min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge remote-tracking branches 'rustcrypto/master' and 'rust-ssl/master' 

Conflicts:
	.travis.yml
This commit is contained in:
Steven Fackler 2013-12-28 17:35:38 -07:00
parent 53e11b08f5 87da25240d
commit ec8d926e56
8 changed files with 994 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
/.rust/
/doc/

2
.travis.yml
View File

@ -3,5 +3,7 @@ before_install:
- sudo apt-get update
install:
- sudo apt-get install rust-nightly
before_script:
- openssl s_server -accept 15418 -www -cert test/cert.pem -key test/key.pem >/dev/null &
script:
- make all test

59
ssl/error.rs Normal file
View File

@ -0,0 +1,59 @@
use std::libc::c_ulong;
use super::ffi;
/// An SSL error
#[deriving(ToStr)]
pub enum SslError {
/// The underlying stream has reported an EOF
StreamEof,
/// The SSL session has been closed by the other end
SslSessionClosed,
/// An error in the OpenSSL library
OpenSslErrors(~[OpensslError])
}
/// An error from the OpenSSL library
#[deriving(ToStr)]
pub enum OpensslError {
/// An unknown error
UnknownError {
/// The library reporting the error
library: u8,
/// The function reporting the error
function: u16,
/// The reason for the error
reason: u16
}
}
fn get_lib(err: c_ulong) -> u8 {
((err >> 24) & 0xff) as u8
}
fn get_func(err: c_ulong) -> u16 {
((err >> 12) & 0xfff) as u16
}
fn get_reason(err: c_ulong) -> u16 {
(err & 0xfff) as u16
}
impl SslError {
/// Creates a new `OpenSslErrors` with the current contents of the error
/// stack.
pub fn get() -> SslError {
let mut errs = ~[];
loop {
match unsafe { ffi::ERR_get_error() } {
0 => break,
err => errs.push(UnknownError {
library: get_lib(err),
function: get_func(err),
reason: get_reason(err)
})
}
}
OpenSslErrors(errs)
}
}

159
ssl/ffi.rs Normal file
View File

@ -0,0 +1,159 @@
#[doc(hidden)];
use std::libc::{c_int, c_void, c_long, c_ulong, c_char};
pub type SSL_CTX = c_void;
pub type SSL_METHOD = c_void;
pub type SSL = c_void;
pub type BIO = c_void;
pub type BIO_METHOD = c_void;
pub type X509_STORE_CTX = c_void;
pub type X509 = c_void;
pub type X509_NAME = c_void;
pub type CRYPTO_EX_DATA = c_void;
pub type CRYPTO_EX_new = extern "C" fn(parent: *c_void, ptr: *c_void,
ad: *CRYPTO_EX_DATA, idx: c_int,
argl: c_long, argp: *c_void) -> c_int;
pub type CRYPTO_EX_dup = extern "C" fn(to: *CRYPTO_EX_DATA,
from: *CRYPTO_EX_DATA, from_d: *c_void,
idx: c_int, argl: c_long, argp: *c_void)
-> c_int;
pub type CRYPTO_EX_free = extern "C" fn(parent: *c_void, ptr: *c_void,
ad: *CRYPTO_EX_DATA, idx: c_int,
argl: c_long, argp: *c_void);
pub static CRYPTO_LOCK: c_int = 1;
pub static SSL_ERROR_NONE: c_int = 0;
pub static SSL_ERROR_SSL: c_int = 1;
pub static SSL_ERROR_WANT_READ: c_int = 2;
pub static SSL_ERROR_WANT_WRITE: c_int = 3;
pub static SSL_ERROR_WANT_X509_LOOKUP: c_int = 4;
pub static SSL_ERROR_SYSCALL: c_int = 5;
pub static SSL_ERROR_ZERO_RETURN: c_int = 6;
pub static SSL_ERROR_WANT_CONNECT: c_int = 7;
pub static SSL_ERROR_WANT_ACCEPT: c_int = 8;
pub static SSL_VERIFY_NONE: c_int = 0;
pub static SSL_VERIFY_PEER: c_int = 1;
pub static X509_V_OK: c_int = 0;
pub static X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: c_int = 2;
pub static X509_V_ERR_UNABLE_TO_GET_CRL: c_int = 3;
pub static X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: c_int = 4;
pub static X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: c_int = 5;
pub static X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: c_int = 6;
pub static X509_V_ERR_CERT_SIGNATURE_FAILURE: c_int = 7;
pub static X509_V_ERR_CRL_SIGNATURE_FAILURE: c_int = 8;
pub static X509_V_ERR_CERT_NOT_YET_VALID: c_int = 9;
pub static X509_V_ERR_CERT_HAS_EXPIRED: c_int = 10;
pub static X509_V_ERR_CRL_NOT_YET_VALID: c_int = 11;
pub static X509_V_ERR_CRL_HAS_EXPIRED: c_int = 12;
pub static X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: c_int = 13;
pub static X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: c_int = 14;
pub static X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: c_int = 15;
pub static X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: c_int = 16;
pub static X509_V_ERR_OUT_OF_MEM: c_int = 17;
pub static X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: c_int = 18;
pub static X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: c_int = 19;
pub static X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: c_int = 20;
pub static X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: c_int = 21;
pub static X509_V_ERR_CERT_CHAIN_TOO_LONG: c_int = 22;
pub static X509_V_ERR_CERT_REVOKED: c_int = 23;
pub static X509_V_ERR_INVALID_CA: c_int = 24;
pub static X509_V_ERR_PATH_LENGTH_EXCEEDED: c_int = 25;
pub static X509_V_ERR_INVALID_PURPOSE: c_int = 26;
pub static X509_V_ERR_CERT_UNTRUSTED: c_int = 27;
pub static X509_V_ERR_CERT_REJECTED: c_int = 28;
pub static X509_V_ERR_SUBJECT_ISSUER_MISMATCH: c_int = 29;
pub static X509_V_ERR_AKID_SKID_MISMATCH: c_int = 30;
pub static X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: c_int = 31;
pub static X509_V_ERR_KEYUSAGE_NO_CERTSIGN: c_int = 32;
pub static X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: c_int = 33;
pub static X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: c_int = 34;
pub static X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: c_int = 35;
pub static X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: c_int = 36;
pub static X509_V_ERR_INVALID_NON_CA: c_int = 37;
pub static X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: c_int = 38;
pub static X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: c_int = 39;
pub static X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: c_int = 40;
pub static X509_V_ERR_INVALID_EXTENSION: c_int = 41;
pub static X509_V_ERR_INVALID_POLICY_EXTENSION: c_int = 42;
pub static X509_V_ERR_NO_EXPLICIT_POLICY: c_int = 43;
pub static X509_V_ERR_DIFFERENT_CRL_SCOPE: c_int = 44;
pub static X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: c_int = 45;
pub static X509_V_ERR_UNNESTED_RESOURCE: c_int = 46;
pub static X509_V_ERR_PERMITTED_VIOLATION: c_int = 47;
pub static X509_V_ERR_EXCLUDED_VIOLATION: c_int = 48;
pub static X509_V_ERR_SUBTREE_MINMAX: c_int = 49;
pub static X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: c_int = 51;
pub static X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: c_int = 52;
pub static X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: c_int = 53;
pub static X509_V_ERR_CRL_PATH_VALIDATION_ERROR: c_int = 54;
pub static X509_V_ERR_APPLICATION_VERIFICATION: c_int = 50;
pub static XN_FLAG_RFC2253: c_ulong = 0x1110317;
pub static XN_FLAG_ONELINE: c_ulong = 0x82031f;
pub static XN_FLAG_MULTILINE: c_ulong = 0x2a40006;
#[link(name="ssl")]
#[link(name="crypto")]
extern "C" {
pub fn CRYPTO_num_locks() -> c_int;
pub fn CRYPTO_set_locking_callback(func: extern "C" fn(mode: c_int,
n: c_int,
file: *c_char,
line: c_int));
pub fn ERR_get_error() -> c_ulong;
pub fn SSL_library_init() -> c_int;
pub fn SSLv3_method() -> *SSL_METHOD;
pub fn TLSv1_method() -> *SSL_METHOD;
pub fn SSLv23_method() -> *SSL_METHOD;
pub fn SSL_CTX_new(method: *SSL_METHOD) -> *SSL_CTX;
pub fn SSL_CTX_free(ctx: *SSL_CTX);
pub fn SSL_CTX_set_verify(ctx: *SSL_CTX, mode: c_int,
verify_callback: Option<extern "C" fn(c_int, *X509_STORE_CTX) -> c_int>);
pub fn SSL_CTX_load_verify_locations(ctx: *SSL_CTX, CAfile: *c_char,
CApath: *c_char) -> c_int;
pub fn SSL_CTX_get_ex_new_index(argl: c_long, argp: *c_void,
new_func: Option<CRYPTO_EX_new>,
dup_func: Option<CRYPTO_EX_dup>,
free_func: Option<CRYPTO_EX_free>)
-> c_int;
pub fn SSL_CTX_set_ex_data(ctx: *SSL_CTX, idx: c_int, data: *c_void)
-> c_int;
pub fn SSL_CTX_get_ex_data(ctx: *SSL_CTX, idx: c_int) -> *c_void;
pub fn X509_STORE_CTX_get_ex_data(ctx: *X509_STORE_CTX, idx: c_int)
-> *c_void;
pub fn X509_STORE_CTX_get_current_cert(ct: *X509_STORE_CTX) -> *X509;
pub fn X509_STORE_CTX_get_error(ctx: *X509_STORE_CTX) -> c_int;
pub fn X509_get_subject_name(x: *X509) -> *X509_NAME;
pub fn X509_NAME_print_ex(out: *BIO, nm: *X509_NAME, ident: c_int,
flags: c_ulong) -> c_int;
pub fn SSL_new(ctx: *SSL_CTX) -> *SSL;
pub fn SSL_free(ssl: *SSL);
pub fn SSL_set_bio(ssl: *SSL, rbio: *BIO, wbio: *BIO);
pub fn SSL_get_rbio(ssl: *SSL) -> *BIO;
pub fn SSL_get_wbio(ssl: *SSL) -> *BIO;
pub fn SSL_connect(ssl: *SSL) -> c_int;
pub fn SSL_get_error(ssl: *SSL, ret: c_int) -> c_int;
pub fn SSL_read(ssl: *SSL, buf: *c_void, num: c_int) -> c_int;
pub fn SSL_write(ssl: *SSL, buf: *c_void, num: c_int) -> c_int;
pub fn SSL_get_ex_data_X509_STORE_CTX_idx() -> c_int;
pub fn SSL_get_SSL_CTX(ssl: *SSL) -> *SSL_CTX;
pub fn BIO_s_mem() -> *BIO_METHOD;
pub fn BIO_new(type_: *BIO_METHOD) -> *BIO;
pub fn BIO_free_all(a: *BIO);
pub fn BIO_read(b: *BIO, buf: *c_void, len: c_int) -> c_int;
pub fn BIO_write(b: *BIO, buf: *c_void, len: c_int) -> c_int;
}

559
ssl/lib.rs Normal file
View File

@ -0,0 +1,559 @@
#[feature(struct_variant, macro_rules)];
#[crate_id="github.com/sfackler/rust-ssl"];
#[doc(html_root_url="http://sfackler.github.io/rust-ssl/doc/")];
use std::cast;
use std::libc::{c_int, c_void, c_char};
use std::ptr;
use std::task;
use std::sync::atomics::{AtomicBool, INIT_ATOMIC_BOOL, AtomicUint,
INIT_ATOMIC_UINT, Acquire, Release, SeqCst};
use std::unstable::mutex::Mutex;
use std::io::{Stream, Reader, Writer, Decorator};
use std::vec;
use self::error::{SslError, SslSessionClosed, StreamEof};
pub mod error;
mod ffi;
static mut STARTED_INIT: AtomicBool = INIT_ATOMIC_BOOL;
static mut FINISHED_INIT: AtomicBool = INIT_ATOMIC_BOOL;
static mut VERIFY_IDX: AtomicUint = INIT_ATOMIC_UINT;
// actually a *~[Mutex]
static mut MUTEXES: AtomicUint = INIT_ATOMIC_UINT;
fn init() {
unsafe {
if STARTED_INIT.swap(true, Acquire) {
while !FINISHED_INIT.load(Release) {
task::deschedule();
}
return;
}
ffi::SSL_library_init();
let verify_idx = ffi::SSL_CTX_get_ex_new_index(0, ptr::null(), None,
None, None);
assert!(verify_idx >= 0);
VERIFY_IDX.store(verify_idx as uint, Release);
let num_locks = ffi::CRYPTO_num_locks();
let mutexes = ~vec::from_fn(num_locks as uint, |_| Mutex::new());
MUTEXES.store(cast::transmute(mutexes), Release);
ffi::CRYPTO_set_locking_callback(locking_function);
FINISHED_INIT.store(true, Release);
}
}
/// Determines the SSL method supported
pub enum SslMethod {
/// Only support the SSLv3 protocol
Sslv3,
/// Only support the TLSv1 protocol
Tlsv1,
/// Support the SSLv2, SSLv3 and TLSv1 protocols
Sslv23
}
impl SslMethod {
unsafe fn to_raw(&self) -> *ffi::SSL_METHOD {
match *self {
Sslv3 => ffi::SSLv3_method(),
Tlsv1 => ffi::TLSv1_method(),
Sslv23 => ffi::SSLv23_method()
}
}
}
/// Determines the type of certificate verification used
pub enum SslVerifyMode {
/// Verify that the server's certificate is trusted
SslVerifyPeer = ffi::SSL_VERIFY_PEER,
/// Do not verify the server's certificate
SslVerifyNone = ffi::SSL_VERIFY_NONE
}
extern "C" fn locking_function(mode: c_int, n: c_int, _file: *c_char,
_line: c_int) {
unsafe {
let mutexes: *mut ~[Mutex] = cast::transmute(MUTEXES.load(Acquire));
let mutex = &mut (*mutexes)[n as uint];
if mode & ffi::CRYPTO_LOCK != 0 {
mutex.lock();
} else {
mutex.unlock();
}
}
}
extern "C" fn raw_verify(preverify_ok: c_int, x509_ctx: *ffi::X509_STORE_CTX)
-> c_int {
unsafe {
let idx = ffi::SSL_get_ex_data_X509_STORE_CTX_idx();
let ssl = ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx);
let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl);
let idx = VERIFY_IDX.load(Acquire) as c_int;
let verify = ffi::SSL_CTX_get_ex_data(ssl_ctx, idx);
let verify: Option<VerifyCallback> = cast::transmute(verify);
let ctx = X509StoreContext { ctx: x509_ctx };
match verify {
None => preverify_ok,
Some(verify) => verify(preverify_ok != 0, &ctx) as c_int
}
}
}
/// The signature of functions that can be used to manually verify certificates
pub type VerifyCallback = extern "Rust" fn(preverify_ok: bool,
x509_ctx: &X509StoreContext) -> bool;
/// An SSL context object
pub struct SslContext {
priv ctx: *ffi::SSL_CTX
}
impl Drop for SslContext {
fn drop(&mut self) {
unsafe { ffi::SSL_CTX_free(self.ctx) }
}
}
impl SslContext {
/// Attempts to create a new SSL context.
pub fn try_new(method: SslMethod) -> Result<SslContext, SslError> {
init();
let ctx = unsafe { ffi::SSL_CTX_new(method.to_raw()) };
if ctx == ptr::null() {
return Err(SslError::get());
}
Ok(SslContext { ctx: ctx })
}
/// A convenience wrapper around `try_new`.
pub fn new(method: SslMethod) -> SslContext {
match SslContext::try_new(method) {
Ok(ctx) => ctx,
Err(err) => fail!("Error creating SSL context: {:?}", err)
}
}
/// Configures the certificate verification method for new connections.
pub fn set_verify(&mut self, mode: SslVerifyMode,
verify: Option<VerifyCallback>) {
unsafe {
let idx = VERIFY_IDX.load(SeqCst) as c_int;
ffi::SSL_CTX_set_ex_data(self.ctx, idx,
cast::transmute(verify));
ffi::SSL_CTX_set_verify(self.ctx, mode as c_int, Some(raw_verify));
}
}
/// Specifies the file that contains trusted CA certificates.
pub fn set_CA_file(&mut self, file: &str) -> Option<SslError> {
let ret = file.with_c_str(|file| {
unsafe {
ffi::SSL_CTX_load_verify_locations(self.ctx, file, ptr::null())
}
});
if ret == 0 {
Some(SslError::get())
} else {
None
}
}
}
pub struct X509StoreContext {
priv ctx: *ffi::X509_STORE_CTX
}
impl X509StoreContext {
pub fn get_error(&self) -> Option<X509ValidationError> {
let err = unsafe { ffi::X509_STORE_CTX_get_error(self.ctx) };
X509ValidationError::from_raw(err)
}
pub fn get_current_cert<'a>(&'a self) -> Option<X509<'a>> {
let ptr = unsafe { ffi::X509_STORE_CTX_get_current_cert(self.ctx) };
if ptr.is_null() {
None
} else {
Some(X509 { ctx: self, x509: ptr })
}
}
}
/// A public key certificate
pub struct X509<'ctx> {
priv ctx: &'ctx X509StoreContext,
priv x509: *ffi::X509
}
impl<'ctx> X509<'ctx> {
pub fn subject_name<'a>(&'a self) -> X509Name<'a> {
let name = unsafe { ffi::X509_get_subject_name(self.x509) };
X509Name { x509: self, name: name }
}
}
pub struct X509Name<'x> {
priv x509: &'x X509<'x>,
priv name: *ffi::X509_NAME
}
pub enum X509NameFormat {
Rfc2253 = ffi::XN_FLAG_RFC2253,
Oneline = ffi::XN_FLAG_ONELINE,
Multiline = ffi::XN_FLAG_MULTILINE
}
macro_rules! make_validation_error(
($ok_val:ident, $($name:ident = $val:ident,)+) => (
pub enum X509ValidationError {
$($name,)+
X509UnknownError(c_int)
}
impl X509ValidationError {
#[doc(hidden)]
pub fn from_raw(err: c_int) -> Option<X509ValidationError> {
match err {
self::ffi::$ok_val => None,
$(self::ffi::$val => Some($name),)+
err => Some(X509UnknownError(err))
}
}
}
)
)
make_validation_error!(X509_V_OK,
X509UnableToGetIssuerCert = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
X509UnableToGetCrl = X509_V_ERR_UNABLE_TO_GET_CRL,
X509UnableToDecryptCertSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
X509UnableToDecryptCrlSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
X509UnableToDecodeIssuerPublicKey = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
X509CertSignatureFailure = X509_V_ERR_CERT_SIGNATURE_FAILURE,
X509CrlSignatureFailure = X509_V_ERR_CRL_SIGNATURE_FAILURE,
X509CertNotYetValid = X509_V_ERR_CERT_NOT_YET_VALID,
X509CertHasExpired = X509_V_ERR_CERT_HAS_EXPIRED,
X509CrlNotYetValid = X509_V_ERR_CRL_NOT_YET_VALID,
X509CrlHasExpired = X509_V_ERR_CRL_HAS_EXPIRED,
X509ErrorInCertNotBeforeField = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD,
X509ErrorInCertNotAfterField = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD,
X509ErrorInCrlLastUpdateField = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD,
X509ErrorInCrlNextUpdateField = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD,
X509OutOfMem = X509_V_ERR_OUT_OF_MEM,
X509DepthZeroSelfSignedCert = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
X509SelfSignedCertInChain = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
X509UnableToGetIssuerCertLocally = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
X509UnableToVerifyLeafSignature = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
X509CertChainTooLong = X509_V_ERR_CERT_CHAIN_TOO_LONG,
X509CertRevoked = X509_V_ERR_CERT_REVOKED,
X509InvalidCA = X509_V_ERR_INVALID_CA,
X509PathLengthExceeded = X509_V_ERR_PATH_LENGTH_EXCEEDED,
X509InvalidPurpose = X509_V_ERR_INVALID_PURPOSE,
X509CertUntrusted = X509_V_ERR_CERT_UNTRUSTED,
X509CertRejected = X509_V_ERR_CERT_REJECTED,
X509SubjectIssuerMismatch = X509_V_ERR_SUBJECT_ISSUER_MISMATCH,
X509AkidSkidMismatch = X509_V_ERR_AKID_SKID_MISMATCH,
X509AkidIssuerSerialMismatch = X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH,
X509KeyusageNoCertsign = X509_V_ERR_KEYUSAGE_NO_CERTSIGN,
X509UnableToGetCrlIssuer = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER,
X509UnhandledCriticalExtension = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION,
X509KeyusageNoCrlSign = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN,
X509UnhandledCriticalCrlExtension = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION,
X509InvalidNonCA = X509_V_ERR_INVALID_NON_CA,
X509ProxyPathLengthExceeded = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED,
X509KeyusageNoDigitalSignature = X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE,
X509ProxyCertificatesNotAllowed = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED,
X509InvalidExtension = X509_V_ERR_INVALID_EXTENSION,
X509InavlidPolicyExtension = X509_V_ERR_INVALID_POLICY_EXTENSION,
X509NoExplicitPolicy = X509_V_ERR_NO_EXPLICIT_POLICY,
X509DifferentCrlScope = X509_V_ERR_DIFFERENT_CRL_SCOPE,
X509UnsupportedExtensionFeature = X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE,
X509UnnestedResource = X509_V_ERR_UNNESTED_RESOURCE,
X509PermittedVolation = X509_V_ERR_PERMITTED_VIOLATION,
X509ExcludedViolation = X509_V_ERR_EXCLUDED_VIOLATION,
X509SubtreeMinmax = X509_V_ERR_SUBTREE_MINMAX,
X509UnsupportedConstraintType = X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE,
X509UnsupportedConstraintSyntax = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX,
X509UnsupportedNameSyntax = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX,
X509CrlPathValidationError= X509_V_ERR_CRL_PATH_VALIDATION_ERROR,
X509ApplicationVerification = X509_V_ERR_APPLICATION_VERIFICATION,
)
struct Ssl {
ssl: *ffi::SSL
}
impl Drop for Ssl {
fn drop(&mut self) {
unsafe { ffi::SSL_free(self.ssl) }
}
}
impl Ssl {
fn try_new(ctx: &SslContext) -> Result<Ssl, SslError> {
let ssl = unsafe { ffi::SSL_new(ctx.ctx) };
if ssl == ptr::null() {
return Err(SslError::get());
}
let ssl = Ssl { ssl: ssl };
let rbio = unsafe { ffi::BIO_new(ffi::BIO_s_mem()) };
if rbio == ptr::null() {
return Err(SslError::get());
}
let wbio = unsafe { ffi::BIO_new(ffi::BIO_s_mem()) };
if wbio == ptr::null() {
unsafe { ffi::BIO_free_all(rbio) }
return Err(SslError::get());
}
unsafe { ffi::SSL_set_bio(ssl.ssl, rbio, wbio) }
Ok(ssl)
}
fn get_rbio<'a>(&'a self) -> MemBioRef<'a> {
unsafe { self.wrap_bio(ffi::SSL_get_rbio(self.ssl)) }
}
fn get_wbio<'a>(&'a self) -> MemBioRef<'a> {
unsafe { self.wrap_bio(ffi::SSL_get_wbio(self.ssl)) }
}
fn wrap_bio<'a>(&'a self, bio: *ffi::BIO) -> MemBioRef<'a> {
assert!(bio != ptr::null());
MemBioRef {
ssl: self,
bio: MemBio {
bio: bio,
owned: false
}
}
}
fn connect(&self) -> c_int {
unsafe { ffi::SSL_connect(self.ssl) }
}
fn read(&self, buf: &mut [u8]) -> c_int {
unsafe { ffi::SSL_read(self.ssl, buf.as_ptr() as *c_void,
buf.len() as c_int) }
}
fn write(&self, buf: &[u8]) -> c_int {
unsafe { ffi::SSL_write(self.ssl, buf.as_ptr() as *c_void,
buf.len() as c_int) }
}
fn get_error(&self, ret: c_int) -> LibSslError {
let err = unsafe { ffi::SSL_get_error(self.ssl, ret) };
match FromPrimitive::from_int(err as int) {
Some(err) => err,
None => unreachable!()
}
}
}
#[deriving(FromPrimitive)]
enum LibSslError {
ErrorNone = ffi::SSL_ERROR_NONE,
ErrorSsl = ffi::SSL_ERROR_SSL,
ErrorWantRead = ffi::SSL_ERROR_WANT_READ,
ErrorWantWrite = ffi::SSL_ERROR_WANT_WRITE,
ErrorWantX509Lookup = ffi::SSL_ERROR_WANT_X509_LOOKUP,
ErrorSyscall = ffi::SSL_ERROR_SYSCALL,
ErrorZeroReturn = ffi::SSL_ERROR_ZERO_RETURN,
ErrorWantConnect = ffi::SSL_ERROR_WANT_CONNECT,
ErrorWantAccept = ffi::SSL_ERROR_WANT_ACCEPT,
}
struct MemBioRef<'ssl> {
ssl: &'ssl Ssl,
bio: MemBio,
}
impl<'ssl> MemBioRef<'ssl> {
fn read(&self, buf: &mut [u8]) -> Option<uint> {
self.bio.read(buf)
}
fn write(&self, buf: &[u8]) {
self.bio.write(buf)
}
}
struct MemBio {
bio: *ffi::BIO,
owned: bool
}
impl Drop for MemBio {
fn drop(&mut self) {
if self.owned {
unsafe {
ffi::BIO_free_all(self.bio);
}
}
}
}
impl MemBio {
fn read(&self, buf: &mut [u8]) -> Option<uint> {
let ret = unsafe {
ffi::BIO_read(self.bio, buf.as_ptr() as *c_void,
buf.len() as c_int)
};
if ret < 0 {
None
} else {
Some(ret as uint)
}
}
fn write(&self, buf: &[u8]) {
let ret = unsafe {
ffi::BIO_write(self.bio, buf.as_ptr() as *c_void,
buf.len() as c_int)
};
assert_eq!(buf.len(), ret as uint);
}
}
/// A stream wrapper which handles SSL encryption for an underlying stream.
pub struct SslStream<S> {
priv stream: S,
priv ssl: Ssl,
priv buf: ~[u8]
}
impl<S: Stream> SslStream<S> {
/// Attempts to create a new SSL stream
pub fn try_new(ctx: &SslContext, stream: S) -> Result<SslStream<S>,
SslError> {
let ssl = match Ssl::try_new(ctx) {
Ok(ssl) => ssl,
Err(err) => return Err(err)
};
let mut ssl = SslStream {
stream: stream,
ssl: ssl,
// Maximum TLS record size is 16k
buf: vec::from_elem(16 * 1024, 0u8)
};
match ssl.in_retry_wrapper(|ssl| { ssl.connect() }) {
Ok(_) => Ok(ssl),
Err(err) => Err(err)
}
}
/// A convenience wrapper around `try_new`.
pub fn new(ctx: &SslContext, stream: S) -> SslStream<S> {
match SslStream::try_new(ctx, stream) {
Ok(stream) => stream,
Err(err) => fail!("Error creating SSL stream: {:?}", err)
}
}
fn in_retry_wrapper(&mut self, blk: |&Ssl| -> c_int)
-> Result<c_int, SslError> {
loop {
let ret = blk(&self.ssl);
if ret > 0 {
return Ok(ret);
}
match self.ssl.get_error(ret) {
ErrorWantRead => {
self.flush();
match self.stream.read(self.buf) {
Some(len) =>
self.ssl.get_rbio().write(self.buf.slice_to(len)),
None => return Err(StreamEof)
}
}
ErrorWantWrite => self.flush(),
ErrorZeroReturn => return Err(SslSessionClosed),
ErrorSsl => return Err(SslError::get()),
_ => unreachable!()
}
}
}
fn write_through(&mut self) {
loop {
match self.ssl.get_wbio().read(self.buf) {
Some(len) => self.stream.write(self.buf.slice_to(len)),
None => break
}
}
}
}
impl<S: Stream> Reader for SslStream<S> {
fn read(&mut self, buf: &mut [u8]) -> Option<uint> {
match self.in_retry_wrapper(|ssl| { ssl.read(buf) }) {
Ok(len) => Some(len as uint),
Err(StreamEof) | Err(SslSessionClosed) => None,
_ => unreachable!()
}
}
fn eof(&mut self) -> bool {
self.stream.eof()
}
}
impl<S: Stream> Writer for SslStream<S> {
fn write(&mut self, buf: &[u8]) {
let mut start = 0;
while start < buf.len() {
let ret = self.in_retry_wrapper(|ssl| {
ssl.write(buf.slice_from(start))
});
match ret {
Ok(len) => start += len as uint,
_ => unreachable!()
}
self.write_through();
}
}
fn flush(&mut self) {
self.write_through();
self.stream.flush()
}
}
impl<S> Decorator<S> for SslStream<S> {
fn inner(self) -> S {
self.stream
}
fn inner_ref<'a>(&'a self) -> &'a S {
&self.stream
}
fn inner_mut_ref<'a>(&'a mut self) -> &'a mut S {
&mut self.stream
}
}

164
ssl/test.rs Normal file
View File

@ -0,0 +1,164 @@
#[feature(struct_variant, macro_rules)];
use std::io::Writer;
use std::io::net::tcp::TcpStream;
use std::str;
use lib::{Sslv23, SslContext, SslStream, SslVerifyPeer, X509StoreContext};
mod lib;
#[test]
fn test_new_ctx() {
SslContext::new(Sslv23);
}
#[test]
fn test_new_sslstream() {
let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
SslStream::new(&SslContext::new(Sslv23), stream);
}
#[test]
fn test_verify_untrusted() {
let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
let mut ctx = SslContext::new(Sslv23);
ctx.set_verify(SslVerifyPeer, None);
match SslStream::try_new(&ctx, stream) {
Ok(_) => fail!("expected failure"),
Err(err) => println!("error {:?}", err)
}
}
#[test]
fn test_verify_trusted() {
let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
let mut ctx = SslContext::new(Sslv23);
ctx.set_verify(SslVerifyPeer, None);
match ctx.set_CA_file("test/cert.pem") {
None => {}
Some(err) => fail!("Unexpected error {:?}", err)
}
match SslStream::try_new(&ctx, stream) {
Ok(_) => (),
Err(err) => fail!("Expected success, got {:?}", err)
}
}
#[test]
fn test_verify_untrusted_callback_override_ok() {
fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool {
true
}
let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
let mut ctx = SslContext::new(Sslv23);
ctx.set_verify(SslVerifyPeer, Some(callback));
match SslStream::try_new(&ctx, stream) {
Ok(_) => (),
Err(err) => fail!("Expected success, got {:?}", err)
}
}
#[test]
fn test_verify_untrusted_callback_override_bad() {
fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool {
false
}
let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
let mut ctx = SslContext::new(Sslv23);
ctx.set_verify(SslVerifyPeer, Some(callback));
assert!(SslStream::try_new(&ctx, stream).is_err());
}
#[test]
fn test_verify_trusted_callback_override_ok() {
fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool {
true
}
let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
let mut ctx = SslContext::new(Sslv23);
ctx.set_verify(SslVerifyPeer, Some(callback));
match ctx.set_CA_file("test/cert.pem") {
None => {}
Some(err) => fail!("Unexpected error {:?}", err)
}
match SslStream::try_new(&ctx, stream) {
Ok(_) => (),
Err(err) => fail!("Expected success, got {:?}", err)
}
}
#[test]
fn test_verify_trusted_callback_override_bad() {
fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool {
false
}
let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
let mut ctx = SslContext::new(Sslv23);
ctx.set_verify(SslVerifyPeer, Some(callback));
match ctx.set_CA_file("test/cert.pem") {
None => {}
Some(err) => fail!("Unexpected error {:?}", err)
}
assert!(SslStream::try_new(&ctx, stream).is_err());
}
#[test]
fn test_verify_callback_load_certs() {
fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool {
assert!(x509_ctx.get_current_cert().is_some());
true
}
let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
let mut ctx = SslContext::new(Sslv23);
ctx.set_verify(SslVerifyPeer, Some(callback));
assert!(SslStream::try_new(&ctx, stream).is_ok());
}
#[test]
fn test_verify_trusted_get_error_ok() {
fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool {
assert!(x509_ctx.get_error().is_none());
true
}
let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
let mut ctx = SslContext::new(Sslv23);
ctx.set_verify(SslVerifyPeer, Some(callback));
match ctx.set_CA_file("test/cert.pem") {
None => {}
Some(err) => fail!("Unexpected error {:?}", err)
}
assert!(SslStream::try_new(&ctx, stream).is_ok());
}
#[test]
fn test_verify_trusted_get_error_err() {
fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool {
assert!(x509_ctx.get_error().is_some());
false
}
let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
let mut ctx = SslContext::new(Sslv23);
ctx.set_verify(SslVerifyPeer, Some(callback));
assert!(SslStream::try_new(&ctx, stream).is_err());
}
#[test]
fn test_write() {
let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
let mut stream = SslStream::new(&SslContext::new(Sslv23), stream);
stream.write("hello".as_bytes());
stream.flush();
stream.write(" there".as_bytes());
stream.flush();
}
#[test]
fn test_read() {
let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap();
let mut stream = SslStream::new(&SslContext::new(Sslv23), stream);
stream.write("GET /\r\n\r\n".as_bytes());
stream.flush();
let buf = stream.read_to_end();
print!("{}", str::from_utf8(buf));
}

21
ssl/test/cert.pem Normal file
View File

@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJUaA2QC829wMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTMxMDIyMDUzODU5WhcNMTQxMDIyMDUzODU5WjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2E9uYoLpX4eMGz6+l+1ZdD11Y1PQjNjqSA7/nq0Q6gogPLds99a+Ca7B
2w6mWGMpCQbJTf0tOkdF6Td/gwIBNYtHuCIAiPh2Gbm6oZErVIXWwWuTWC2r7myB
0ePga5ZAE9SqsFqMEuhWikEK1+ae1CCfmbogsQSXyl4+EVN7xAwdi6yUtRL/92nn
ImKdwDBhuqzdBpBODQW/VCn0KG54CvWdwT0iqg7CvLuXQGyxM8K17SAiBtn6N38S
0jeL4D9IrBfi9PCYGpAn3jKr4oBEJVRCNvvni3Q9ikJ+GEF5nvLLVM+I98/o0vCu
Y2o7+1LiwViGONJ1BfRgdFWMjz0BfQIDAQABo1AwTjAdBgNVHQ4EFgQU509vewJT
k6qdvjT8e52gTE4+V9EwHwYDVR0jBBgwFoAU509vewJTk6qdvjT8e52gTE4+V9Ew
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAb0Sz/ixFc+pShXur1peh
J0n7sPxX29WyTN8IZ+Sl/Ks0vG6bmtO1kAudVigStdQKeBPco+c2/+BF1sL79pXf
Ao1hOWCkXVu6E/Nxl5rZlGNjkxwurKLNV5mZ6nXYkseYZH9A2ighGYQHj4YqspN2
2+/K1DLNBZCsZF6XozhUiDysUGN/xVh6TE0gsPvL1A27Xe4mQ8vd8Mz7av4dek//
V9F+cXnVBTAqLPpEbAX+0+k1QZtOVnDGovshlRFZ8d17f0pJZ66n9k6TPriQNWV/
RXjIOBLbXtPFL5w6MetkEBE+DsRckLT/50cf+f/y8CHv9v9iobu4LpTjx/8l0GuQ
hg==
-----END CERTIFICATE-----

28
ssl/test/key.pem Normal file
View File

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDYT25igulfh4wb
Pr6X7Vl0PXVjU9CM2OpIDv+erRDqCiA8t2z31r4JrsHbDqZYYykJBslN/S06R0Xp
N3+DAgE1i0e4IgCI+HYZubqhkStUhdbBa5NYLavubIHR4+BrlkAT1KqwWowS6FaK
QQrX5p7UIJ+ZuiCxBJfKXj4RU3vEDB2LrJS1Ev/3aeciYp3AMGG6rN0GkE4NBb9U
KfQobngK9Z3BPSKqDsK8u5dAbLEzwrXtICIG2fo3fxLSN4vgP0isF+L08JgakCfe
MqvigEQlVEI2++eLdD2KQn4YQXme8stUz4j3z+jS8K5jajv7UuLBWIY40nUF9GB0
VYyPPQF9AgMBAAECggEBAJiYiH20bqA2xk8eF2SkSxvmk15r7U6/Y59L/WZaHvmM
BSvwFk5MzqmUACviDNWDtpookHCVL4fSae5ZeXnZOzMju4eZbRkzdlU1ogSCnbe1
50dx9XMaXRUItRh1koczaqbSu0tHxVM9VneX5OdkSR3Kmezf0lourEpV66FbbI9i
1F1Q7u6TzldTuPSkQQgV/FHU9DvRPJ6HgSOyVr6Z9Ec0K6odmUXe3wX7+3PbKPtr
JIVQ0wGcc/sImgAr0uS+YbHNWM4qjFAAPteQ/+Df6usSFOkRoD3+XeZrJQQ98C3q
HHW4afaJM0YCsDwn7/E3KiY5fmXwtAHNRuUbsfReP8ECgYEA9JQICyP1N5bZ4uCc
jjTiHLcQX2dHy4dKatqWkV4F52qf4HCZ/pcvPBKNMzM4uTfkCgR+TMzW+A+escvR
8KmaSKmQHT+nUQfMoU2lpZbWSPTF8lLGx+Mf8JAMur0xcmazDB8uDFnvQg+TQY7y
cF6MMWKW3pp+3qI7wRkclXSLZG0CgYEA4mlzuzuB8e7UJ821N+zD8BBYY4EvpUIj
iparwKbM8vAZ1WZssRd+8oHroHJGbjXX4h7gvpUsVadSgs77W9T0zJ+5kJCpVAnO
nKdJkX1Zo1TaIIrRaJhiaPU4hKlnGnko3uv7SlV9PPUtcyBnXElobREmQv6eCmEf
Z7YP4+JoR1ECgYEA3RyrfO7gNYZyq3Mm9kWHGjDCY43q0W0ZcSr3LqrTKZkyuuTx
w8IImQWok9497O1Dg272hBY4ToFIljLPNQUQD5sER/0RFee4LygUlnSce86W2nHN
dk62xHRmnbiHaIbCXjYeGlqAPLf6CC3kroQ7uDYKcWs5Qatn3DYIqnF3x60CgYA/
plWatUf6s6GA7xua9TzAKFgw4Qh79PP46hKuvjWvtkAM9hZoUqqlklCjcnzKTui5
8ORNr7IfAkL38yhG0L9hJyYLth9kOL2U3JKaDBs/B4Oq0lu8g9pml0mkQdtyXc1X
ng+u/gmPMX3td5aXIyvwPXn8K4hScqtZhJ1C+0tFgQKBgQDtlBXw3mY3AMwT+wtx
ZiitDk7tAXj7wioCOziTFKkL01UMt4VIkNvQU7RUTcig6PBc0PxU6TZQpncOk/cP
eqQQP0TJGNzIK71EwAL5aFm9o9VoXsrwjVDZnzMr703MyU15QXO76kmxmh+rK5Qy
uldCJliojIW1UW30MXSXK96YXQ==
-----END PRIVATE KEY-----