From 3456add537d03aef8a5becc9cbaa77910a1ecb3f Mon Sep 17 00:00:00 2001
From: Steven Fackler
Date: Tue, 29 May 2018 21:53:22 -0700
Subject: [PATCH] Add SslRef::verified_chain
---
 openssl-sys/src/openssl/v110.rs | 1 +
 openssl/src/ssl/mod.rs | 34 +++++++++++++++++++++++++--------
 openssl/src/x509/store.rs | 10 ++++------
 3 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/openssl-sys/src/openssl/v110.rs b/openssl-sys/src/openssl/v110.rs
index 4f1aa1c1..47d2bee4 100644
--- a/openssl-sys/src/openssl/v110.rs
+++ b/openssl-sys/src/openssl/v110.rs
@@ -280,6 +280,7 @@ extern "C" {
 );
 pub fn SSL_get_client_random(ssl: *const SSL, out: *mut c_uchar, len: size_t) -> size_t;
 pub fn SSL_get_server_random(ssl: *const SSL, out: *mut c_uchar, len: size_t) -> size_t;
+ pub fn SSL_get0_verified_chain(ssl: *const SSL) -> *mut stack_st_X509;
 pub fn X509_getm_notAfter(x: *const ::X509) -> *mut ::ASN1_TIME;
 pub fn X509_getm_notBefore(x: *const ::X509) -> *mut ::ASN1_TIME;
 pub fn X509_get0_signature(
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index e24c3498..0f3f9624 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -1822,7 +1822,7 @@ impl SslCipherRef {
 }
 }
 
-foreign_type! {
+foreign_type_and_impl_send_sync! {
 type CType = ffi::SSL_SESSION;
 fn drop = ffi::SSL_SESSION_free;
 
@@ -1837,9 +1837,6 @@ foreign_type! {
 pub struct SslSessionRef;
 }
 
-unsafe impl Sync for SslSession {}
-unsafe impl Send for SslSession {}
-
 impl Clone for SslSession {
 fn clone(&self) -> SslSession {
 SslSessionRef::to_owned(self)
@@ -1927,7 +1924,7 @@ impl SslSessionRef {
 }
 }
 
-foreign_type! {
+foreign_type_and_impl_send_sync! {
 type CType = ffi::SSL;
 fn drop = ffi::SSL_free;
 
@@ -1945,9 +1942,6 @@ foreign_type! {
 pub struct SslRef;
 }
 
-unsafe impl Sync for Ssl {}
-unsafe impl Send for Ssl {}
-
 impl fmt::Debug for Ssl {
 fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
 fmt::Debug::fmt(&**self, fmt)
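Review bot: The new `SSL_get0_verified_chain` declaration carries no note on ownership; as a `get0` accessor it returns a stack owned by the `SSL` object that the caller must neither free nor keep past that object's lifetime, and a one-line comment such as `// get0: returned stack is owned by the SSL object; do not free.` would keep that contract visible at the FFI boundary where it is easiest to get wrong. The `*mut stack_st_X509` return appears consistent with the `STACK_OF(X509) *` signature in OpenSSL's headers, and placing it in v110.rs matches the 1.1.0 availability the safe wrapper documents. The enclosing `extern "C"` block starts and ends outside the hunk.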
@@ -2254,6 +2248,30 @@ impl SslRef {
 }
 }
 
+ /// Returns the verified certificate chani of the peer, including the leaf certificate.
+ ///
+ /// If verification was not successful (i.e. [`verify_result`] does not return
+ /// [`X509VerifyResult::OK`]), this chain may be incomplete or invalid.
+ ///
+ /// Requires OpenSSL 1.1.0 or newer.
+ ///
+ /// This corresponds to [`SSL_get0_verified_chain`].
+ ///
+ /// [`verify_result`]: #method.verify_result
+ /// [`X509VerifyResult::OK`]: ../x509/struct.X509VerifyResult.html#associatedconstant.OK
+ /// [`SSL_get0_verified_chain`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_get0_verified_chain.html
+ #[cfg(ossl110)]
+ pub fn verified_chain(&self) -> Option<&StackRef> {
+ unsafe {
+ let ptr = ffi::SSL_get0_verified_chain(self.as_ptr());
+ if ptr.is_null() {
+ None
+ } else {
+ Some(StackRef::from_ptr(ptr))
+ }
+ }
+ }
+
 /// Like [`SslContext::certificate`].
 ///
 /// This corresponds to `SSL_get_certificate`.
diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs
index 4d6bc9ab..f533d9c7 100644
--- a/openssl/src/x509/store.rs
+++ b/openssl/src/x509/store.rs
@@ -44,11 +44,11 @@ use ffi;
 use foreign_types::ForeignTypeRef;
 use std::mem;
 
-use {cvt, cvt_p};
 use error::ErrorStack;
 use x509::X509;
+use {cvt, cvt_p};
 
-foreign_type! {
+foreign_type_and_impl_send_sync! {
 type CType = ffi::X509_STORE;
 fn drop = ffi::X509_STORE_free;
 
@@ -82,9 +82,7 @@ impl X509StoreBuilderRef {
 /// Adds a certificate to the certificate store.
 // FIXME should take an &X509Ref
 pub fn add_cert(&mut self, cert: X509) -> Result<(), ErrorStack> {
- unsafe {
- cvt(ffi::X509_STORE_add_cert(self.as_ptr(), cert.as_ptr())).map(|_| ())
- }
+ unsafe { cvt(ffi::X509_STORE_add_cert(self.as_ptr(), cert.as_ptr())).map(|_| ()) }
 }
 
 /// Load certificates from their default locations.
@@ -97,7 +95,7 @@ impl X509StoreBuilderRef {
 }
 }
 
-foreign_type! {
+foreign_type_and_impl_send_sync! {
 type CType = ffi::X509_STORE;
 fn drop = ffi::X509_STORE_free;
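Review bot: The first line of the new doc comment misspells "chain" as "chani"; it should read `/// Returns the verified certificate chain of the peer, including the leaf certificate.` The return type prints as `Option<&StackRef>` in this hunk, which looks like the `X509` type parameter of `StackRef` was lost in rendering rather than omitted in the source — worth confirming against the applied file. Since the chain comes from the verifier, the docs would be safer stating the contract directly: a `Some` result is only meaningful once `verify_result()` has returned `X509VerifyResult::OK`, and `None` means no verified chain is available (for example before the handshake completes or when the peer presented no certificate), with the OpenSSL manual as the reference for the exact conditions; a sentence after the existing caveat would make that usage explicit. The enclosing `impl SslRef` starts and ends outside the hunk.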