min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Change SslVerifyMode to bitflags and add SSL_VERIFY_FAIL_IF_NO_PEER_CERT 

SslVerifyMode was changed to bitflags to allow for bitwise operations
like (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT).
This commit is contained in:
Manuel Schölling 2015-03-12 14:40:20 +01:00
parent 4606687829
commit b42202b858
3 changed files with 25 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
openssl-sys/src/lib.rs
View File

@ -143,6 +143,7 @@ pub const SSL_ERROR_WANT_X509_LOOKUP: c_int = 4;
pub const SSL_ERROR_ZERO_RETURN: c_int = 6; pub const SSL_ERROR_ZERO_RETURN: c_int = 6;
pub const SSL_VERIFY_NONE: c_int = 0; pub const SSL_VERIFY_NONE: c_int = 0;
pub const SSL_VERIFY_PEER: c_int = 1; pub const SSL_VERIFY_PEER: c_int = 1;
pub const SSL_VERIFY_FAIL_IF_NO_PEER_CERT: c_int = 2;
pub const TLSEXT_NAMETYPE_host_name: c_long = 0; pub const TLSEXT_NAMETYPE_host_name: c_long = 0;

21
openssl/src/ssl/mod.rs
View File

@ -115,13 +115,16 @@ impl SslMethod {
} }
/// Determines the type of certificate verification used /// Determines the type of certificate verification used
#[derive(Copy, Clone, Debug)] bitflags! {
#[repr(i32)] flags SslVerifyMode: i32 {
pub enum SslVerifyMode { /// Verify that the server's certificate is trusted
/// Verify that the server's certificate is trusted const SSL_VERIFY_PEER = ffi::SSL_VERIFY_PEER,
SslVerifyPeer = ffi::SSL_VERIFY_PEER, /// Do not verify the server's certificate
/// Do not verify the server's certificate const SSL_VERIFY_NONE = ffi::SSL_VERIFY_NONE,
SslVerifyNone = ffi::SSL_VERIFY_NONE /// Terminate handshake if client did not return a certificate.
/// Use together with SSL_VERIFY_PEER.
const SSL_VERIFY_FAIL_IF_NO_PEER_CERT = ffi::SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
}
} }
lazy_static! { lazy_static! {
@ -346,7 +349,7 @@ impl SslContext {
mem::transmute(verify)); mem::transmute(verify));
let f: extern fn(c_int, *mut ffi::X509_STORE_CTX) -> c_int = let f: extern fn(c_int, *mut ffi::X509_STORE_CTX) -> c_int =
raw_verify; raw_verify;
ffi::SSL_CTX_set_verify(self.ctx, mode as c_int, Some(f)); ffi::SSL_CTX_set_verify(*self.ctx, mode.bits as c_int, Some(f));
} }
} }
@ -366,7 +369,7 @@ impl SslContext {
mem::transmute(data)); mem::transmute(data));
let f: extern fn(c_int, *mut ffi::X509_STORE_CTX) -> c_int = let f: extern fn(c_int, *mut ffi::X509_STORE_CTX) -> c_int =
raw_verify_with_data::<T>; raw_verify_with_data::<T>;
ffi::SSL_CTX_set_verify(self.ctx, mode as c_int, Some(f)); ffi::SSL_CTX_set_verify(*self.ctx, mode.bits as c_int, Some(f));
} }
} }

23
openssl/src/ssl/tests.rs
View File

@ -12,10 +12,11 @@ use crypto::hash::Type::{SHA256};
use ssl; use ssl;
use ssl::SslMethod::Sslv23; use ssl::SslMethod::Sslv23;
use ssl::{SslContext, SslStream, VerifyCallback}; use ssl::{SslContext, SslStream, VerifyCallback};
use ssl::SslVerifyMode::SslVerifyPeer; use ssl::SSL_VERIFY_PEER;
use x509::X509StoreContext; use x509::X509StoreContext;
#[cfg(feature = "npn")] #[cfg(feature = "npn")]
use x509::X509FileType; use x509::X509FileType;
use x509::{X509StoreContext};
#[test] #[test]
fn test_new_ctx() { fn test_new_ctx() {
@ -32,7 +33,7 @@ fn test_new_sslstream() {
fn test_verify_untrusted() { fn test_verify_untrusted() {
let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, None); ctx.set_verify(SSL_VERIFY_PEER, None);
match SslStream::new(&ctx, stream) { match SslStream::new(&ctx, stream) {
Ok(_) => panic!("expected failure"), Ok(_) => panic!("expected failure"),
Err(err) => println!("error {:?}", err) Err(err) => println!("error {:?}", err)
@ -43,7 +44,7 @@ fn test_verify_untrusted() {
fn test_verify_trusted() { fn test_verify_trusted() {
let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, None); ctx.set_verify(SSL_VERIFY_PEER, None);
match ctx.set_CA_file(&Path::new("test/cert.pem")) { match ctx.set_CA_file(&Path::new("test/cert.pem")) {
None => {} None => {}
Some(err) => panic!("Unexpected error {:?}", err) Some(err) => panic!("Unexpected error {:?}", err)
@ -61,7 +62,7 @@ fn test_verify_untrusted_callback_override_ok() {
} }
let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback));
match SslStream::new(&ctx, stream) { match SslStream::new(&ctx, stream) {
Ok(_) => (), Ok(_) => (),
Err(err) => panic!("Expected success, got {:?}", err) Err(err) => panic!("Expected success, got {:?}", err)
@ -75,7 +76,7 @@ fn test_verify_untrusted_callback_override_bad() {
} }
let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback));
assert!(SslStream::new(&ctx, stream).is_err()); assert!(SslStream::new(&ctx, stream).is_err());
} }
@ -86,7 +87,7 @@ fn test_verify_trusted_callback_override_ok() {
} }
let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback));
match ctx.set_CA_file(&Path::new("test/cert.pem")) { match ctx.set_CA_file(&Path::new("test/cert.pem")) {
None => {} None => {}
Some(err) => panic!("Unexpected error {:?}", err) Some(err) => panic!("Unexpected error {:?}", err)
@ -104,7 +105,7 @@ fn test_verify_trusted_callback_override_bad() {
} }
let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback));
match ctx.set_CA_file(&Path::new("test/cert.pem")) { match ctx.set_CA_file(&Path::new("test/cert.pem")) {
None => {} None => {}
Some(err) => panic!("Unexpected error {:?}", err) Some(err) => panic!("Unexpected error {:?}", err)
@ -120,7 +121,7 @@ fn test_verify_callback_load_certs() {
} }
let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback));
assert!(SslStream::new(&ctx, stream).is_ok()); assert!(SslStream::new(&ctx, stream).is_ok());
} }
@ -132,7 +133,7 @@ fn test_verify_trusted_get_error_ok() {
} }
let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback));
match ctx.set_CA_file(&Path::new("test/cert.pem")) { match ctx.set_CA_file(&Path::new("test/cert.pem")) {
None => {} None => {}
Some(err) => panic!("Unexpected error {:?}", err) Some(err) => panic!("Unexpected error {:?}", err)
@ -148,7 +149,7 @@ fn test_verify_trusted_get_error_err() {
} }
let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let stream = TcpStream::connect("127.0.0.1:15418").unwrap();
let mut ctx = SslContext::new(Sslv23).unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap();
ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback));
assert!(SslStream::new(&ctx, stream).is_err()); assert!(SslStream::new(&ctx, stream).is_err());
} }
@ -173,7 +174,7 @@ fn test_verify_callback_data() {
// Please update if "test/cert.pem" will ever change // Please update if "test/cert.pem" will ever change
let node_hash_str = "46e3f1a6d17a41ce70d0c66ef51cee2ab4ba67cac8940e23f10c1f944b49fb5c"; let node_hash_str = "46e3f1a6d17a41ce70d0c66ef51cee2ab4ba67cac8940e23f10c1f944b49fb5c";
let node_id = node_hash_str.from_hex().unwrap(); let node_id = node_hash_str.from_hex().unwrap();
ctx.set_verify_with_data(SslVerifyPeer, callback, node_id); ctx.set_verify_with_data(SSL_VERIFY_PEER, callback, node_id);
ctx.set_verify_depth(1); ctx.set_verify_depth(1);
match SslStream::new(&ctx, stream) { match SslStream::new(&ctx, stream) {