => Ok(()),
-            }
         }
     }
 
@@ -746,47 +756,42 @@ impl X509ReqRef {
     }
 }
 
-pub struct X509VerifyError(c_long);
+#[derive(Copy, Clone, PartialEq, Eq)]
+pub struct X509VerifyResult(c_int);
 
-impl fmt::Debug for X509VerifyError {
+impl fmt::Debug for X509VerifyResult {
     fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
-        fmt.debug_struct("X509VerifyError")
+        fmt.debug_struct("X509VerifyResult")
             .field("code", &self.0)
             .field("error", &self.error_string())
             .finish()
     }
 }
 
-impl fmt::Display for X509VerifyError {
+impl fmt::Display for X509VerifyResult {
     fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
         fmt.write_str(self.error_string())
     }
 }
 
-impl Error for X509VerifyError {
+impl Error for X509VerifyResult {
     fn description(&self) -> &str {
         "an X509 validation error"
     }
 }
 
-impl X509VerifyError {
+impl X509VerifyResult {
-    /// Creates an `X509VerifyError` from a raw error number.
+    /// Creates an `X509VerifyResult` from a raw error number.
-    ///
-    /// `None` will be returned if `err` is `X509_V_OK`.
     ///
     /// # Safety
     ///
-    /// Some methods on `X509VerifyError` are not thread safe if the error
+    /// Some methods on `X509VerifyResult` are not thread safe if the error
     /// number is invalid.
-    pub unsafe fn from_raw(err: c_long) -> Option<X509VerifyError> {
+    pub unsafe fn from_raw(err: c_int) -> X509VerifyResult {
-        if err == ffi::X509_V_OK as c_long {
+        X509VerifyResult(err)
-            None
-        } else {
-            Some(X509VerifyError(err))
-        }
     }
 
-    pub fn as_raw(&self) -> c_long {
+    pub fn as_raw(&self) -> c_int {
         self.0
     }
 
@@ -794,10 +799,14 @@ impl X509VerifyError {
         ffi::init();
 
         unsafe {
-            let s = ffi::X509_verify_cert_error_string(self.0);
+            let s = ffi::X509_verify_cert_error_string(self.0 as c_long);
             str::from_utf8(CStr::from_ptr(s).to_bytes()).unwrap()
         }
     }
+
+    pub const OK: X509VerifyResult = X509VerifyResult(ffi::X509_V_OK);
+    pub const APPLICATION_VERIFICATION: X509VerifyResult =
+        X509VerifyResult(ffi::X509_V_ERR_APPLICATION_VERIFICATION);
 }
 
 foreign_type_and_impl_send_sync! {

openssl/src/x509/tests.rs

@@ -7,7 +7,7 @@ use nid::Nid;
 use pkey::PKey;
 use rsa::Rsa;
 use stack::Stack;
-use x509::{X509, X509Name, X509Req};
+use x509::{X509, X509Name, X509Req, X509VerifyResult};
 use x509::extension::{AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, KeyUsage,
                       SubjectAlternativeName, SubjectKeyIdentifier};
 
@@ -253,8 +253,8 @@ fn issued() {
     let ca = include_bytes!("../../test/root-ca.pem");
     let ca = X509::from_pem(ca).unwrap();
 
-    ca.issued(&cert).unwrap();
+    assert_eq!(ca.issued(&cert), X509VerifyResult::OK);
-    cert.issued(&cert).err().unwrap();
+    assert_ne!(cert.issued(&cert), X509VerifyResult::OK);
 }
 
 #[test]