diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 07f03bc7..7aa3eddd 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -19,7 +19,7 @@ v102 = [] v110 = [] [dependencies] -bitflags = "0.9" +bitflags = "1.0" foreign-types = "0.3.1" lazy_static = "1" libc = "0.2" diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 97b095d0..37a33cb4 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs @@ -20,10 +20,10 @@ //! //! ``` //! use openssl::ec::{EcGroup, EcPoint}; -//! use openssl::nid; +//! use openssl::nid::Nid; //! use openssl::error::ErrorStack; -//! fn get_ec_point() -> Result< EcPoint, ErrorStack > { -//! let group = EcGroup::from_curve_name(nid::SECP224R1)?; +//! fn get_ec_point() -> Result { +//! let group = EcGroup::from_curve_name(Nid::SECP224R1)?; //! let point = EcPoint::new(&group)?; //! Ok(point) //! } @@ -38,7 +38,7 @@ use std::mem; use libc::c_int; use {cvt, cvt_n, cvt_p, init}; -use bn::{BigNumRef, BigNumContextRef}; +use bn::{BigNumContextRef, BigNumRef}; use error::ErrorStack; use nid::Nid; @@ -606,14 +606,14 @@ impl EcKey { /// ```no_run /// use openssl::bn::BigNumContext; /// use openssl::ec::*; - /// use openssl::nid; + /// use openssl::nid::Nid; /// use openssl::pkey::PKey; /// /// // get bytes from somewhere, i.e. this will not produce a valid key /// let public_key: Vec = vec![]; /// /// // create an EcKey from the binary form of a EcPoint - /// let group = EcGroup::from_curve_name(nid::SECP256K1).unwrap(); + /// let group = EcGroup::from_curve_name(Nid::SECP256K1).unwrap(); /// let mut ctx = BigNumContext::new().unwrap(); /// let point = EcPoint::from_bytes(&group, &public_key, &mut ctx).unwrap(); /// let key = EcKey::from_public_key(&group, &point); @@ -645,7 +645,6 @@ impl EcKey { private_key_from_der!(EcKey, ffi::d2i_ECPrivateKey); } - foreign_type_and_impl_send_sync! { type CType = ffi::EC_KEY; fn drop = ffi::EC_KEY_free; @@ -731,18 +730,18 @@ impl EcKeyBuilderRef { #[cfg(test)] mod test { use bn::{BigNum, BigNumContext}; - use nid; + use nid::Nid; use data_encoding::BASE64URL_NOPAD; use super::*; #[test] fn key_new_by_curve_name() { - EcKey::from_curve_name(nid::X9_62_PRIME256V1).unwrap(); + EcKey::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); } #[test] fn generate() { - let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let key = EcKey::generate(&group).unwrap(); key.public_key().unwrap(); key.private_key().unwrap(); @@ -750,20 +749,20 @@ mod test { #[test] fn dup() { - let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let key = EcKey::generate(&group).unwrap(); key.to_owned().unwrap(); } #[test] fn point_new() { - let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); EcPoint::new(&group).unwrap(); } #[test] fn point_bytes() { - let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let key = EcKey::generate(&group).unwrap(); let point = key.public_key().unwrap(); let mut ctx = BigNumContext::new().unwrap(); @@ -776,7 +775,7 @@ mod test { #[test] fn mul_generator() { - let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let key = EcKey::generate(&group).unwrap(); let mut ctx = BigNumContext::new().unwrap(); let mut public_key = EcPoint::new(&group).unwrap(); @@ -792,7 +791,7 @@ mod test { #[test] fn key_from_public_key() { - let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let key = EcKey::generate(&group).unwrap(); let mut ctx = BigNumContext::new().unwrap(); let bytes = key.public_key() @@ -810,13 +809,13 @@ mod test { #[test] fn key_from_affine_coordinates() { - let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap(); - let x = BASE64URL_NOPAD.decode( - "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4".as_bytes(), - ).unwrap(); - let y = BASE64URL_NOPAD.decode( - "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM".as_bytes(), - ).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let x = BASE64URL_NOPAD + .decode("MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4".as_bytes()) + .unwrap(); + let y = BASE64URL_NOPAD + .decode("4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM".as_bytes()) + .unwrap(); let xbn = BigNum::from_slice(&x).unwrap(); let ybn = BigNum::from_slice(&y).unwrap(); @@ -834,10 +833,10 @@ mod test { #[test] fn set_private_key() { - let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap(); - let d = BASE64URL_NOPAD.decode( - "870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE".as_bytes(), - ).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let d = BASE64URL_NOPAD + .decode("870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE".as_bytes()) + .unwrap(); let dbn = BigNum::from_slice(&d).unwrap(); @@ -851,13 +850,13 @@ mod test { #[test] fn get_affine_coordinates() { - let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap(); - let x = BASE64URL_NOPAD.decode( - "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4".as_bytes(), - ).unwrap(); - let y = BASE64URL_NOPAD.decode( - "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM".as_bytes(), - ).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); + let x = BASE64URL_NOPAD + .decode("MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4".as_bytes()) + .unwrap(); + let y = BASE64URL_NOPAD + .decode("4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM".as_bytes()) + .unwrap(); let xbn = BigNum::from_slice(&x).unwrap(); let ybn = BigNum::from_slice(&y).unwrap(); diff --git a/openssl/src/nid.rs b/openssl/src/nid.rs index c58747be..7c041236 100644 --- a/openssl/src/nid.rs +++ b/openssl/src/nid.rs @@ -16,9 +16,9 @@ use libc::c_int; /// To view the integer representation of a `Nid`: /// /// ``` -/// use openssl::nid; +/// use openssl::nid::Nid; /// -/// assert!(nid::AES_256_GCM.as_raw() == 901); +/// assert!(Nid::AES_256_GCM.as_raw() == 901); /// ``` /// /// # External Documentation diff --git a/openssl/src/ocsp.rs b/openssl/src/ocsp.rs index 65436a4c..37a88101 100644 --- a/openssl/src/ocsp.rs +++ b/openssl/src/ocsp.rs @@ -14,17 +14,17 @@ use x509::{X509, X509Ref}; bitflags! { pub struct Flag: c_ulong { - const FLAG_NO_CERTS = ffi::OCSP_NOCERTS; - const FLAG_NO_INTERN = ffi::OCSP_NOINTERN; - const FLAG_NO_CHAIN = ffi::OCSP_NOCHAIN; - const FLAG_NO_VERIFY = ffi::OCSP_NOVERIFY; - const FLAG_NO_EXPLICIT = ffi::OCSP_NOEXPLICIT; - const FLAG_NO_CA_SIGN = ffi::OCSP_NOCASIGN; - const FLAG_NO_DELEGATED = ffi::OCSP_NODELEGATED; - const FLAG_NO_CHECKS = ffi::OCSP_NOCHECKS; - const FLAG_TRUST_OTHER = ffi::OCSP_TRUSTOTHER; - const FLAG_RESPID_KEY = ffi::OCSP_RESPID_KEY; - const FLAG_NO_TIME = ffi::OCSP_NOTIME; + const NO_CERTS = ffi::OCSP_NOCERTS; + const NO_INTERN = ffi::OCSP_NOINTERN; + const NO_CHAIN = ffi::OCSP_NOCHAIN; + const NO_VERIFY = ffi::OCSP_NOVERIFY; + const NO_EXPLICIT = ffi::OCSP_NOEXPLICIT; + const NO_CA_SIGN = ffi::OCSP_NOCASIGN; + const NO_DELEGATED = ffi::OCSP_NODELEGATED; + const NO_CHECKS = ffi::OCSP_NOCHECKS; + const TRUST_OTHER = ffi::OCSP_TRUSTOTHER; + const RESPID_KEY = ffi::OCSP_RESPID_KEY; + const NO_TIME = ffi::OCSP_NOTIME; } } diff --git a/openssl/src/pkcs12.rs b/openssl/src/pkcs12.rs index a840490c..84401a04 100644 --- a/openssl/src/pkcs12.rs +++ b/openssl/src/pkcs12.rs @@ -190,7 +190,7 @@ mod test { use asn1::Asn1Time; use rsa::Rsa; use pkey::PKey; - use nid; + use nid::Nid; use x509::{X509, X509Name}; use x509::extension::KeyUsage; @@ -238,7 +238,7 @@ mod test { let pkey = PKey::from_rsa(rsa).unwrap(); let mut name = X509Name::builder().unwrap(); - name.append_entry_by_nid(nid::COMMONNAME, subject_name) + name.append_entry_by_nid(Nid::COMMONNAME, subject_name) .unwrap(); let name = name.build(); diff --git a/openssl/src/pkey.rs b/openssl/src/pkey.rs index 9ef7e885..5cbc2878 100644 --- a/openssl/src/pkey.rs +++ b/openssl/src/pkey.rs @@ -1,4 +1,4 @@ -use libc::{c_void, c_char, c_int, size_t}; +use libc::{c_char, c_int, c_void, size_t}; use std::ptr; use std::mem; use std::ffi::CString; @@ -10,9 +10,9 @@ use bio::MemBioSlice; use dh::Dh; use dsa::Dsa; use ec::EcKey; -use rsa::{Rsa, Padding}; +use rsa::{Padding, Rsa}; use error::ErrorStack; -use util::{CallbackState, invoke_passwd_cb, invoke_passwd_cb_old}; +use util::{invoke_passwd_cb, invoke_passwd_cb_old, CallbackState}; foreign_type_and_impl_send_sync! { type CType = ffi::EVP_PKEY; @@ -254,9 +254,7 @@ impl PKeyCtxRef { pub fn rsa_padding(&self) -> Result { let mut pad: c_int = 0; unsafe { - cvt( - ffi::EVP_PKEY_CTX_get_rsa_padding(self.as_ptr(), &mut pad), - )?; + cvt(ffi::EVP_PKEY_CTX_get_rsa_padding(self.as_ptr(), &mut pad))?; }; Ok(Padding::from_raw(pad)) } @@ -270,9 +268,7 @@ impl PKeyCtxRef { pub fn derive_set_peer(&mut self, peer: &PKeyRef) -> Result<(), ErrorStack> { unsafe { - cvt( - ffi::EVP_PKEY_derive_set_peer(self.as_ptr(), peer.as_ptr()), - )?; + cvt(ffi::EVP_PKEY_derive_set_peer(self.as_ptr(), peer.as_ptr()))?; } Ok(()) } @@ -306,7 +302,7 @@ mod tests { use dsa::Dsa; use ec::{EcGroup, EcKey}; use rsa::Rsa; - use nid; + use nid::Nid; use super::*; @@ -403,7 +399,7 @@ mod tests { #[test] fn test_ec_key_accessor() { - let ec_key = EcKey::from_curve_name(nid::X9_62_PRIME256V1).unwrap(); + let ec_key = EcKey::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let pkey = PKey::from_ec_key(ec_key).unwrap(); pkey.ec_key().unwrap(); assert!(pkey.rsa().is_err()); @@ -411,7 +407,7 @@ mod tests { #[test] fn test_ec_key_derive() { - let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let ec_key = EcKey::generate(&group).unwrap(); let ec_key2 = EcKey::generate(&group).unwrap(); let pkey = PKey::from_ec_key(ec_key).unwrap(); diff --git a/openssl/src/sign.rs b/openssl/src/sign.rs index a90d1570..3155463a 100644 --- a/openssl/src/sign.rs +++ b/openssl/src/sign.rs @@ -353,7 +353,7 @@ mod test { use hash::MessageDigest; use sign::{Signer, Verifier}; use ec::{EcGroup, EcKey}; - use nid; + use nid::Nid; use rsa::{PKCS1_PADDING, Rsa}; use dsa::Dsa; use pkey::PKey; @@ -569,7 +569,7 @@ mod test { #[test] fn ec() { - let group = EcGroup::from_curve_name(nid::X9_62_PRIME256V1).unwrap(); + let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); let key = EcKey::generate(&group).unwrap(); let key = PKey::from_ec_key(key).unwrap(); diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index cd02dc18..cf199d24 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -3,8 +3,8 @@ use std::ops::{Deref, DerefMut}; use dh::Dh; use error::ErrorStack; -use ssl::{self, HandshakeError, Ssl, SslRef, SslContext, SslContextBuilder, SslMethod, SslStream, - SSL_VERIFY_PEER}; +use ssl::{HandshakeError, Ssl, SslContext, SslContextBuilder, SslMethod, SslMode, SslOptions, + SslRef, SslStream, SslVerifyMode}; use pkey::PKeyRef; use version; use x509::X509Ref; @@ -29,26 +29,19 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== fn ctx(method: SslMethod) -> Result { let mut ctx = SslContextBuilder::new(method)?; - let mut opts = ssl::SSL_OP_ALL; - opts &= !ssl::SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; - opts &= !ssl::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; - opts |= ssl::SSL_OP_NO_TICKET; - opts |= ssl::SSL_OP_NO_COMPRESSION; - opts |= ssl::SSL_OP_NO_SSLV2; - opts |= ssl::SSL_OP_NO_SSLV3; - opts |= ssl::SSL_OP_SINGLE_DH_USE; - opts |= ssl::SSL_OP_SINGLE_ECDH_USE; - opts |= ssl::SSL_OP_CIPHER_SERVER_PREFERENCE; + let opts = SslOptions::ALL | SslOptions::NO_TICKET | SslOptions::NO_COMPRESSION + | SslOptions::NO_SSLV2 | SslOptions::NO_SSLV3 | SslOptions::SINGLE_DH_USE + | SslOptions::SINGLE_ECDH_USE | SslOptions::CIPHER_SERVER_PREFERENCE; ctx.set_options(opts); - let mut mode = ssl::SSL_MODE_AUTO_RETRY | ssl::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER - | ssl::SSL_MODE_ENABLE_PARTIAL_WRITE; + let mut mode = + SslMode::AUTO_RETRY | SslMode::ACCEPT_MOVING_WRITE_BUFFER | SslMode::ENABLE_PARTIAL_WRITE; // This is quite a useful optimization for saving memory, but historically // caused CVEs in OpenSSL pre-1.0.1h, according to // https://bugs.python.org/issue25672 if version::number() >= 0x1000108f { - mode |= ssl::SSL_MODE_RELEASE_BUFFERS; + mode |= SslMode::RELEASE_BUFFERS; } ctx.set_mode(mode); @@ -152,7 +145,11 @@ impl SslConnector { /// Returns a structure allowing for configuration of a single TLS session before connection. pub fn configure(&self) -> Result { - Ssl::new(&self.0).map(|ssl| ConnectConfiguration { ssl, sni: true, verify_hostname: true }) + Ssl::new(&self.0).map(|ssl| ConnectConfiguration { + ssl, + sni: true, + verify_hostname: true, + }) } } @@ -228,7 +225,9 @@ impl ConnectConfiguration { where S: Read + Write, { - self.use_server_name_indication(false).verify_hostname(false).connect("", stream) + self.use_server_name_indication(false) + .verify_hostname(false) + .connect("", stream) } } @@ -415,7 +414,7 @@ impl SslAcceptor { #[cfg(any(ossl102, ossl110))] fn setup_verify(ctx: &mut SslContextBuilder) { - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); } #[cfg(ossl101)] @@ -435,7 +434,7 @@ fn setup_verify(ctx: &mut SslContextBuilder) { #[cfg(any(ossl102, ossl110))] fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { let param = ssl._param_mut(); - param.set_hostflags(::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + param.set_hostflags(::verify::X509CheckFlags::NO_PARTIAL_WILDCARDS); match domain.parse() { Ok(ip) => param.set_ip(ip), Err(_) => param.set_host(domain), @@ -516,7 +515,10 @@ mod verify { // Unlike SANs, IP addresses in the subject name don't have a // different encoding. match domain.parse::() { - Ok(ip) => pattern.parse::().ok().map_or(false, |pattern| pattern == ip), + Ok(ip) => pattern + .parse::() + .ok() + .map_or(false, |pattern| pattern == ip), Err(_) => matches_dns(pattern, domain), } } diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index e7286163..9751688e 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -121,106 +121,85 @@ mod bio; #[cfg(test)] mod tests; -// FIXME drop SSL_ prefix -// FIXME remvove flags not used in OpenSSL 1.1 bitflags! { /// Options controlling the behavior of an `SslContext`. - pub struct SslOption: c_ulong { - // FIXME remove - const SSL_OP_MICROSOFT_SESS_ID_BUG = ffi::SSL_OP_MICROSOFT_SESS_ID_BUG; - // FIXME remove - const SSL_OP_NETSCAPE_CHALLENGE_BUG = ffi::SSL_OP_NETSCAPE_CHALLENGE_BUG; - // FIXME remove - const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = - ffi::SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; - // FIXME remove - const SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = ffi::SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER; - // FIXME remove - const SSL_OP_SSLEAY_080_CLIENT_DH_BUG = ffi::SSL_OP_SSLEAY_080_CLIENT_DH_BUG; - // FIXME remove - const SSL_OP_TLS_D5_BUG = ffi::SSL_OP_TLS_D5_BUG; - // FIXME remove - const SSL_OP_TLS_BLOCK_PADDING_BUG = ffi::SSL_OP_TLS_BLOCK_PADDING_BUG; - - // FIXME remove? not documented anywhere - const SSL_OP_CISCO_ANYCONNECT = ffi::SSL_OP_CISCO_ANYCONNECT; - + pub struct SslOptions: c_ulong { /// Disables a countermeasure against an SSLv3/TLSv1.0 vulnerability affecting CBC ciphers. - const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = ffi::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + const DONT_INSERT_EMPTY_FRAGMENTS = ffi::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; /// A "reasonable default" set of options which enables compatibility flags. - const SSL_OP_ALL = ffi::SSL_OP_ALL; + const ALL = ffi::SSL_OP_ALL; /// Do not query the MTU. /// /// Only affects DTLS connections. - const SSL_OP_NO_QUERY_MTU = ffi::SSL_OP_NO_QUERY_MTU; + const NO_QUERY_MTU = ffi::SSL_OP_NO_QUERY_MTU; /// Enables Cookie Exchange as described in [RFC 4347 Section 4.2.1]. /// /// Only affects DTLS connections. /// /// [RFC 4347 Section 4.2.1]: https://tools.ietf.org/html/rfc4347#section-4.2.1 - const SSL_OP_COOKIE_EXCHANGE = ffi::SSL_OP_COOKIE_EXCHANGE; + const COOKIE_EXCHANGE = ffi::SSL_OP_COOKIE_EXCHANGE; /// Disables the use of session tickets for session resumption. - const SSL_OP_NO_TICKET = ffi::SSL_OP_NO_TICKET; + const NO_TICKET = ffi::SSL_OP_NO_TICKET; /// Always start a new session when performing a renegotiation on the server side. - const SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = + const NO_SESSION_RESUMPTION_ON_RENEGOTIATION = ffi::SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION; /// Disables the use of TLS compression. - const SSL_OP_NO_COMPRESSION = ffi::SSL_OP_NO_COMPRESSION; + const NO_COMPRESSION = ffi::SSL_OP_NO_COMPRESSION; /// Allow legacy insecure renegotiation with servers or clients that do not support secure /// renegotiation. - const SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = + const ALLOW_UNSAFE_LEGACY_RENEGOTIATION = ffi::SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; /// Creates a new key for each session when using ECDHE. /// /// This is always enabled in OpenSSL 1.1.0. - const SSL_OP_SINGLE_ECDH_USE = ffi::SSL_OP_SINGLE_ECDH_USE; + const SINGLE_ECDH_USE = ffi::SSL_OP_SINGLE_ECDH_USE; /// Creates a new key for each session when using DHE. /// /// This is always enabled in OpenSSL 1.1.0. - const SSL_OP_SINGLE_DH_USE = ffi::SSL_OP_SINGLE_DH_USE; + const SINGLE_DH_USE = ffi::SSL_OP_SINGLE_DH_USE; /// Use the server's preferences rather than the client's when selecting a cipher. /// /// This has no effect on the client side. - const SSL_OP_CIPHER_SERVER_PREFERENCE = ffi::SSL_OP_CIPHER_SERVER_PREFERENCE; + const CIPHER_SERVER_PREFERENCE = ffi::SSL_OP_CIPHER_SERVER_PREFERENCE; /// Disables version rollback attach detection. - const SSL_OP_TLS_ROLLBACK_BUG = ffi::SSL_OP_TLS_ROLLBACK_BUG; + const TLS_ROLLBACK_BUG = ffi::SSL_OP_TLS_ROLLBACK_BUG; /// Disables the use of SSLv2. - const SSL_OP_NO_SSLV2 = ffi::SSL_OP_NO_SSLv2; + const NO_SSLV2 = ffi::SSL_OP_NO_SSLv2; /// Disables the use of SSLv3. - const SSL_OP_NO_SSLV3 = ffi::SSL_OP_NO_SSLv3; + const NO_SSLV3 = ffi::SSL_OP_NO_SSLv3; /// Disables the use of TLSv1.0. - const SSL_OP_NO_TLSV1 = ffi::SSL_OP_NO_TLSv1; + const NO_TLSV1 = ffi::SSL_OP_NO_TLSv1; /// Disables the use of TLSv1.1. - const SSL_OP_NO_TLSV1_1 = ffi::SSL_OP_NO_TLSv1_1; + const NO_TLSV1_1 = ffi::SSL_OP_NO_TLSv1_1; /// Disables the use of TLSv1.2. - const SSL_OP_NO_TLSV1_2 = ffi::SSL_OP_NO_TLSv1_2; + const NO_TLSV1_2 = ffi::SSL_OP_NO_TLSv1_2; /// Disables the use of DTLSv1.0 /// /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] - const SSL_OP_NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1; + const NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1; /// Disables the use of DTLSv1.2. /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] - const SSL_OP_NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2; + const NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2; /// Disables the use of all (D)TLS protocol versions. /// @@ -238,7 +217,7 @@ bitflags! { /// let options = SSL_OP_NO_SSL_MASK & !SSL_OP_NO_TLSV1_2; /// ``` #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] - const SSL_OP_NO_SSL_MASK = ffi::SSL_OP_NO_SSL_MASK; + const NO_SSL_MASK = ffi::SSL_OP_NO_SSL_MASK; } } @@ -250,11 +229,11 @@ bitflags! { /// Normally, a write in OpenSSL will always write out all of the requested data, even if it /// requires more than one TLS record or write to the underlying stream. This option will /// cause a write to return after writing a single TLS record instead. - const SSL_MODE_ENABLE_PARTIAL_WRITE = ffi::SSL_MODE_ENABLE_PARTIAL_WRITE; + const ENABLE_PARTIAL_WRITE = ffi::SSL_MODE_ENABLE_PARTIAL_WRITE; /// Disables a check that the data buffer has not moved between calls when operating in a /// nonblocking context. - const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER = ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; + const ACCEPT_MOVING_WRITE_BUFFER = ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; /// Enables automatic retries after TLS session events such as renegotiations or heartbeats. /// @@ -265,25 +244,19 @@ bitflags! { /// Note that `SslStream::read` and `SslStream::write` will automatically retry regardless /// of the state of this option. It only affects `SslStream::ssl_read` and /// `SslStream::ssl_write`. - const SSL_MODE_AUTO_RETRY = ffi::SSL_MODE_AUTO_RETRY; + const AUTO_RETRY = ffi::SSL_MODE_AUTO_RETRY; /// Disables automatic chain building when verifying a peer's certificate. /// /// TLS peers are responsible for sending the entire certificate chain from the leaf to a /// trusted root, but some will incorrectly not do so. OpenSSL will try to build the chain /// out of certificates it knows of, and this option will disable that behavior. - const SSL_MODE_NO_AUTO_CHAIN = ffi::SSL_MODE_NO_AUTO_CHAIN; + const NO_AUTO_CHAIN = ffi::SSL_MODE_NO_AUTO_CHAIN; /// Release memory buffers when the session does not need them. /// /// This saves ~34 KiB of memory for idle streams. - const SSL_MODE_RELEASE_BUFFERS = ffi::SSL_MODE_RELEASE_BUFFERS; - - // FIXME remove - #[cfg(not(libressl))] - const SSL_MODE_SEND_CLIENTHELLO_TIME = ffi::SSL_MODE_SEND_CLIENTHELLO_TIME; - #[cfg(not(libressl))] - const SSL_MODE_SEND_SERVERHELLO_TIME = ffi::SSL_MODE_SEND_SERVERHELLO_TIME; + const RELEASE_BUFFERS = ffi::SSL_MODE_RELEASE_BUFFERS; /// Sends the fake `TLS_FALLBACK_SCSV` cipher suite in the ClientHello message of a /// handshake. @@ -293,7 +266,7 @@ bitflags! { /// /// Do not use this unless you know what you're doing! #[cfg(not(libressl))] - const SSL_MODE_SEND_FALLBACK_SCSV = ffi::SSL_MODE_SEND_FALLBACK_SCSV; + const SEND_FALLBACK_SCSV = ffi::SSL_MODE_SEND_FALLBACK_SCSV; } } @@ -335,19 +308,19 @@ bitflags! { /// Verifies that the peer's certificate is trusted. /// /// On the server side, this will cause OpenSSL to request a certificate from the client. - const SSL_VERIFY_PEER = ::ffi::SSL_VERIFY_PEER; + const PEER = ::ffi::SSL_VERIFY_PEER; /// Disables verification of the peer's certificate. /// /// On the server side, this will cause OpenSSL to not request a certificate from the /// client. On the client side, the certificate will be checked for validity, but the /// negotiation will continue regardless of the result of that check. - const SSL_VERIFY_NONE = ::ffi::SSL_VERIFY_NONE; + const NONE = ::ffi::SSL_VERIFY_NONE; /// On the server side, abort the handshake if the client did not send a certificate. /// /// This should be paired with `SSL_VERIFY_PEER`. It has no effect on the client side. - const SSL_VERIFY_FAIL_IF_NO_PEER_CERT = ::ffi::SSL_VERIFY_FAIL_IF_NO_PEER_CERT; + const FAIL_IF_NO_PEER_CERT = ::ffi::SSL_VERIFY_FAIL_IF_NO_PEER_CERT; } } @@ -900,9 +873,9 @@ impl SslContextBuilder { /// This corresponds to [`SSL_CTX_set_options`]. /// /// [`SSL_CTX_set_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html - pub fn set_options(&mut self, option: SslOption) -> SslOption { + pub fn set_options(&mut self, option: SslOptions) -> SslOptions { let ret = unsafe { compat::SSL_CTX_set_options(self.as_ptr(), option.bits()) }; - SslOption::from_bits(ret).unwrap() + SslOptions::from_bits(ret).unwrap() } /// Returns the options used by the context. @@ -910,9 +883,9 @@ impl SslContextBuilder { /// This corresponds to [`SSL_CTX_get_options`]. /// /// [`SSL_CTX_get_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html - pub fn options(&self) -> SslOption { + pub fn options(&self) -> SslOptions { let ret = unsafe { compat::SSL_CTX_get_options(self.as_ptr()) }; - SslOption::from_bits(ret).unwrap() + SslOptions::from_bits(ret).unwrap() } /// Clears the options used by the context, returning the old set. @@ -920,9 +893,9 @@ impl SslContextBuilder { /// This corresponds to [`SSL_CTX_clear_options`]. /// /// [`SSL_CTX_clear_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html - pub fn clear_options(&mut self, option: SslOption) -> SslOption { + pub fn clear_options(&mut self, option: SslOptions) -> SslOptions { let ret = unsafe { compat::SSL_CTX_clear_options(self.as_ptr(), option.bits()) }; - SslOption::from_bits(ret).unwrap() + SslOptions::from_bits(ret).unwrap() } /// Set the protocols to be used during Next Protocol Negotiation (the protocols diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index ff1d1c86..d9578dec 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -19,7 +19,7 @@ use hash::MessageDigest; use ocsp::{OcspResponse, RESPONSE_STATUS_UNAUTHORIZED}; use ssl; use ssl::{Error, HandshakeError, ShutdownResult, Ssl, SslAcceptorBuilder, SslConnectorBuilder, - SslContext, SslMethod, SslStream, SSL_VERIFY_NONE, SSL_VERIFY_PEER, STATUS_TYPE_OCSP}; + SslContext, SslMethod, SslStream, SslVerifyMode, STATUS_TYPE_OCSP}; use x509::{X509, X509Name, X509StoreContext, X509_FILETYPE_PEM}; #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; @@ -131,8 +131,7 @@ macro_rules! run_test( use std::net::TcpStream; use ssl; use ssl::SslMethod; - use ssl::{SslContext, Ssl, SslStream}; - use ssl::SSL_VERIFY_PEER; + use ssl::{SslContext, Ssl, SslStream, SslVerifyMode, SslOptions}; use hash::MessageDigest; use x509::X509StoreContext; #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] @@ -160,7 +159,7 @@ run_test!(new_ctx, |method, _| { run_test!(verify_untrusted, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); match Ssl::new(&ctx.build()).unwrap().connect(stream) { Ok(_) => panic!("expected failure"), @@ -170,7 +169,7 @@ run_test!(verify_untrusted, |method, stream| { run_test!(verify_trusted, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -189,7 +188,7 @@ run_test!(verify_trusted_with_set_cert, |method, stream| { store.add_cert(x509).unwrap(); let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); match ctx.set_verify_cert_store(store.build()) { Ok(_) => {} @@ -203,7 +202,7 @@ run_test!(verify_trusted_with_set_cert, |method, stream| { run_test!(verify_untrusted_callback_override_ok, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| true); + ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| true); match Ssl::new(&ctx.build()).unwrap().connect(stream) { Ok(_) => (), @@ -213,14 +212,14 @@ run_test!(verify_untrusted_callback_override_ok, |method, stream| { run_test!(verify_untrusted_callback_override_bad, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| false); + ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| false); assert!(Ssl::new(&ctx.build()).unwrap().connect(stream).is_err()); }); run_test!(verify_trusted_callback_override_ok, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| true); + ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| true); match ctx.set_ca_file(&Path::new("test/cert.pem")) { Ok(_) => {} @@ -234,7 +233,7 @@ run_test!(verify_trusted_callback_override_ok, |method, stream| { run_test!(verify_trusted_callback_override_bad, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| false); + ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| false); match ctx.set_ca_file(&Path::new("test/cert.pem")) { Ok(_) => {} @@ -245,7 +244,7 @@ run_test!(verify_trusted_callback_override_bad, |method, stream| { run_test!(verify_callback_load_certs, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, |_, x509_ctx| { + ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| { assert!(x509_ctx.current_cert().is_some()); true }); @@ -255,7 +254,7 @@ run_test!(verify_callback_load_certs, |method, stream| { run_test!(verify_trusted_get_error_ok, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, |_, x509_ctx| { + ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| { assert!(x509_ctx.error().is_none()); true }); @@ -269,7 +268,7 @@ run_test!(verify_trusted_get_error_ok, |method, stream| { run_test!(verify_trusted_get_error_err, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, |_, x509_ctx| { + ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| { assert!(x509_ctx.error().is_some()); false }); @@ -286,7 +285,7 @@ run_test!(verify_callback_data, |method, stream| { // Please update if "test/cert.pem" will ever change let node_hash_str = "59172d9313e84459bcff27f967e79e6e9217e584"; let node_id = Vec::from_hex(node_hash_str).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, move |_preverify_ok, x509_ctx| { + ctx.set_verify_callback(SslVerifyMode::PEER, move |_preverify_ok, x509_ctx| { let cert = x509_ctx.current_cert(); match cert { None => false, @@ -314,7 +313,7 @@ run_test!(ssl_verify_callback, |method, stream| { let node_hash_str = "59172d9313e84459bcff27f967e79e6e9217e584"; let node_id = Vec::from_hex(node_hash_str).unwrap(); - ssl.set_verify_callback(SSL_VERIFY_PEER, move |_, x509| { + ssl.set_verify_callback(SslVerifyMode::PEER, move |_, x509| { CHECKED.store(1, Ordering::SeqCst); match x509.current_cert() { None => false, @@ -349,7 +348,7 @@ fn test_write_hits_stream() { }); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM) .unwrap(); ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM) @@ -384,15 +383,15 @@ run_test!(get_ctx_options, |method, _| { run_test!(set_ctx_options, |method, _| { let mut ctx = SslContext::builder(method).unwrap(); - let opts = ctx.set_options(ssl::SSL_OP_NO_TICKET); - assert!(opts.contains(ssl::SSL_OP_NO_TICKET)); + let opts = ctx.set_options(SslOptions::NO_TICKET); + assert!(opts.contains(SslOptions::NO_TICKET)); }); run_test!(clear_ctx_options, |method, _| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_options(ssl::SSL_OP_ALL); - let opts = ctx.clear_options(ssl::SSL_OP_ALL); - assert!(!opts.contains(ssl::SSL_OP_ALL)); + ctx.set_options(SslOptions::ALL); + let opts = ctx.clear_options(SslOptions::ALL); + assert!(!opts.contains(SslOptions::ALL)); }); #[test] @@ -481,7 +480,7 @@ fn test_state() { fn test_connect_with_unilateral_alpn() { let (_s, stream) = Server::new(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -503,7 +502,7 @@ fn test_connect_with_unilateral_alpn() { fn test_connect_with_unilateral_npn() { let (_s, stream) = Server::new(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -525,7 +524,7 @@ fn test_connect_with_unilateral_npn() { fn test_connect_with_alpn_successful_multiple_matching() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_alpn_protocols(&[b"spdy/3.1", b"http/1.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -547,7 +546,7 @@ fn test_connect_with_alpn_successful_multiple_matching() { fn test_connect_with_npn_successful_multiple_matching() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_npn_protocols(&[b"spdy/3.1", b"http/1.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -570,7 +569,7 @@ fn test_connect_with_npn_successful_multiple_matching() { fn test_connect_with_alpn_successful_single_match() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_alpn_protocols(&[b"spdy/3.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -585,7 +584,6 @@ fn test_connect_with_alpn_successful_single_match() { assert_eq!(b"spdy/3.1", stream.ssl().selected_alpn_protocol().unwrap()); } - /// Tests that when both the client as well as the server use NPN and their /// lists of supported protocols have an overlap -- with only ONE protocol /// being valid for both. @@ -594,7 +592,7 @@ fn test_connect_with_alpn_successful_single_match() { fn test_connect_with_npn_successful_single_match() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_npn_protocols(&[b"spdy/3.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -619,7 +617,7 @@ fn test_npn_server_advertise_multiple() { // We create a different context instance for the server... let listener_ctx = { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap(); assert!( ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM) @@ -636,7 +634,7 @@ fn test_npn_server_advertise_multiple() { }); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_npn_protocols(&[b"spdy/3.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -662,7 +660,7 @@ fn test_alpn_server_advertise_multiple() { // We create a different context instance for the server... let listener_ctx = { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap(); assert!( ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM) @@ -679,7 +677,7 @@ fn test_alpn_server_advertise_multiple() { }); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_alpn_protocols(&[b"spdy/3.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -705,7 +703,7 @@ fn test_alpn_server_select_none() { // We create a different context instance for the server... let listener_ctx = { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap(); assert!( ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM) @@ -722,7 +720,7 @@ fn test_alpn_server_select_none() { }); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_alpn_protocols(&[b"http/2"]).unwrap(); ctx.set_ca_file(&Path::new("test/root-ca.pem")).unwrap(); // Now connect to the socket and make sure the protocol negotiation works... @@ -961,7 +959,7 @@ fn refcount_ssl_context() { fn default_verify_paths() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_default_verify_paths().unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); let s = TcpStream::connect("google.com:443").unwrap(); let mut socket = Ssl::new(&ctx.build()).unwrap().connect(s).unwrap(); @@ -987,7 +985,7 @@ fn add_extra_chain_cert() { fn verify_valid_hostname() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_default_verify_paths().unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); let mut ssl = Ssl::new(&ctx.build()).unwrap(); ssl.param_mut() @@ -1011,7 +1009,7 @@ fn verify_valid_hostname() { fn verify_invalid_hostname() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_default_verify_paths().unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); let mut ssl = Ssl::new(&ctx.build()).unwrap(); ssl.param_mut() @@ -1081,7 +1079,7 @@ fn connector_no_hostname_can_disable_verify() { let (_s, tcp) = Server::new(); let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap(); - connector.set_verify(SSL_VERIFY_NONE); + connector.set_verify(SslVerifyMode::NONE); let connector = connector.build(); connector diff --git a/openssl/src/verify.rs b/openssl/src/verify.rs index 65315e47..4074c216 100644 --- a/openssl/src/verify.rs +++ b/openssl/src/verify.rs @@ -8,15 +8,15 @@ use error::ErrorStack; bitflags! { pub struct X509CheckFlags: c_uint { - const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT; - const X509_CHECK_FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS; - const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; - const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS; - const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS + const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT; + const FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS; + const NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; + const MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS; + const SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS; /// Requires the `v110` feature and OpenSSL 1.1.0. #[cfg(all(feature = "v110", ossl110))] - const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; + const NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; } } diff --git a/openssl/src/x509/extension.rs b/openssl/src/x509/extension.rs index cbc6b806..a0b07c85 100644 --- a/openssl/src/x509/extension.rs +++ b/openssl/src/x509/extension.rs @@ -40,10 +40,10 @@ pub enum Extension { /// /// ``` /// use openssl::x509::extension::Extension::*; - /// use openssl::nid; + /// use openssl::nid::Nid; /// /// # let generator = openssl::x509::X509Generator::new(); - /// generator.add_extension(OtherNid(nid::BASIC_CONSTRAINTS,"critical,CA:TRUE".to_owned())); + /// generator.add_extension(OtherNid(Nid::BASIC_CONSTRAINTS,"critical,CA:TRUE".to_owned())); /// ``` OtherNid(Nid, String), /// Arbitrary extensions by OID string. See `man ASN1_generate_nconf` for value syntax. diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 76eeba3f..543cf7f2 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -2,20 +2,19 @@ use hex::{FromHex, ToHex}; use asn1::Asn1Time; use bn::{BigNum, MSB_MAYBE_ZERO}; -use ec::{NAMED_CURVE, EcGroup, EcKey}; +use ec::{EcGroup, EcKey, NAMED_CURVE}; use hash::MessageDigest; -use nid::X9_62_PRIME256V1; +use nid::Nid; use pkey::PKey; use rsa::Rsa; use stack::Stack; use x509::{X509, X509Generator, X509Name, X509Req}; -use x509::extension::{Extension, BasicConstraints, KeyUsage, ExtendedKeyUsage, - SubjectKeyIdentifier, AuthorityKeyIdentifier, SubjectAlternativeName}; -use ssl::{SslMethod, SslContextBuilder}; +use x509::extension::{AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, Extension, + KeyUsage, SubjectAlternativeName, SubjectKeyIdentifier}; +use ssl::{SslContextBuilder, SslMethod}; use x509::extension::AltNameOption as SAN; use x509::extension::KeyUsageOption::{DigitalSignature, KeyEncipherment}; use x509::extension::ExtKeyUsageOption::{self, ClientAuth, ServerAuth}; -use nid; fn get_generator() -> X509Generator { X509Generator::new() @@ -28,11 +27,11 @@ fn get_generator() -> X509Generator { ServerAuth, ExtKeyUsageOption::Other("2.999.1".to_owned()), ])) - .add_extension(Extension::SubjectAltName( - vec![(SAN::DNS, "example.com".to_owned())], - )) + .add_extension(Extension::SubjectAltName(vec![ + (SAN::DNS, "example.com".to_owned()), + ])) .add_extension(Extension::OtherNid( - nid::BASIC_CONSTRAINTS, + Nid::BASIC_CONSTRAINTS, "critical,CA:TRUE".to_owned(), )) .add_extension(Extension::OtherStr( @@ -68,11 +67,11 @@ fn test_cert_gen_extension_ordering() { let pkey = pkey(); get_generator() .add_extension(Extension::OtherNid( - nid::SUBJECT_KEY_IDENTIFIER, + Nid::SUBJECT_KEY_IDENTIFIER, "hash".to_owned(), )) .add_extension(Extension::OtherNid( - nid::AUTHORITY_KEY_IDENTIFIER, + Nid::AUTHORITY_KEY_IDENTIFIER, "keyid:always".to_owned(), )) .sign(&pkey) @@ -86,11 +85,11 @@ fn test_cert_gen_extension_bad_ordering() { let pkey = pkey(); let result = get_generator() .add_extension(Extension::OtherNid( - nid::AUTHORITY_KEY_IDENTIFIER, + Nid::AUTHORITY_KEY_IDENTIFIER, "keyid:always".to_owned(), )) .add_extension(Extension::OtherNid( - nid::SUBJECT_KEY_IDENTIFIER, + Nid::SUBJECT_KEY_IDENTIFIER, "hash".to_owned(), )) .sign(&pkey); @@ -108,7 +107,7 @@ fn test_req_gen() { let req = X509Req::from_pem(&reqpem).ok().expect("Failed to load PEM"); let cn = (*req) .subject_name() - .entries_by_nid(nid::COMMONNAME) + .entries_by_nid(Nid::COMMONNAME) .next() .unwrap(); assert_eq!(0, (*req).version()); @@ -155,7 +154,7 @@ fn test_subject_read_cn() { let cert = include_bytes!("../../test/cert.pem"); let cert = X509::from_pem(cert).unwrap(); let subject = cert.subject_name(); - let cn = subject.entries_by_nid(nid::COMMONNAME).next().unwrap(); + let cn = subject.entries_by_nid(Nid::COMMONNAME).next().unwrap(); assert_eq!(cn.data().as_slice(), b"foobar.com") } @@ -165,16 +164,16 @@ fn test_nid_values() { let cert = X509::from_pem(cert).unwrap(); let subject = cert.subject_name(); - let cn = subject.entries_by_nid(nid::COMMONNAME).next().unwrap(); + let cn = subject.entries_by_nid(Nid::COMMONNAME).next().unwrap(); assert_eq!(cn.data().as_slice(), b"example.com"); let email = subject - .entries_by_nid(nid::PKCS9_EMAILADDRESS) + .entries_by_nid(Nid::PKCS9_EMAILADDRESS) .next() .unwrap(); assert_eq!(email.data().as_slice(), b"test@example.com"); - let friendly = subject.entries_by_nid(nid::FRIENDLYNAME).next().unwrap(); + let friendly = subject.entries_by_nid(Nid::FRIENDLYNAME).next().unwrap(); assert_eq!(&**friendly.data().as_utf8().unwrap(), "Example"); } @@ -184,7 +183,7 @@ fn test_nid_uid_value() { let cert = X509::from_pem(cert).unwrap(); let subject = cert.subject_name(); - let cn = subject.entries_by_nid(nid::USERID).next().unwrap(); + let cn = subject.entries_by_nid(Nid::USERID).next().unwrap(); assert_eq!(cn.data().as_slice(), b"this is the userId"); } @@ -230,7 +229,7 @@ fn x509_builder() { let pkey = pkey(); let mut name = X509Name::builder().unwrap(); - name.append_entry_by_nid(nid::COMMONNAME, "foobar.com") + name.append_entry_by_nid(Nid::COMMONNAME, "foobar.com") .unwrap(); let name = name.build(); @@ -289,7 +288,7 @@ fn x509_builder() { assert!(pkey.public_eq(&x509.public_key().unwrap())); let cn = x509.subject_name() - .entries_by_nid(nid::COMMONNAME) + .entries_by_nid(Nid::COMMONNAME) .next() .unwrap(); assert_eq!("foobar.com".as_bytes(), cn.data().as_slice()); @@ -300,7 +299,7 @@ fn x509_req_builder() { let pkey = pkey(); let mut name = X509Name::builder().unwrap(); - name.append_entry_by_nid(nid::COMMONNAME, "foobar.com") + name.append_entry_by_nid(Nid::COMMONNAME, "foobar.com") .unwrap(); let name = name.build(); @@ -361,7 +360,7 @@ fn issued() { #[test] fn ecdsa_cert() { - let mut group = EcGroup::from_curve_name(X9_62_PRIME256V1).unwrap(); + let mut group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(); group.set_asn1_flag(NAMED_CURVE); let key = EcKey::generate(&group).unwrap(); let key = PKey::from_ec_key(key).unwrap(); @@ -387,15 +386,15 @@ fn signature() { assert_eq!( signature.as_slice().to_hex(), "4af607b889790b43470442cfa551cdb8b6d0b0340d2958f76b9e3ef6ad4992230cead6842587f0ecad5\ - 78e6e11a221521e940187e3d6652de14e84e82f6671f097cc47932e022add3c0cb54a26bf27fa84c107\ - 4971caa6bee2e42d34a5b066c427f2d452038082b8073993399548088429de034fdd589dcfb0dd33be7\ - ebdfdf698a28d628a89568881d658151276bde333600969502c4e62e1d3470a683364dfb241f78d310a\ - 89c119297df093eb36b7fd7540224f488806780305d1e79ffc938fe2275441726522ab36d88348e6c51\ - f13dcc46b5e1cdac23c974fd5ef86aa41e91c9311655090a52333bc79687c748d833595d4c5f987508f\ - e121997410d37c" + 78e6e11a221521e940187e3d6652de14e84e82f6671f097cc47932e022add3c0cb54a26bf27fa84c107\ + 4971caa6bee2e42d34a5b066c427f2d452038082b8073993399548088429de034fdd589dcfb0dd33be7\ + ebdfdf698a28d628a89568881d658151276bde333600969502c4e62e1d3470a683364dfb241f78d310a\ + 89c119297df093eb36b7fd7540224f488806780305d1e79ffc938fe2275441726522ab36d88348e6c51\ + f13dcc46b5e1cdac23c974fd5ef86aa41e91c9311655090a52333bc79687c748d833595d4c5f987508f\ + e121997410d37c" ); let algorithm = cert.signature_algorithm(); - assert_eq!(algorithm.object().nid(), nid::SHA256WITHRSAENCRYPTION); + assert_eq!(algorithm.object().nid(), Nid::SHA256WITHRSAENCRYPTION); assert_eq!(algorithm.object().to_string(), "sha256WithRSAEncryption"); }