min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #795 from sfackler/host-overhaul 

Allow SNI and hostname verification to be configured separately
This commit is contained in:
Steven Fackler 2017-12-23 19:00:44 -08:00 committed by GitHub
parent 4c47aca508 25984aa183
commit 82d3ac948b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 148 additions and 135 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
openssl/src/dh.rs
View File

@ -95,7 +95,7 @@ mod compat {
mod tests { mod tests {
use dh::Dh; use dh::Dh;
use bn::BigNum; use bn::BigNum;
use ssl::{SslMethod, SslContext}; use ssl::{SslContext, SslMethod};
#[test] #[test]
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
@ -113,30 +113,23 @@ mod tests {
fn test_dh() { fn test_dh() {
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
let p = BigNum::from_hex_str( let p = BigNum::from_hex_str(
"87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F25D2CEED4435\ "87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F25D2CEED4435E3B00E00DF8F1D61957D4FAF7DF\
E3B00E00DF8F1D61957D4FAF7DF4561B2AA3016C3D91134096FAA3BF429\ 4561B2AA3016C3D91134096FAA3BF4296D830E9A7C209E0C6497517ABD5A8A9D306BCF67ED91F9E6725B47\
6D830E9A7C209E0C6497517ABD5A8A9D306BCF67ED91F9E6725B4758C02\ 58C022E0B1EF4275BF7B6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF12307F5C4FDB70C581B23F76B6\
2E0B1EF4275BF7B6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF1230\ 3ACAE1CAA6B7902D52526735488A0EF13C6D9A51BFA4AB3AD8347796524D8EF6A167B5A41825D967E144E5\
7F5C4FDB70C581B23F76B63ACAE1CAA6B7902D52526735488A0EF13C6D9\ 140564251CCACB83E6B486F6B3CA3F7971506026C0B857F689962856DED4010ABD0BE621C3A3960A54E710\
A51BFA4AB3AD8347796524D8EF6A167B5A41825D967E144E5140564251C\ C375F26375D7014103A4B54330C198AF126116D2276E11715F693877FAD7EF09CADB094AE91E1A1597",
CACB83E6B486F6B3CA3F7971506026C0B857F689962856DED4010ABD0BE\
621C3A3960A54E710C375F26375D7014103A4B54330C198AF126116D227\
6E11715F693877FAD7EF09CADB094AE91E1A1597",
).unwrap(); ).unwrap();
let g = BigNum::from_hex_str( let g = BigNum::from_hex_str(
"3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF205407F4793A1A0\ "3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF205407F4793A1A0BA12510DBC15077BE463FFF4FED\
BA12510DBC15077BE463FFF4FED4AAC0BB555BE3A6C1B0C6B47B1BC3773\ 4AAC0BB555BE3A6C1B0C6B47B1BC3773BF7E8C6F62901228F8C28CBB18A55AE31341000A650196F931C77A\
BF7E8C6F62901228F8C28CBB18A55AE31341000A650196F931C77A57F2D\ 57F2DDF463E5E9EC144B777DE62AAAB8A8628AC376D282D6ED3864E67982428EBC831D14348F6F2F9193B5\
DF463E5E9EC144B777DE62AAAB8A8628AC376D282D6ED3864E67982428E\ 045AF2767164E1DFC967C1FB3F2E55A4BD1BFFE83B9C80D052B985D182EA0ADB2A3B7313D3FE14C8484B1E\
BC831D14348F6F2F9193B5045AF2767164E1DFC967C1FB3F2E55A4BD1BF\ 052588B9B7D2BBD2DF016199ECD06E1557CD0915B3353BBB64E0EC377FD028370DF92B52C7891428CDC67E\
FE83B9C80D052B985D182EA0ADB2A3B7313D3FE14C8484B1E052588B9B7\ B6184B523D1DB246C32F63078490F00EF8D647D148D47954515E2327CFEF98C582664B4C0F6CC41659",
D2BBD2DF016199ECD06E1557CD0915B3353BBB64E0EC377FD028370DF92\
B52C7891428CDC67EB6184B523D1DB246C32F63078490F00EF8D647D148\
D47954515E2327CFEF98C582664B4C0F6CC41659",
).unwrap(); ).unwrap();
let q = BigNum::from_hex_str( let q = BigNum::from_hex_str(
"8CF83642A709A097B447997640129DA299B1A47D1EB3750BA308B0FE64F\ "8CF83642A709A097B447997640129DA299B1A47D1EB3750BA308B0FE64F5FBD3",
5FBD3",
).unwrap(); ).unwrap();
let dh = Dh::from_params(p, g, q).unwrap(); let dh = Dh::from_params(p, g, q).unwrap();
ctx.set_tmp_dh(&dh).unwrap(); ctx.set_tmp_dh(&dh).unwrap();

9
openssl/src/pkcs12.rs
View File

@ -147,16 +147,17 @@ impl Pkcs12Builder {
password: &str, password: &str,
friendly_name: &str, friendly_name: &str,
pkey: &PKeyRef, pkey: &PKeyRef,
cert: &X509, cert: &X509, // FIXME X509Ref
) -> Result<Pkcs12, ErrorStack> { ) -> Result<Pkcs12, ErrorStack> {
unsafe { unsafe {
let pass = CString::new(password).unwrap(); let pass = CString::new(password).unwrap();
let friendly_name = CString::new(friendly_name).unwrap(); let friendly_name = CString::new(friendly_name).unwrap();
let pkey = pkey.as_ptr(); let pkey = pkey.as_ptr();
let cert = cert.as_ptr(); let cert = cert.as_ptr();
let ca = self.ca.as_ref().map(|ca| ca.as_ptr()).unwrap_or( let ca = self.ca
ptr::null_mut(), .as_ref()
); .map(|ca| ca.as_ptr())
.unwrap_or(ptr::null_mut());
let nid_key = self.nid_key.as_raw(); let nid_key = self.nid_key.as_raw();
let nid_cert = self.nid_cert.as_raw(); let nid_cert = self.nid_cert.as_raw();

129
openssl/src/ssl/connector.rs
View File

@ -132,13 +132,9 @@ impl SslConnector {
self.configure()?.connect(domain, stream) self.configure()?.connect(domain, stream)
} }
/// Initiates a client-side TLS session on a stream without performing hostname verification. #[deprecated(
/// since = "0.9.24",
/// # Warning note = "use `ConnectConfiguration::verify_hostname` and `ConnectConfiguration::use_server_name_indication` instead")]
///
/// You should think very carefully before you use this method. If hostname verification is not
/// used, *any* valid certificate for *any* site will be trusted for use from any other. This
/// introduces a significant vulnerability to man-in-the-middle attacks.
pub fn danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication< pub fn danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication<
S, S,
>( >(
@ -149,53 +145,80 @@ impl SslConnector {
S: Read + Write, S: Read + Write,
{ {
self.configure()? self.configure()?
.danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication(stream) .use_server_name_indication(false)
.verify_hostname(false)
.connect("", stream)
} }
/// Returns a structure allowing for configuration of a single TLS session before connection. /// Returns a structure allowing for configuration of a single TLS session before connection.
pub fn configure(&self) -> Result<ConnectConfiguration, ErrorStack> { pub fn configure(&self) -> Result<ConnectConfiguration, ErrorStack> {
Ssl::new(&self.0).map(ConnectConfiguration) Ssl::new(&self.0).map(|ssl| ConnectConfiguration { ssl, sni: true, verify_hostname: true })
} }
} }
/// A type which allows for configuration of a client-side TLS session before connection. /// A type which allows for configuration of a client-side TLS session before connection.
pub struct ConnectConfiguration(Ssl); pub struct ConnectConfiguration {
ssl: Ssl,
sni: bool,
verify_hostname: bool,
}
impl ConnectConfiguration { impl ConnectConfiguration {
#[deprecated(since = "0.9.23", #[deprecated(since = "0.9.23",
note = "ConnectConfiguration now implements Deref<Target=SslRef>")] note = "ConnectConfiguration now implements Deref<Target=SslRef>")]
pub fn ssl(&self) -> &Ssl { pub fn ssl(&self) -> &Ssl {
&self.0 &self.ssl
} }
#[deprecated(since = "0.9.23", #[deprecated(since = "0.9.23",
note = "ConnectConfiguration now implements DerefMut<Target=SslRef>")] note = "ConnectConfiguration now implements DerefMut<Target=SslRef>")]
pub fn ssl_mut(&mut self) -> &mut Ssl { pub fn ssl_mut(&mut self) -> &mut Ssl {
&mut self.0 &mut self.ssl
} }
/// Initiates a client-side TLS session on a stream. /// Configures the use of Server Name Indication (SNI) when connecting.
/// ///
/// The domain is used for SNI and hostname verification. /// Defaults to `true`.
pub fn connect<S>(mut self, domain: &str, stream: S) -> Result<SslStream<S>, HandshakeError<S>> pub fn use_server_name_indication(mut self, use_sni: bool) -> ConnectConfiguration {
where self.sni = use_sni;
S: Read + Write, self
{
self.0.set_hostname(domain)?;
setup_verify_hostname(&mut self.0, domain)?;
self.0.connect(stream)
} }
/// Initiates a client-side TLS session on a stream without performing hostname verification. /// Configures the use of hostname verification when connecting.
/// ///
/// The verification configuration of the connector's `SslContext` is not overridden. /// Defaults to `true`.
/// ///
/// # Warning /// # Warning
/// ///
/// You should think very carefully before you use this method. If hostname verification is not /// You should think very carefully before you use this method. If hostname verification is not
/// used, *any* valid certificate for *any* site will be trusted for use from any other. This /// used, *any* valid certificate for *any* site will be trusted for use from any other. This
/// introduces a significant vulnerability to man-in-the-middle attacks. /// introduces a significant vulnerability to man-in-the-middle attacks.
pub fn verify_hostname(mut self, verify_hostname: bool) -> ConnectConfiguration {
self.verify_hostname = verify_hostname;
self
}
/// Initiates a client-side TLS session on a stream.
///
/// The domain is used for SNI and hostname verification if enabled.
pub fn connect<S>(mut self, domain: &str, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
where
S: Read + Write,
{
if self.sni {
self.ssl.set_hostname(domain)?;
}
if self.verify_hostname {
setup_verify_hostname(&mut self.ssl, domain)?;
}
self.ssl.connect(stream)
}
#[deprecated(
since = "0.9.24",
note = "use `ConnectConfiguration::verify_hostname` and `ConnectConfiguration::use_server_name_indication` instead")]
pub fn danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication< pub fn danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication<
S, S,
>( >(
@ -205,7 +228,7 @@ impl ConnectConfiguration {
where where
S: Read + Write, S: Read + Write,
{ {
self.0.connect(stream) self.use_server_name_indication(false).verify_hostname(false).connect("", stream)
} }
} }
@ -213,13 +236,13 @@ impl Deref for ConnectConfiguration {
type Target = SslRef; type Target = SslRef;
fn deref(&self) -> &SslRef { fn deref(&self) -> &SslRef {
&self.0 &self.ssl
} }
} }
impl DerefMut for ConnectConfiguration { impl DerefMut for ConnectConfiguration {
fn deref_mut(&mut self) -> &mut SslRef { fn deref_mut(&mut self) -> &mut SslRef {
&mut self.0 &mut self.ssl
} }
} }
@ -471,7 +494,7 @@ mod verify {
} }
Err(_) => { Err(_) => {
if let Some(pattern) = name.dnsname() { if let Some(pattern) = name.dnsname() {
if matches_dns(pattern, domain, false) { if matches_dns(pattern, domain) {
return true; return true;
} }
} }
@ -483,26 +506,25 @@ mod verify {
} }
fn verify_subject_name(domain: &str, subject_name: &X509NameRef) -> bool { fn verify_subject_name(domain: &str, subject_name: &X509NameRef) -> bool {
if let Some(pattern) = subject_name.entries_by_nid(nid::COMMONNAME).next() { match subject_name.entries_by_nid(nid::COMMONNAME).next() {
Some(pattern) => {
let pattern = match str::from_utf8(pattern.data().as_slice()) { let pattern = match str::from_utf8(pattern.data().as_slice()) {
Ok(pattern) => pattern, Ok(pattern) => pattern,
Err(_) => return false, Err(_) => return false,
}; };
// Unlike with SANs, IP addresses in the subject name don't have a // Unlike SANs, IP addresses in the subject name don't have a
// different encoding. We need to pass this down to matches_dns to // different encoding.
// disallow wildcard matches with bogus patterns like *.0.0.1 match domain.parse::<IpAddr>() {
let is_ip = domain.parse::<IpAddr>().is_ok(); Ok(ip) => pattern.parse::<IpAddr>().ok().map_or(false, |pattern| pattern == ip),
Err(_) => matches_dns(pattern, domain),
if matches_dns(&pattern, domain, is_ip) { }
return true; }
None => false,
} }
} }
false fn matches_dns(mut pattern: &str, mut hostname: &str) -> bool {
}
fn matches_dns(mut pattern: &str, mut hostname: &str, is_ip: bool) -> bool {
// first strip trailing . off of pattern and hostname to normalize // first strip trailing . off of pattern and hostname to normalize
if pattern.ends_with('.') { if pattern.ends_with('.') {
pattern = &pattern[..pattern.len() - 1]; pattern = &pattern[..pattern.len() - 1];
@ -511,12 +533,12 @@ mod verify {
hostname = &hostname[..hostname.len() - 1]; hostname = &hostname[..hostname.len() - 1];
} }
matches_wildcard(pattern, hostname, is_ip).unwrap_or_else(|| pattern == hostname) matches_wildcard(pattern, hostname).unwrap_or_else(|| pattern == hostname)
} }
fn matches_wildcard(pattern: &str, hostname: &str, is_ip: bool) -> Option<bool> { fn matches_wildcard(pattern: &str, hostname: &str) -> Option<bool> {
// IP addresses and internationalized domains can't involved in wildcards // internationalized domains can't involved in wildcards
if is_ip || pattern.starts_with("xn--") { if pattern.starts_with("xn--") {
return None; return None;
} }
@ -578,22 +600,9 @@ mod verify {
} }
fn matches_ip(expected: &IpAddr, actual: &[u8]) -> bool { fn matches_ip(expected: &IpAddr, actual: &[u8]) -> bool {
match (expected, actual.len()) { match *expected {
(&IpAddr::V4(ref addr), 4) => actual == addr.octets(), IpAddr::V4(ref addr) => actual == addr.octets(),
(&IpAddr::V6(ref addr), 16) => { IpAddr::V6(ref addr) => actual == addr.octets(),
let segments = [
((actual[0] as u16) << 8) | actual[1] as u16,
((actual[2] as u16) << 8) | actual[3] as u16,
((actual[4] as u16) << 8) | actual[5] as u16,
((actual[6] as u16) << 8) | actual[7] as u16,
((actual[8] as u16) << 8) | actual[9] as u16,
((actual[10] as u16) << 8) | actual[11] as u16,
((actual[12] as u16) << 8) | actual[13] as u16,
((actual[14] as u16) << 8) | actual[15] as u16,
];
segments == addr.segments()
}
_ => false,
} }
} }
} }

84
openssl/src/ssl/tests/mod.rs
View File

@ -6,10 +6,10 @@ use std::io::prelude::*;
use std::io::{self, BufReader}; use std::io::{self, BufReader};
use std::iter; use std::iter;
use std::mem; use std::mem;
use std::net::{TcpStream, TcpListener, SocketAddr}; use std::net::{SocketAddr, TcpListener, TcpStream};
use std::path::Path; use std::path::Path;
use std::process::{Command, Child, Stdio, ChildStdin}; use std::process::{Child, ChildStdin, Command, Stdio};
use std::sync::atomic::{AtomicBool, ATOMIC_BOOL_INIT, Ordering}; use std::sync::atomic::{AtomicBool, Ordering, ATOMIC_BOOL_INIT};
use std::thread; use std::thread;
use std::time::Duration; use std::time::Duration;
use tempdir::TempDir; use tempdir::TempDir;
@ -18,10 +18,9 @@ use dh::Dh;
use hash::MessageDigest; use hash::MessageDigest;
use ocsp::{OcspResponse, RESPONSE_STATUS_UNAUTHORIZED}; use ocsp::{OcspResponse, RESPONSE_STATUS_UNAUTHORIZED};
use ssl; use ssl;
use ssl::{SslMethod, HandshakeError, SslContext, SslStream, Ssl, ShutdownResult, use ssl::{Error, HandshakeError, ShutdownResult, Ssl, SslAcceptorBuilder, SslConnectorBuilder,
SslConnectorBuilder, SslAcceptorBuilder, Error, SSL_VERIFY_PEER, SSL_VERIFY_NONE, SslContext, SslMethod, SslStream, SSL_VERIFY_NONE, SSL_VERIFY_PEER, STATUS_TYPE_OCSP};
STATUS_TYPE_OCSP}; use x509::{X509, X509Name, X509StoreContext, X509_FILETYPE_PEM};
use x509::{X509StoreContext, X509, X509Name, X509_FILETYPE_PEM};
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
use pkey::PKey; use pkey::PKey;
@ -35,7 +34,7 @@ static CERT: &'static [u8] = include_bytes!("../../../test/cert.pem");
static KEY: &'static [u8] = include_bytes!("../../../test/key.pem"); static KEY: &'static [u8] = include_bytes!("../../../test/key.pem");
fn next_addr() -> SocketAddr { fn next_addr() -> SocketAddr {
use std::sync::atomic::{AtomicUsize, ATOMIC_USIZE_INIT, Ordering}; use std::sync::atomic::{AtomicUsize, Ordering, ATOMIC_USIZE_INIT};
static PORT: AtomicUsize = ATOMIC_USIZE_INIT; static PORT: AtomicUsize = ATOMIC_USIZE_INIT;
let port = 15411 + PORT.fetch_add(1, Ordering::SeqCst); let port = 15411 + PORT.fetch_add(1, Ordering::SeqCst);
@ -104,15 +103,13 @@ impl Server {
#[allow(dead_code)] #[allow(dead_code)]
fn new_alpn() -> (Server, TcpStream) { fn new_alpn() -> (Server, TcpStream) {
Server::new_tcp( Server::new_tcp(&[
&[
"-www", "-www",
"-nextprotoneg", "-nextprotoneg",
"http/1.1,spdy/3.1", "http/1.1,spdy/3.1",
"-alpn", "-alpn",
"http/1.1,spdy/3.1", "http/1.1,spdy/3.1",
], ])
)
} }
} }
@ -157,10 +154,9 @@ macro_rules! run_test(
); );
); );
run_test!( run_test!(new_ctx, |method, _| {
new_ctx, SslContext::builder(method).unwrap();
|method, _| { SslContext::builder(method).unwrap(); } });
);
run_test!(verify_untrusted, |method, stream| { run_test!(verify_untrusted, |method, stream| {
let mut ctx = SslContext::builder(method).unwrap(); let mut ctx = SslContext::builder(method).unwrap();
@ -309,7 +305,7 @@ run_test!(verify_callback_data, |method, stream| {
}); });
run_test!(ssl_verify_callback, |method, stream| { run_test!(ssl_verify_callback, |method, stream| {
use std::sync::atomic::{AtomicUsize, ATOMIC_USIZE_INIT, Ordering}; use std::sync::atomic::{AtomicUsize, Ordering, ATOMIC_USIZE_INIT};
static CHECKED: AtomicUsize = ATOMIC_USIZE_INIT; static CHECKED: AtomicUsize = ATOMIC_USIZE_INIT;
@ -437,9 +433,9 @@ fn test_read() {
let mut stream = Ssl::new(&ctx.build()).unwrap().connect(tcp).unwrap(); let mut stream = Ssl::new(&ctx.build()).unwrap().connect(tcp).unwrap();
stream.write_all("GET /\r\n\r\n".as_bytes()).unwrap(); stream.write_all("GET /\r\n\r\n".as_bytes()).unwrap();
stream.flush().unwrap(); stream.flush().unwrap();
io::copy(&mut stream, &mut io::sink()).ok().expect( io::copy(&mut stream, &mut io::sink())
"read error", .ok()
); .expect("read error");
} }
#[test] #[test]
@ -994,9 +990,8 @@ fn verify_valid_hostname() {
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
let mut ssl = Ssl::new(&ctx.build()).unwrap(); let mut ssl = Ssl::new(&ctx.build()).unwrap();
ssl.param_mut().set_hostflags( ssl.param_mut()
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, .set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
);
ssl.param_mut().set_host("google.com").unwrap(); ssl.param_mut().set_host("google.com").unwrap();
let s = TcpStream::connect("google.com:443").unwrap(); let s = TcpStream::connect("google.com:443").unwrap();
@ -1019,9 +1014,8 @@ fn verify_invalid_hostname() {
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
let mut ssl = Ssl::new(&ctx.build()).unwrap(); let mut ssl = Ssl::new(&ctx.build()).unwrap();
ssl.param_mut().set_hostflags( ssl.param_mut()
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, .set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
);
ssl.param_mut().set_host("foobar.com").unwrap(); ssl.param_mut().set_host("foobar.com").unwrap();
let s = TcpStream::connect("google.com:443").unwrap(); let s = TcpStream::connect("google.com:443").unwrap();
@ -1057,7 +1051,12 @@ fn connector_invalid_no_hostname_verification() {
let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build(); let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build();
let s = TcpStream::connect("google.com:443").unwrap(); let s = TcpStream::connect("google.com:443").unwrap();
connector.danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication(s) connector
.configure()
.unwrap()
.use_server_name_indication(false)
.verify_hostname(false)
.connect("foobar.com", s)
.unwrap(); .unwrap();
} }
@ -1067,8 +1066,14 @@ fn connector_no_hostname_still_verifies() {
let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build(); let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build();
assert!(connector.danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication(tcp) assert!(
.is_err()); connector
.configure()
.unwrap()
.verify_hostname(false)
.connect("fizzbuzz.com", tcp)
.is_err()
);
} }
#[test] #[test]
@ -1079,7 +1084,12 @@ fn connector_no_hostname_can_disable_verify() {
connector.set_verify(SSL_VERIFY_NONE); connector.set_verify(SSL_VERIFY_NONE);
let connector = connector.build(); let connector = connector.build();
connector.danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication(tcp).unwrap(); connector
.configure()
.unwrap()
.verify_hostname(false)
.connect("foobar.com", tcp)
.unwrap();
} }
#[test] #[test]
@ -1101,9 +1111,7 @@ fn connector_client_server_mozilla_intermediate() {
}); });
let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap(); let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap();
connector connector.set_ca_file("test/root-ca.pem").unwrap();
.set_ca_file("test/root-ca.pem")
.unwrap();
let connector = connector.build(); let connector = connector.build();
let stream = TcpStream::connect(("127.0.0.1", port)).unwrap(); let stream = TcpStream::connect(("127.0.0.1", port)).unwrap();
@ -1135,9 +1143,7 @@ fn connector_client_server_mozilla_modern() {
}); });
let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap(); let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap();
connector connector.set_ca_file("test/root-ca.pem").unwrap();
.set_ca_file("test/root-ca.pem")
.unwrap();
let connector = connector.build(); let connector = connector.build();
let stream = TcpStream::connect(("127.0.0.1", port)).unwrap(); let stream = TcpStream::connect(("127.0.0.1", port)).unwrap();
@ -1239,7 +1245,8 @@ fn tmp_dh_callback() {
} }
#[test] #[test]
#[cfg(any(all(feature = "v101", ossl101, not(any(libressl261, libressl262, libressl26x))), all(feature = "v102", ossl102)))] #[cfg(any(all(feature = "v101", ossl101, not(any(libressl261, libressl262, libressl26x))),
all(feature = "v102", ossl102)))]
fn tmp_ecdh_callback() { fn tmp_ecdh_callback() {
use ec::EcKey; use ec::EcKey;
use nid; use nid;
@ -1306,7 +1313,8 @@ fn tmp_dh_callback_ssl() {
} }
#[test] #[test]
#[cfg(any(all(feature = "v101", ossl101, not(any(libressl261, libressl262, libressl26x))), all(feature = "v102", ossl102)))] #[cfg(any(all(feature = "v101", ossl101, not(any(libressl261, libressl262, libressl26x))),
all(feature = "v102", ossl102)))]
fn tmp_ecdh_callback_ssl() { fn tmp_ecdh_callback_ssl() {
use ec::EcKey; use ec::EcKey;
use nid; use nid;

2
test/add_target.sh
View File

@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
set -e set -eux
case "${TARGET}" in case "${TARGET}" in
"x86_64-unknown-linux-gnu") "x86_64-unknown-linux-gnu")

6
test/build_openssl.sh
View File

@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
set -e set -eux
if [ -d "${OPENSSL_DIR}" ]; then if [ -d "${OPENSSL_DIR}" ]; then
exit 0 exit 0
@ -21,6 +21,7 @@ esac
case "${TARGET}" in case "${TARGET}" in
"x86_64-unknown-linux-gnu") "x86_64-unknown-linux-gnu")
OS_COMPILER=linux-x86_64 OS_COMPILER=linux-x86_64
OS_FLAGS=""
;; ;;
"i686-unknown-linux-gnu") "i686-unknown-linux-gnu")
OS_COMPILER=linux-elf OS_COMPILER=linux-elf
@ -28,6 +29,7 @@ case "${TARGET}" in
;; ;;
"arm-unknown-linux-gnueabihf") "arm-unknown-linux-gnueabihf")
OS_COMPILER=linux-armv4 OS_COMPILER=linux-armv4
OS_FLAGS=""
export AR=arm-linux-gnueabihf-ar export AR=arm-linux-gnueabihf-ar
export CC=arm-linux-gnueabihf-gcc export CC=arm-linux-gnueabihf-gcc
;; ;;
@ -53,4 +55,4 @@ case "${LIBRARY}" in
esac esac
make -j$(nproc) make -j$(nproc)
make install make install_sw