Merge pull request #938 from sfackler/verified-chain

Add SslRef::verified_chain
2018-05-30 07:53:35 -07:00 · 2018-05-30 07:53:35 -07:00 · a1cb6a7328
parent a523219f6c 3456add537
commit a1cb6a7328
3 changed files with 31 additions and 14 deletions
--- a/openssl-sys/src/openssl/v110.rs
+++ b/openssl-sys/src/openssl/v110.rs
@ -280,6 +280,7 @@ extern "C" {
    );
    pub fn SSL_get_client_random(ssl: *const SSL, out: *mut c_uchar, len: size_t) -> size_t;
    pub fn SSL_get_server_random(ssl: *const SSL, out: *mut c_uchar, len: size_t) -> size_t;
+    pub fn SSL_get0_verified_chain(ssl: *const SSL) -> *mut stack_st_X509;
    pub fn X509_getm_notAfter(x: *const ::X509) -> *mut ::ASN1_TIME;
    pub fn X509_getm_notBefore(x: *const ::X509) -> *mut ::ASN1_TIME;
    pub fn X509_get0_signature(
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@ -1822,7 +1822,7 @@ impl SslCipherRef {
    }
 }

-foreign_type! {
+foreign_type_and_impl_send_sync! {
    type CType = ffi::SSL_SESSION;
    fn drop = ffi::SSL_SESSION_free;

@ -1837,9 +1837,6 @@ foreign_type! {
    pub struct SslSessionRef;
 }

-unsafe impl Sync for SslSession {}
-unsafe impl Send for SslSession {}
-
 impl Clone for SslSession {
    fn clone(&self) -> SslSession {
        SslSessionRef::to_owned(self)
@ -1927,7 +1924,7 @@ impl SslSessionRef {
    }
 }

-foreign_type! {
+foreign_type_and_impl_send_sync! {
    type CType = ffi::SSL;
    fn drop = ffi::SSL_free;

@ -1945,9 +1942,6 @@ foreign_type! {
    pub struct SslRef;
 }

-unsafe impl Sync for Ssl {}
-unsafe impl Send for Ssl {}
-
 impl fmt::Debug for Ssl {
    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
        fmt::Debug::fmt(&**self, fmt)
@ -2254,6 +2248,30 @@ impl SslRef {
        }
    }

+    /// Returns the verified certificate chani of the peer, including the leaf certificate.
+    ///
+    /// If verification was not successful (i.e. [`verify_result`] does not return
+    /// [`X509VerifyResult::OK`]), this chain may be incomplete or invalid.
+    ///
+    /// Requires OpenSSL 1.1.0 or newer.
+    ///
+    /// This corresponds to [`SSL_get0_verified_chain`].
+    ///
+    /// [`verify_result`]: #method.verify_result
+    /// [`X509VerifyResult::OK`]: ../x509/struct.X509VerifyResult.html#associatedconstant.OK
+    /// [`SSL_get0_verified_chain`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_get0_verified_chain.html
+    #[cfg(ossl110)]
+    pub fn verified_chain(&self) -> Option<&StackRef<X509>> {
+        unsafe {
+            let ptr = ffi::SSL_get0_verified_chain(self.as_ptr());
+            if ptr.is_null() {
+                None
+            } else {
+                Some(StackRef::from_ptr(ptr))
+            }
+        }
+    }
+
    /// Like [`SslContext::certificate`].
    ///
    /// This corresponds to `SSL_get_certificate`.
--- a/openssl/src/x509/store.rs
+++ b/openssl/src/x509/store.rs
@ -44,11 +44,11 @@ use ffi;
 use foreign_types::ForeignTypeRef;
 use std::mem;

-use {cvt, cvt_p};
 use error::ErrorStack;
 use x509::X509;
+use {cvt, cvt_p};

-foreign_type! {
+foreign_type_and_impl_send_sync! {
    type CType = ffi::X509_STORE;
    fn drop = ffi::X509_STORE_free;

@ -82,9 +82,7 @@ impl X509StoreBuilderRef {
    /// Adds a certificate to the certificate store.
    // FIXME should take an &X509Ref
    pub fn add_cert(&mut self, cert: X509) -> Result<(), ErrorStack> {
-        unsafe {
-            cvt(ffi::X509_STORE_add_cert(self.as_ptr(), cert.as_ptr())).map(|_| ())
-        }
+        unsafe { cvt(ffi::X509_STORE_add_cert(self.as_ptr(), cert.as_ptr())).map(|_| ()) }
    }

    /// Load certificates from their default locations.
@ -97,7 +95,7 @@ impl X509StoreBuilderRef {
    }
 }

-foreign_type! {
+foreign_type_and_impl_send_sync! {
    type CType = ffi::X509_STORE;
    fn drop = ffi::X509_STORE_free;