Support hostname verification

Closes #206

openssl-sys/src/ossl110.rs

@@ -1,25 +1,28 @@
-use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long};
+use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long, c_uint, size_t};
 
+pub enum BIGNUM {}
+pub enum BIO {}
+pub enum BIO_METHOD {}
+pub enum CRYPTO_EX_DATA {}
+pub enum DH {}
+pub enum DSA {}
+pub enum EVP_CIPHER {}
+pub enum EVP_MD_CTX {}
+pub enum EVP_PKEY {}
+pub enum HMAC_CTX {}
+pub enum OPENSSL_STACK {}
+pub enum RSA {}
+pub enum SSL_CTX {}
+pub enum _STACK {}
+pub enum stack_st_ASN1_OBJECT {}
+pub enum stack_st_GENERAL_NAME {}
+pub enum stack_st_OPENSSL_STRING {}
+pub enum stack_st_void {}
 pub enum stack_st_X509 {}
 pub enum stack_st_X509_ATTRIBUTE {}
 pub enum stack_st_X509_EXTENSION {}
-pub enum stack_st_GENERAL_NAME {}
-pub enum stack_st_void {}
-pub enum _STACK {}
-pub enum BIO_METHOD {}
-pub enum RSA {}
-pub enum DSA {}
-pub enum EVP_PKEY {}
-pub enum BIO {}
-pub enum CRYPTO_EX_DATA {}
-pub enum EVP_MD_CTX {}
-pub enum EVP_CIPHER {}
-pub enum HMAC_CTX {}
-pub enum BIGNUM {}
-pub enum OPENSSL_STACK {}
-pub enum DH {}
 pub enum X509 {}
-pub enum SSL_CTX {}
+pub enum X509_VERIFY_PARAM {}
 
 pub const SSL_OP_MICROSOFT_SESS_ID_BUG: c_ulong =                   0x00000000;
 pub const SSL_OP_NETSCAPE_CHALLENGE_BUG: c_ulong =                  0x00000000;
@@ -41,6 +44,13 @@ pub const OPENSSL_DIR: c_int = 4;
 pub const CRYPTO_EX_INDEX_SSL: c_int = 0;
 pub const CRYPTO_EX_INDEX_SSL_CTX: c_int = 1;
 
+pub const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT: c_uint = 0x1;
+pub const X509_CHECK_FLAG_NO_WILDCARDS: c_uint = 0x2;
+pub const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS: c_uint = 0x4;
+pub const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS: c_uint = 0x8;
+pub const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS: c_uint = 0x10;
+pub const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT: c_uint = 0x20;
+
 pub fn init() {}
 
 extern {
@@ -96,8 +106,13 @@ extern {
     pub fn SSL_CTX_get_options(ctx: *const ::SSL_CTX) -> c_ulong;
     pub fn SSL_CTX_set_options(ctx: *mut ::SSL_CTX, op: c_ulong) -> c_ulong;
     pub fn SSL_CTX_clear_options(ctx: *mut ::SSL_CTX, op: c_ulong) -> c_ulong;
+    pub fn SSL_get0_param(ssl: *mut ::SSL) -> *mut X509_VERIFY_PARAM;
     pub fn X509_getm_notAfter(x: *const ::X509) -> *mut ::ASN1_TIME;
     pub fn X509_getm_notBefore(x: *const ::X509) -> *mut ::ASN1_TIME;
+    pub fn X509_VERIFY_PARAM_set_hostflags(param: *mut X509_VERIFY_PARAM, flags: c_uint);
+    pub fn X509_VERIFY_PARAM_set1_host(param: *mut X509_VERIFY_PARAM,
+                                       name: *const c_char,
+                                       namelen: size_t) -> c_int;
     pub fn DH_set0_pqg(dh: *mut ::DH,
                        p: *mut ::BIGNUM,
                        q: *mut ::BIGNUM,

openssl/src/ssl/mod.rs

@@ -22,6 +22,8 @@ use ffi;
 use init;
 use dh::DH;
 use x509::{X509StoreContext, X509FileType, X509, X509Ref};
+#[cfg(feature = "openssl-110")]
+use x509::verify::X509VerifyParamRef;
 use crypto::pkey::PKey;
 use error::ErrorStack;
 
@@ -988,6 +990,16 @@ impl<'a> SslRef<'a> {
             SslContextRef::from_ptr(ssl_ctx)
         }
     }
+
+    /// Returns the X509 verification configuration.
+    ///
+    /// Requires the `openssl-110` feature.
+    #[cfg(feature = "openssl-110")]
+    pub fn param(&mut self) -> X509VerifyParamRef<'a> {
+        unsafe {
+            X509VerifyParamRef::from_ptr(ffi::SSL_get0_param(self.as_ptr()))
+        }
+    }
 }
 
 pub struct Ssl(SslRef<'static>);

openssl/src/ssl/tests/mod.rs

@@ -21,9 +21,13 @@ use ssl::SslMethod::Tls;
 use ssl::{SslMethod, HandshakeError};
 use ssl::error::Error;
 use ssl::{SslContext, SslStream};
+#[cfg(feature = "openssl-110")]
+use ssl::IntoSsl;
 use x509::X509StoreContext;
 use x509::X509FileType;
 use x509::X509;
+#[cfg(feature = "openssl-110")]
+use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
 use crypto::pkey::PKey;
 
 use std::net::UdpSocket;
@@ -1042,3 +1046,43 @@ fn add_extra_chain_cert() {
     let mut ctx = SslContext::new(SslMethod::Tls).unwrap();
     ctx.add_extra_chain_cert(&cert).unwrap();
 }
+
+#[test]
+#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :(
+#[cfg(feature = "openssl-110")]
+fn valid_hostname() {
+    let mut ctx = SslContext::new(SslMethod::Tls).unwrap();
+    ctx.set_default_verify_paths().unwrap();
+    ctx.set_verify(SSL_VERIFY_PEER);
+
+    let mut ssl = ctx.into_ssl().unwrap();
+    ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+    ssl.param().set_host("google.com").unwrap();
+
+    let s = TcpStream::connect("google.com:443").unwrap();
+    let mut socket = SslStream::connect(ssl, s).unwrap();
+
+    socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
+    let mut result = vec![];
+    socket.read_to_end(&mut result).unwrap();
+
+    println!("{}", String::from_utf8_lossy(&result));
+    assert!(result.starts_with(b"HTTP/1.0"));
+    assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>"));
+}
+
+#[test]
+#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :(
+#[cfg(feature = "openssl-110")]
+fn invalid_hostname() {
+    let mut ctx = SslContext::new(SslMethod::Tls).unwrap();
+    ctx.set_default_verify_paths().unwrap();
+    ctx.set_verify(SSL_VERIFY_PEER);
+
+    let mut ssl = ctx.into_ssl().unwrap();
+    ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+    ssl.param().set_host("foobar.com").unwrap();
+
+    let s = TcpStream::connect("google.com:443").unwrap();
+    assert!(SslStream::connect(ssl, s).is_err());
+}

openssl/src/x509/mod.rs

@@ -38,6 +38,9 @@ use ffi::{
 
 pub mod extension;
 
+#[cfg(feature = "openssl-110")]
+pub mod verify;
+
 use self::extension::{ExtensionType, Extension};
 
 #[cfg(test)]

openssl/src/x509/verify.rs

@@ -0,0 +1,41 @@
+use std::marker::PhantomData;
+use libc::c_uint;
+use ffi;
+
+use error::ErrorStack;
+
+bitflags! {
+    pub flags X509CheckFlags: c_uint {
+        const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT,
+        const X509_CHECK_FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS,
+        const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
+        const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS,
+        const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+            = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
+        const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT,
+    }
+}
+
+pub struct X509VerifyParamRef<'a>(*mut ffi::X509_VERIFY_PARAM, PhantomData<&'a mut ()>);
+
+impl<'a> X509VerifyParamRef<'a> {
+    pub unsafe fn from_ptr(ptr: *mut ffi::X509_VERIFY_PARAM) -> X509VerifyParamRef<'a> {
+        X509VerifyParamRef(ptr, PhantomData)
+    }
+
+    pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) {
+        unsafe {
+            ffi::X509_VERIFY_PARAM_set_hostflags(self.0, hostflags.bits);
+        }
+    }
+
+    pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> {
+        unsafe {
+            try_ssl!(ffi::X509_VERIFY_PARAM_set1_host(self.0,
+                                                      host.as_ptr() as *const _,
+                                                      host.len()))
+        }
+
+        Ok(())
+    }
+}