Merge branch 'release-sys-v0.7.17-v0.8.2' into release

README.md

@@ -2,7 +2,7 @@
 
 [![Build Status](https://travis-ci.org/sfackler/rust-openssl.svg?branch=master)](https://travis-ci.org/sfackler/rust-openssl)
 
-[Documentation](https://sfackler.github.io/rust-openssl/doc/v0.8.1/openssl).
+[Documentation](https://sfackler.github.io/rust-openssl/doc/v0.8.2/openssl).
 
 ## Building
 

openssl-sys/Cargo.toml

@@ -1,12 +1,12 @@
 [package]
 name = "openssl-sys"
-version = "0.7.16"
+version = "0.7.17"
 authors = ["Alex Crichton <alex@alexcrichton.com>",
            "Steven Fackler <sfackler@gmail.com>"]
 license = "MIT"
 description = "FFI bindings to OpenSSL"
 repository = "https://github.com/sfackler/rust-openssl"
-documentation = "https://sfackler.github.io/rust-openssl/doc/v0.7.16/openssl_sys"
+documentation = "https://sfackler.github.io/rust-openssl/doc/v0.7.17/openssl_sys"
 links = "openssl"
 build = "build.rs"
 

openssl-sys/src/lib.rs

@@ -1,13 +1,13 @@
 #![allow(non_camel_case_types, non_upper_case_globals, non_snake_case)]
 #![allow(dead_code)]
-#![doc(html_root_url="https://sfackler.github.io/rust-openssl/doc/v0.7.16")]
+#![doc(html_root_url="https://sfackler.github.io/rust-openssl/doc/v0.7.17")]
 
 extern crate libc;
 
 #[cfg(target_os = "nacl")]
 extern crate libressl_pnacl_sys;
 
-use libc::{c_void, c_int, c_char, c_ulong, c_long, c_uint, c_uchar, size_t};
+use libc::{c_void, c_int, c_char, c_ulong, c_long, c_uint, c_uchar, size_t, FILE};
 use std::mem;
 use std::ptr;
 use std::sync::{Mutex, MutexGuard};
@@ -625,13 +625,16 @@ extern "C" {
     pub fn ASN1_INTEGER_set(dest: *mut ASN1_INTEGER, value: c_long) -> c_int;
     pub fn ASN1_STRING_type_new(ty: c_int) -> *mut ASN1_STRING;
     pub fn ASN1_TIME_free(tm: *mut ASN1_TIME);
+    pub fn ASN1_TIME_print(b: *mut BIO, tm: *const ASN1_TIME) -> c_int;
 
     pub fn BIO_ctrl(b: *mut BIO, cmd: c_int, larg: c_long, parg: *mut c_void) -> c_long;
     pub fn BIO_free_all(b: *mut BIO);
     pub fn BIO_new(type_: *const BIO_METHOD) -> *mut BIO;
+    pub fn BIO_new_fp(stream: *mut FILE, close_flag: c_int) -> *mut BIO;
     pub fn BIO_new_socket(sock: c_int, close_flag: c_int) -> *mut BIO;
     pub fn BIO_read(b: *mut BIO, buf: *mut c_void, len: c_int) -> c_int;
     pub fn BIO_write(b: *mut BIO, buf: *const c_void, len: c_int) -> c_int;
+    pub fn BIO_s_file() -> *const BIO_METHOD;
     pub fn BIO_s_mem() -> *const BIO_METHOD;
     pub fn BIO_new_mem_buf(buf: *const c_void, len: c_int) -> *mut BIO;
     pub fn BIO_set_flags(b: *mut BIO, flags: c_int);
@@ -1070,6 +1073,7 @@ extern "C" {
     pub fn X509_REQ_add_extensions(req: *mut X509_REQ, exts: *mut stack_st_X509_EXTENSION) -> c_int;
     pub fn X509_REQ_sign(x: *mut X509_REQ, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> c_int;
 
+    pub fn d2i_X509(a: *mut *mut X509, pp: *mut *mut c_uchar, length: c_long) -> *mut X509;
     pub fn i2d_X509_bio(b: *mut BIO, x: *mut X509) -> c_int;
     pub fn i2d_X509_REQ_bio(b: *mut BIO, x: *mut X509_REQ) -> c_int;
 

openssl/Cargo.toml

@@ -1,11 +1,11 @@
 [package]
 name = "openssl"
-version = "0.8.1"
+version = "0.8.2"
 authors = ["Steven Fackler <sfackler@gmail.com>"]
 license = "Apache-2.0"
 description = "OpenSSL bindings"
 repository = "https://github.com/sfackler/rust-openssl"
-documentation = "https://sfackler.github.io/rust-openssl/doc/v0.8.1/openssl"
+documentation = "https://sfackler.github.io/rust-openssl/doc/v0.8.2/openssl"
 readme = "../README.md"
 keywords = ["crypto", "tls", "ssl", "dtls"]
 build = "build.rs"
@@ -30,6 +30,7 @@ hmac_clone = ["openssl-sys/hmac_clone"]
 c_helpers = ["gcc"]
 x509_clone = ["c_helpers"]
 x509_generator_request = ["c_helpers"]
+x509_expiry = ["c_helpers"]
 ssl_context_clone = ["c_helpers"]
 hmac = ["c_helpers"]
 dh_from_params = ["c_helpers"]
@@ -38,7 +39,7 @@ dh_from_params = ["c_helpers"]
 bitflags = "0.7"
 lazy_static = "0.2"
 libc = "0.2"
-openssl-sys = { version = "0.7.16", path = "../openssl-sys" }
+openssl-sys = { version = "0.7.17", path = "../openssl-sys" }
 
 [build-dependencies]
 gcc = { version = "0.3", optional = true }

openssl/src/asn1/mod.rs

@@ -1,15 +1,19 @@
 use libc::c_long;
-use std::ptr;
+use std::{ptr, fmt};
+use std::marker::PhantomData;
+use std::ops::Deref;
 
+use bio::MemBio;
 use ffi;
 use error::ErrorStack;
 
-pub struct Asn1Time(*mut ffi::ASN1_TIME);
+/// Corresponds to the ASN.1 structure Time defined in RFC5280
+pub struct Asn1Time(Asn1TimeRef<'static>);
 
 impl Asn1Time {
     /// Wraps existing ASN1_TIME and takes ownership
     pub unsafe fn from_ptr(handle: *mut ffi::ASN1_TIME) -> Asn1Time {
-        Asn1Time(handle)
+        Asn1Time(Asn1TimeRef::from_ptr(handle))
     }
 
     fn from_period(period: c_long) -> Result<Asn1Time, ErrorStack> {
@@ -25,6 +29,24 @@ impl Asn1Time {
     pub fn days_from_now(days: u32) -> Result<Asn1Time, ErrorStack> {
         Asn1Time::from_period(days as c_long * 60 * 60 * 24)
     }
+}
+
+impl Deref for Asn1Time {
+    type Target = Asn1TimeRef<'static>;
+
+    fn deref(&self) -> &Asn1TimeRef<'static> {
+        &self.0
+    }
+}
+
+/// A borrowed Asn1Time
+pub struct Asn1TimeRef<'a>(*mut ffi::ASN1_TIME, PhantomData<&'a ()>);
+
+impl<'a> Asn1TimeRef<'a> {
+    /// Creates a new `Asn1TimeRef` wrapping the provided handle.
+    pub unsafe fn from_ptr(handle: *mut ffi::ASN1_TIME) -> Asn1TimeRef<'a> {
+        Asn1TimeRef(handle, PhantomData)
+    }
 
     /// Returns the raw handle
     pub fn as_ptr(&self) -> *mut ffi::ASN1_TIME {
@@ -32,8 +54,19 @@ impl Asn1Time {
     }
 }
 
-impl Drop for Asn1Time {
-    fn drop(&mut self) {
-        unsafe { ffi::ASN1_TIME_free(self.0) };
+impl<'a> fmt::Display for Asn1TimeRef<'a> {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        let mem_bio = try!(MemBio::new());
+        let as_str = unsafe {
+            try_ssl!(ffi::ASN1_TIME_print(mem_bio.as_ptr(), self.0));
+            String::from_utf8_unchecked(mem_bio.get_buf().to_owned())
+        };
+        write!(f, "{}", as_str)
+    }
+}
+
+impl Drop for Asn1Time {
+    fn drop(&mut self) {
+        unsafe { ffi::ASN1_TIME_free(self.as_ptr()) };
     }
 }

openssl/src/c_helpers.c

@@ -15,6 +15,14 @@ STACK_OF(X509_EXTENSION) *rust_0_8_X509_get_extensions(X509 *x) {
     return x->cert_info ? x->cert_info->extensions : NULL;
 }
 
+ASN1_TIME* rust_0_8_X509_get_notAfter(X509 *x) {
+  return X509_get_notAfter(x);
+}
+
+ASN1_TIME* rust_0_8_X509_get_notBefore(X509 *x) {
+  return X509_get_notBefore(x);
+}
+
 DH *rust_0_8_DH_new_from_params(BIGNUM *p, BIGNUM *g, BIGNUM *q) {
     DH *dh;
 

openssl/src/c_helpers.rs

@@ -6,7 +6,8 @@ extern "C" {
     pub fn rust_0_8_SSL_CTX_clone(cxt: *mut ffi::SSL_CTX);
     pub fn rust_0_8_X509_clone(x509: *mut ffi::X509);
     pub fn rust_0_8_X509_get_extensions(x: *mut ffi::X509) -> *mut ffi::stack_st_X509_EXTENSION;
-
+    pub fn rust_0_8_X509_get_notAfter(x: *mut ffi::X509) -> *mut ffi::ASN1_TIME;
+    pub fn rust_0_8_X509_get_notBefore(x: *mut ffi::X509) -> *mut ffi::ASN1_TIME;
     pub fn rust_0_8_HMAC_Init_ex(ctx: *mut ffi::HMAC_CTX, key: *const c_void, keylen: c_int, md: *const ffi::EVP_MD, impl_: *mut ffi::ENGINE) -> c_int;
     pub fn rust_0_8_HMAC_Final(ctx: *mut ffi::HMAC_CTX, output: *mut c_uchar, len: *mut c_uint) -> c_int;
     pub fn rust_0_8_HMAC_Update(ctx: *mut ffi::HMAC_CTX, input: *const c_uchar, len: c_uint) -> c_int;

openssl/src/error.rs

@@ -54,6 +54,12 @@ impl From<ErrorStack> for io::Error {
     }
 }
 
+impl From<ErrorStack> for fmt::Error {
+    fn from(_: ErrorStack) -> fmt::Error {
+        fmt::Error
+    }
+}
+
 /// An error reported from OpenSSL.
 pub struct Error(c_ulong);
 

openssl/src/lib.rs

@@ -1,4 +1,4 @@
-#![doc(html_root_url="https://sfackler.github.io/rust-openssl/doc/v0.8.1")]
+#![doc(html_root_url="https://sfackler.github.io/rust-openssl/doc/v0.8.2")]
 
 #[macro_use]
 extern crate bitflags;

openssl/src/ssl/mod.rs

@@ -535,9 +535,14 @@ impl<'a> SslContextRef<'a> {
     /// Adds a certificate to the certificate chain presented together with the
     /// certificate specified using set_certificate()
     pub fn add_extra_chain_cert(&mut self, cert: &X509Ref) -> Result<(), ErrorStack> {
-        wrap_ssl_result(unsafe {
-            ffi::SSL_CTX_add_extra_chain_cert(self.as_ptr(), cert.as_ptr()) as c_int
-        })
+        // FIXME this should really just take an X509 by value
+        let der = try!(cert.to_der());
+        let cert = try!(X509::from_der(&der));
+        unsafe {
+            try_ssl!(ffi::SSL_CTX_add_extra_chain_cert(self.as_ptr(), cert.as_ptr()));
+        }
+        mem::forget(cert);
+        Ok(())
     }
 
     /// Specifies the file that contains private key

openssl/src/ssl/tests/mod.rs

@@ -909,6 +909,7 @@ fn test_write_nonblocking() {
 }
 
 #[test]
+#[cfg_attr(windows, ignore)] // FIXME flickers on appveyor
 fn test_read_nonblocking() {
     let (_s, stream) = Server::new();
     stream.set_nonblocking(true).unwrap();
@@ -1080,3 +1081,11 @@ fn default_verify_paths() {
     assert!(result.starts_with(b"HTTP/1.0"));
     assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>"));
 }
+
+#[test]
+fn add_extra_chain_cert() {
+    let cert = include_bytes!("../../../test/cert.pem");
+    let cert = X509::from_pem(cert).unwrap();
+    let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap();
+    ctx.add_extra_chain_cert(&cert).unwrap();
+}

openssl/src/x509/mod.rs

@@ -1,4 +1,5 @@
 use libc::{c_char, c_int, c_long, c_ulong, c_void};
+use std::cmp;
 use std::ffi::CString;
 use std::mem;
 use std::ptr;
@@ -11,6 +12,9 @@ use std::marker::PhantomData;
 
 use HashTypeInternals;
 use asn1::Asn1Time;
+#[cfg(feature = "x509_expiry")]
+use asn1::Asn1TimeRef;
+
 use bio::{MemBio, MemBioSlice};
 use crypto::hash;
 use crypto::hash::Type as HashType;
@@ -433,6 +437,28 @@ impl<'a> X509Ref<'a> {
         }
     }
 
+    /// Returns certificate Not After validity period.
+    /// Requires the `x509_expiry` feature.
+    #[cfg(feature = "x509_expiry")]
+    pub fn not_after<'b>(&'b self) -> Asn1TimeRef<'b> {
+        unsafe {
+            let date = ::c_helpers::rust_0_8_X509_get_notAfter(self.0);
+            assert!(!date.is_null());
+            Asn1TimeRef::from_ptr(date)
+        }
+    }
+
+    /// Returns certificate Not Before validity period.
+    /// Requires the `x509_expiry` feature.
+    #[cfg(feature = "x509_expiry")]
+    pub fn not_before<'b>(&'b self) -> Asn1TimeRef<'b> {
+        unsafe {
+            let date = ::c_helpers::rust_0_8_X509_get_notBefore(self.0);
+            assert!(!date.is_null());
+            Asn1TimeRef::from_ptr(date)
+        }
+    }
+
     /// Writes certificate as PEM
     pub fn to_pem(&self) -> Result<Vec<u8>, ErrorStack> {
         let mem_bio = try!(MemBio::new());
@@ -467,6 +493,16 @@ impl X509 {
         X509::from_ptr(x509)
     }
 
+    /// Reads a certificate from DER.
+    pub fn from_der(buf: &[u8]) -> Result<X509, ErrorStack> {
+        unsafe {
+            let mut ptr = buf.as_ptr() as *mut _;
+            let len = cmp::min(buf.len(), c_long::max_value() as usize) as c_long;
+            let x509 = try_ssl_null!(ffi::d2i_X509(ptr::null_mut(), &mut ptr, len));
+            Ok(X509::from_ptr(x509))
+        }
+    }
+
     /// Reads a certificate from PEM.
     pub fn from_pem(buf: &[u8]) -> Result<X509, ErrorStack> {
         let mem_bio = try!(MemBioSlice::new(buf));

openssl/src/x509/tests.rs

@@ -92,6 +92,18 @@ fn test_cert_loading() {
     assert_eq!(fingerprint, hash_vec);
 }
 
+#[test]
+#[cfg(feature = "x509_expiry")]
+fn test_cert_issue_validity() {
+    let cert = include_bytes!("../../test/cert.pem");
+    let cert = X509::from_pem(cert).ok().expect("Failed to load PEM");
+    let not_before = cert.not_before().to_string();
+    let not_after = cert.not_after().to_string();
+
+    assert_eq!(not_before, "Aug 14 17:00:03 2016 GMT");
+    assert_eq!(not_after, "Aug 12 17:00:03 2026 GMT");
+}
+
 #[test]
 fn test_save_der() {
     let cert = include_bytes!("../../test/cert.pem");

openssl/test/build.sh

@@ -1,6 +1,11 @@
 #!/bin/bash
 set -e
 
+MAX_REDIRECTS=5
+OPENSSL=openssl-1.0.2h.tar.gz
+OUT=/tmp/$OPENSSL
+SHA1="577585f5f5d299c44dd3c993d3c0ac7a219e4949"
+
 if [ "$TRAVIS_OS_NAME" == "osx" ]; then
     exit 0
 fi
@@ -13,9 +18,16 @@ else
     OS_COMPILER=linux-x86_64
 fi
 
-mkdir /tmp/openssl
+mkdir -p /tmp/openssl
 cd /tmp/openssl
-curl https://openssl.org/source/openssl-1.0.2h.tar.gz | tar --strip-components=1 -xzf -
+
+curl -o $OUT -L --max-redirs $MAX_REDIRECTS https://openssl.org/source/$OPENSSL \
+  || curl -o $OUT -L --max-redirs ${MAX_REDIRECTS} http://mirrors.ibiblio.org/openssl/source/$OPENSSL
+
+echo "$SHA1  $OUT" | sha1sum -c -
+
+tar --strip-components=1 -xzf $OUT
+
 ./Configure --prefix=$HOME/openssl shared --cross-compile-prefix=$CROSS $OS_COMPILER
 make
 make install

openssl/test/run.sh

@@ -4,7 +4,7 @@ set -e
 MAIN_TARGETS=https://static.rust-lang.org/dist
 
 if [ "$TEST_FEATURES" == "true" ]; then
-    FEATURES="tlsv1_2 tlsv1_1 dtlsv1 dtlsv1_2 sslv3 aes_xts aes_ctr npn alpn rfc5114 ecdh_auto pkcs5_pbkdf2_hmac x509_clone ssl_context_clone x509_generator_request hmac hmac_clone dh_from_params"
+    FEATURES="tlsv1_2 tlsv1_1 dtlsv1 dtlsv1_2 sslv3 aes_xts aes_ctr npn alpn rfc5114 ecdh_auto pkcs5_pbkdf2_hmac x509_clone ssl_context_clone x509_generator_request hmac hmac_clone dh_from_params x509_expiry"
 fi
 
 if [ "$TRAVIS_OS_NAME" != "osx" ]; then