diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index de201332..300ed056 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -252,6 +252,17 @@ pub const X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: c_int = 45; pub const X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: c_int = 53; pub const X509_V_OK: c_int = 0; +#[cfg(not(ossl101))] +pub const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT: c_uint = 0x1; +#[cfg(not(ossl101))] +pub const X509_CHECK_FLAG_NO_WILDCARDS: c_uint = 0x2; +#[cfg(not(ossl101))] +pub const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS: c_uint = 0x4; +#[cfg(not(ossl101))] +pub const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS: c_uint = 0x8; +#[cfg(not(ossl101))] +pub const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS: c_uint = 0x10; + pub const GEN_OTHERNAME: c_int = 0; pub const GEN_EMAIL: c_int = 1; pub const GEN_DNS: c_int = 2; @@ -587,13 +598,13 @@ extern { verify_callback: Option c_int>); pub fn SSL_set_ex_data(ssl: *mut SSL, idx: c_int, data: *mut c_void) -> c_int; pub fn SSL_get_ex_data(ssl: *const SSL, idx: c_int) -> *mut c_void; - pub fn SSL_get_servername(ssl: *const SSL, name_type: c_int) -> *const c_char; + pub fn SSL_get_current_cipher(ssl: *const SSL) -> *const SSL_CIPHER; + #[cfg(not(ossl101))] + pub fn SSL_get0_param(ssl: *mut ::SSL) -> *mut X509_VERIFY_PARAM; pub fn SSL_COMP_get_name(comp: *const COMP_METHOD) -> *const c_char; - pub fn SSL_get_current_cipher(ssl: *const SSL) -> *const SSL_CIPHER; - pub fn SSL_CIPHER_get_name(cipher: *const SSL_CIPHER) -> *const c_char; pub fn SSL_CIPHER_get_bits(cipher: *const SSL_CIPHER, alg_bits: *mut c_int) -> c_int; pub fn SSL_CIPHER_description(cipher: *const SSL_CIPHER, buf: *mut c_char, size: c_int) -> *mut c_char; @@ -693,6 +704,13 @@ extern { pub fn X509_REQ_add_extensions(req: *mut X509_REQ, exts: *mut stack_st_X509_EXTENSION) -> c_int; pub fn X509_REQ_sign(x: *mut X509_REQ, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> c_int; + #[cfg(not(ossl101))] + pub fn X509_VERIFY_PARAM_set_hostflags(param: *mut X509_VERIFY_PARAM, flags: c_uint); + #[cfg(not(ossl101))] + pub fn X509_VERIFY_PARAM_set1_host(param: *mut X509_VERIFY_PARAM, + name: *const c_char, + namelen: size_t) -> c_int; + pub fn d2i_X509(a: *mut *mut X509, pp: *mut *const c_uchar, length: c_long) -> *mut X509; pub fn i2d_X509_bio(b: *mut BIO, x: *mut X509) -> c_int; pub fn i2d_X509_REQ_bio(b: *mut BIO, x: *mut X509_REQ) -> c_int; diff --git a/openssl-sys/src/ossl10x.rs b/openssl-sys/src/ossl10x.rs index 70514cc8..86451a0c 100644 --- a/openssl-sys/src/ossl10x.rs +++ b/openssl-sys/src/ossl10x.rs @@ -2,7 +2,12 @@ use std::sync::{Mutex, MutexGuard}; use std::sync::{Once, ONCE_INIT}; use std::mem; -use libc::{c_int, c_char, c_void, c_long, c_uchar, size_t, c_uint, c_ulong}; +use libc::{c_int, c_char, c_void, c_long, c_uchar, size_t, c_uint, c_ulong, time_t}; + +#[repr(C)] +pub struct stack_st_ASN1_OBJECT { + pub stack: _STACK, +} #[repr(C)] pub struct stack_st_X509 { @@ -425,6 +430,23 @@ pub struct SRP_CTX { srp_Mask: c_ulong, } +#[repr(C)] +#[cfg(not(ossl101))] +pub struct X509_VERIFY_PARAM { + pub name: *mut c_char, + pub check_time: time_t, + pub inh_flags: c_ulong, + pub flags: c_ulong, + pub purpose: c_int, + pub trust: c_int, + pub depth: c_int, + pub policies: *mut stack_st_ASN1_OBJECT, + pub id: *mut X509_VERIFY_PARAM_ID, +} + +#[cfg(not(ossl101))] +pub enum X509_VERIFY_PARAM_ID {} + pub const SSL_CTRL_OPTIONS: c_int = 32; pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77; #[cfg(ossl102)] diff --git a/openssl-sys/src/ossl110.rs b/openssl-sys/src/ossl110.rs index 5fee4045..1a7c9e00 100644 --- a/openssl-sys/src/ossl110.rs +++ b/openssl-sys/src/ossl110.rs @@ -1,25 +1,28 @@ -use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long}; +use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long, c_uint}; +pub enum BIGNUM {} +pub enum BIO {} +pub enum BIO_METHOD {} +pub enum CRYPTO_EX_DATA {} +pub enum DH {} +pub enum DSA {} +pub enum EVP_CIPHER {} +pub enum EVP_MD_CTX {} +pub enum EVP_PKEY {} +pub enum HMAC_CTX {} +pub enum OPENSSL_STACK {} +pub enum RSA {} +pub enum SSL_CTX {} +pub enum _STACK {} +pub enum stack_st_ASN1_OBJECT {} +pub enum stack_st_GENERAL_NAME {} +pub enum stack_st_OPENSSL_STRING {} +pub enum stack_st_void {} pub enum stack_st_X509 {} pub enum stack_st_X509_ATTRIBUTE {} pub enum stack_st_X509_EXTENSION {} -pub enum stack_st_GENERAL_NAME {} -pub enum stack_st_void {} -pub enum _STACK {} -pub enum BIO_METHOD {} -pub enum RSA {} -pub enum DSA {} -pub enum EVP_PKEY {} -pub enum BIO {} -pub enum CRYPTO_EX_DATA {} -pub enum EVP_MD_CTX {} -pub enum EVP_CIPHER {} -pub enum HMAC_CTX {} -pub enum BIGNUM {} -pub enum OPENSSL_STACK {} -pub enum DH {} pub enum X509 {} -pub enum SSL_CTX {} +pub enum X509_VERIFY_PARAM {} pub const SSL_OP_MICROSOFT_SESS_ID_BUG: c_ulong = 0x00000000; pub const SSL_OP_NETSCAPE_CHALLENGE_BUG: c_ulong = 0x00000000; @@ -41,6 +44,8 @@ pub const OPENSSL_DIR: c_int = 4; pub const CRYPTO_EX_INDEX_SSL: c_int = 0; pub const CRYPTO_EX_INDEX_SSL_CTX: c_int = 1; +pub const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT: c_uint = 0x20; + pub fn init() {} extern { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 0bd3272b..b042d81e 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -22,6 +22,8 @@ use ffi; use init; use dh::DH; use x509::{X509StoreContext, X509FileType, X509, X509Ref}; +#[cfg(feature = "openssl-102")] +use x509::verify::X509VerifyParamRef; use crypto::pkey::PKey; use error::ErrorStack; @@ -988,6 +990,16 @@ impl<'a> SslRef<'a> { SslContextRef::from_ptr(ssl_ctx) } } + + /// Returns the X509 verification configuration. + /// + /// Requires the `openssl-102` feature. + #[cfg(feature = "openssl-102")] + pub fn param(&mut self) -> X509VerifyParamRef<'a> { + unsafe { + X509VerifyParamRef::from_ptr(ffi::SSL_get0_param(self.as_ptr())) + } + } } pub struct Ssl(SslRef<'static>); diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index f86895e5..b3500105 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -21,9 +21,13 @@ use ssl::SslMethod::Tls; use ssl::{SslMethod, HandshakeError}; use ssl::error::Error; use ssl::{SslContext, SslStream}; +#[cfg(feature = "openssl-102")] +use ssl::IntoSsl; use x509::X509StoreContext; use x509::X509FileType; use x509::X509; +#[cfg(feature = "openssl-102")] +use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; use crypto::pkey::PKey; use std::net::UdpSocket; @@ -1042,3 +1046,43 @@ fn add_extra_chain_cert() { let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); ctx.add_extra_chain_cert(&cert).unwrap(); } + +#[test] +#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :( +#[cfg(feature = "openssl-102")] +fn valid_hostname() { + let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); + ctx.set_default_verify_paths().unwrap(); + ctx.set_verify(SSL_VERIFY_PEER); + + let mut ssl = ctx.into_ssl().unwrap(); + ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + ssl.param().set_host("google.com").unwrap(); + + let s = TcpStream::connect("google.com:443").unwrap(); + let mut socket = SslStream::connect(ssl, s).unwrap(); + + socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap(); + let mut result = vec![]; + socket.read_to_end(&mut result).unwrap(); + + println!("{}", String::from_utf8_lossy(&result)); + assert!(result.starts_with(b"HTTP/1.0")); + assert!(result.ends_with(b"\r\n") || result.ends_with(b"")); +} + +#[test] +#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :( +#[cfg(feature = "openssl-102")] +fn invalid_hostname() { + let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); + ctx.set_default_verify_paths().unwrap(); + ctx.set_verify(SSL_VERIFY_PEER); + + let mut ssl = ctx.into_ssl().unwrap(); + ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + ssl.param().set_host("foobar.com").unwrap(); + + let s = TcpStream::connect("google.com:443").unwrap(); + assert!(SslStream::connect(ssl, s).is_err()); +} diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 086342dd..9fed94e2 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -38,6 +38,9 @@ use ffi::{ pub mod extension; +#[cfg(feature = "openssl-102")] +pub mod verify; + use self::extension::{ExtensionType, Extension}; #[cfg(test)] diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs new file mode 100644 index 00000000..0fc1df3a --- /dev/null +++ b/openssl/src/x509/verify.rs @@ -0,0 +1,42 @@ +use std::marker::PhantomData; +use libc::c_uint; +use ffi; + +use error::ErrorStack; + +bitflags! { + pub flags X509CheckFlags: c_uint { + const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, + const X509_CHECK_FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS, + const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, + const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, + const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS + = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS, + #[cfg(feature = "openssl-110")] + const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, + } +} + +pub struct X509VerifyParamRef<'a>(*mut ffi::X509_VERIFY_PARAM, PhantomData<&'a mut ()>); + +impl<'a> X509VerifyParamRef<'a> { + pub unsafe fn from_ptr(ptr: *mut ffi::X509_VERIFY_PARAM) -> X509VerifyParamRef<'a> { + X509VerifyParamRef(ptr, PhantomData) + } + + pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) { + unsafe { + ffi::X509_VERIFY_PARAM_set_hostflags(self.0, hostflags.bits); + } + } + + pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { + unsafe { + try_ssl!(ffi::X509_VERIFY_PARAM_set1_host(self.0, + host.as_ptr() as *const _, + host.len())) + } + + Ok(()) + } +}