From af51b263b17faaa3e7cb0ecc5c305b858faea64c Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 14 Oct 2016 17:39:31 -0700 Subject: [PATCH 1/2] Support hostname verification Closes #206 --- openssl-sys/src/ossl110.rs | 49 +++++++++++++++++++++++------------- openssl/src/ssl/mod.rs | 12 +++++++++ openssl/src/ssl/tests/mod.rs | 44 ++++++++++++++++++++++++++++++++ openssl/src/x509/mod.rs | 3 +++ openssl/src/x509/verify.rs | 41 ++++++++++++++++++++++++++++++ 5 files changed, 132 insertions(+), 17 deletions(-) create mode 100644 openssl/src/x509/verify.rs diff --git a/openssl-sys/src/ossl110.rs b/openssl-sys/src/ossl110.rs index 5fee4045..20cd0940 100644 --- a/openssl-sys/src/ossl110.rs +++ b/openssl-sys/src/ossl110.rs @@ -1,25 +1,28 @@ -use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long}; +use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long, c_uint, size_t}; +pub enum BIGNUM {} +pub enum BIO {} +pub enum BIO_METHOD {} +pub enum CRYPTO_EX_DATA {} +pub enum DH {} +pub enum DSA {} +pub enum EVP_CIPHER {} +pub enum EVP_MD_CTX {} +pub enum EVP_PKEY {} +pub enum HMAC_CTX {} +pub enum OPENSSL_STACK {} +pub enum RSA {} +pub enum SSL_CTX {} +pub enum _STACK {} +pub enum stack_st_ASN1_OBJECT {} +pub enum stack_st_GENERAL_NAME {} +pub enum stack_st_OPENSSL_STRING {} +pub enum stack_st_void {} pub enum stack_st_X509 {} pub enum stack_st_X509_ATTRIBUTE {} pub enum stack_st_X509_EXTENSION {} -pub enum stack_st_GENERAL_NAME {} -pub enum stack_st_void {} -pub enum _STACK {} -pub enum BIO_METHOD {} -pub enum RSA {} -pub enum DSA {} -pub enum EVP_PKEY {} -pub enum BIO {} -pub enum CRYPTO_EX_DATA {} -pub enum EVP_MD_CTX {} -pub enum EVP_CIPHER {} -pub enum HMAC_CTX {} -pub enum BIGNUM {} -pub enum OPENSSL_STACK {} -pub enum DH {} pub enum X509 {} -pub enum SSL_CTX {} +pub enum X509_VERIFY_PARAM {} pub const SSL_OP_MICROSOFT_SESS_ID_BUG: c_ulong = 0x00000000; pub const SSL_OP_NETSCAPE_CHALLENGE_BUG: c_ulong = 0x00000000; @@ -41,6 +44,13 @@ pub const OPENSSL_DIR: c_int = 4; pub const CRYPTO_EX_INDEX_SSL: c_int = 0; pub const CRYPTO_EX_INDEX_SSL_CTX: c_int = 1; +pub const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT: c_uint = 0x1; +pub const X509_CHECK_FLAG_NO_WILDCARDS: c_uint = 0x2; +pub const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS: c_uint = 0x4; +pub const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS: c_uint = 0x8; +pub const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS: c_uint = 0x10; +pub const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT: c_uint = 0x20; + pub fn init() {} extern { @@ -96,8 +106,13 @@ extern { pub fn SSL_CTX_get_options(ctx: *const ::SSL_CTX) -> c_ulong; pub fn SSL_CTX_set_options(ctx: *mut ::SSL_CTX, op: c_ulong) -> c_ulong; pub fn SSL_CTX_clear_options(ctx: *mut ::SSL_CTX, op: c_ulong) -> c_ulong; + pub fn SSL_get0_param(ssl: *mut ::SSL) -> *mut X509_VERIFY_PARAM; pub fn X509_getm_notAfter(x: *const ::X509) -> *mut ::ASN1_TIME; pub fn X509_getm_notBefore(x: *const ::X509) -> *mut ::ASN1_TIME; + pub fn X509_VERIFY_PARAM_set_hostflags(param: *mut X509_VERIFY_PARAM, flags: c_uint); + pub fn X509_VERIFY_PARAM_set1_host(param: *mut X509_VERIFY_PARAM, + name: *const c_char, + namelen: size_t) -> c_int; pub fn DH_set0_pqg(dh: *mut ::DH, p: *mut ::BIGNUM, q: *mut ::BIGNUM, diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 0bd3272b..a3c35f3a 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -22,6 +22,8 @@ use ffi; use init; use dh::DH; use x509::{X509StoreContext, X509FileType, X509, X509Ref}; +#[cfg(feature = "openssl-110")] +use x509::verify::X509VerifyParamRef; use crypto::pkey::PKey; use error::ErrorStack; @@ -988,6 +990,16 @@ impl<'a> SslRef<'a> { SslContextRef::from_ptr(ssl_ctx) } } + + /// Returns the X509 verification configuration. + /// + /// Requires the `openssl-110` feature. + #[cfg(feature = "openssl-110")] + pub fn param(&mut self) -> X509VerifyParamRef<'a> { + unsafe { + X509VerifyParamRef::from_ptr(ffi::SSL_get0_param(self.as_ptr())) + } + } } pub struct Ssl(SslRef<'static>); diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index f86895e5..6dba713f 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -21,9 +21,13 @@ use ssl::SslMethod::Tls; use ssl::{SslMethod, HandshakeError}; use ssl::error::Error; use ssl::{SslContext, SslStream}; +#[cfg(feature = "openssl-110")] +use ssl::IntoSsl; use x509::X509StoreContext; use x509::X509FileType; use x509::X509; +#[cfg(feature = "openssl-110")] +use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; use crypto::pkey::PKey; use std::net::UdpSocket; @@ -1042,3 +1046,43 @@ fn add_extra_chain_cert() { let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); ctx.add_extra_chain_cert(&cert).unwrap(); } + +#[test] +#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :( +#[cfg(feature = "openssl-110")] +fn valid_hostname() { + let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); + ctx.set_default_verify_paths().unwrap(); + ctx.set_verify(SSL_VERIFY_PEER); + + let mut ssl = ctx.into_ssl().unwrap(); + ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + ssl.param().set_host("google.com").unwrap(); + + let s = TcpStream::connect("google.com:443").unwrap(); + let mut socket = SslStream::connect(ssl, s).unwrap(); + + socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap(); + let mut result = vec![]; + socket.read_to_end(&mut result).unwrap(); + + println!("{}", String::from_utf8_lossy(&result)); + assert!(result.starts_with(b"HTTP/1.0")); + assert!(result.ends_with(b"\r\n") || result.ends_with(b"")); +} + +#[test] +#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :( +#[cfg(feature = "openssl-110")] +fn invalid_hostname() { + let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); + ctx.set_default_verify_paths().unwrap(); + ctx.set_verify(SSL_VERIFY_PEER); + + let mut ssl = ctx.into_ssl().unwrap(); + ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + ssl.param().set_host("foobar.com").unwrap(); + + let s = TcpStream::connect("google.com:443").unwrap(); + assert!(SslStream::connect(ssl, s).is_err()); +} diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 086342dd..5b65e866 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -38,6 +38,9 @@ use ffi::{ pub mod extension; +#[cfg(feature = "openssl-110")] +pub mod verify; + use self::extension::{ExtensionType, Extension}; #[cfg(test)] diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs new file mode 100644 index 00000000..683836e8 --- /dev/null +++ b/openssl/src/x509/verify.rs @@ -0,0 +1,41 @@ +use std::marker::PhantomData; +use libc::c_uint; +use ffi; + +use error::ErrorStack; + +bitflags! { + pub flags X509CheckFlags: c_uint { + const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, + const X509_CHECK_FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS, + const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, + const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, + const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS + = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS, + const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, + } +} + +pub struct X509VerifyParamRef<'a>(*mut ffi::X509_VERIFY_PARAM, PhantomData<&'a mut ()>); + +impl<'a> X509VerifyParamRef<'a> { + pub unsafe fn from_ptr(ptr: *mut ffi::X509_VERIFY_PARAM) -> X509VerifyParamRef<'a> { + X509VerifyParamRef(ptr, PhantomData) + } + + pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) { + unsafe { + ffi::X509_VERIFY_PARAM_set_hostflags(self.0, hostflags.bits); + } + } + + pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { + unsafe { + try_ssl!(ffi::X509_VERIFY_PARAM_set1_host(self.0, + host.as_ptr() as *const _, + host.len())) + } + + Ok(()) + } +} From d976b8f59558f57561bd37b037955b47a328902f Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 14 Oct 2016 18:04:31 -0700 Subject: [PATCH 2/2] Enable hostname verification on 1.0.2 --- openssl-sys/src/lib.rs | 24 +++++++++++++++++++++--- openssl-sys/src/ossl10x.rs | 24 +++++++++++++++++++++++- openssl-sys/src/ossl110.rs | 12 +----------- openssl/src/ssl/mod.rs | 6 +++--- openssl/src/ssl/tests/mod.rs | 8 ++++---- openssl/src/x509/mod.rs | 2 +- openssl/src/x509/verify.rs | 1 + 7 files changed, 54 insertions(+), 23 deletions(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index de201332..300ed056 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -252,6 +252,17 @@ pub const X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: c_int = 45; pub const X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: c_int = 53; pub const X509_V_OK: c_int = 0; +#[cfg(not(ossl101))] +pub const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT: c_uint = 0x1; +#[cfg(not(ossl101))] +pub const X509_CHECK_FLAG_NO_WILDCARDS: c_uint = 0x2; +#[cfg(not(ossl101))] +pub const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS: c_uint = 0x4; +#[cfg(not(ossl101))] +pub const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS: c_uint = 0x8; +#[cfg(not(ossl101))] +pub const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS: c_uint = 0x10; + pub const GEN_OTHERNAME: c_int = 0; pub const GEN_EMAIL: c_int = 1; pub const GEN_DNS: c_int = 2; @@ -587,13 +598,13 @@ extern { verify_callback: Option c_int>); pub fn SSL_set_ex_data(ssl: *mut SSL, idx: c_int, data: *mut c_void) -> c_int; pub fn SSL_get_ex_data(ssl: *const SSL, idx: c_int) -> *mut c_void; - pub fn SSL_get_servername(ssl: *const SSL, name_type: c_int) -> *const c_char; + pub fn SSL_get_current_cipher(ssl: *const SSL) -> *const SSL_CIPHER; + #[cfg(not(ossl101))] + pub fn SSL_get0_param(ssl: *mut ::SSL) -> *mut X509_VERIFY_PARAM; pub fn SSL_COMP_get_name(comp: *const COMP_METHOD) -> *const c_char; - pub fn SSL_get_current_cipher(ssl: *const SSL) -> *const SSL_CIPHER; - pub fn SSL_CIPHER_get_name(cipher: *const SSL_CIPHER) -> *const c_char; pub fn SSL_CIPHER_get_bits(cipher: *const SSL_CIPHER, alg_bits: *mut c_int) -> c_int; pub fn SSL_CIPHER_description(cipher: *const SSL_CIPHER, buf: *mut c_char, size: c_int) -> *mut c_char; @@ -693,6 +704,13 @@ extern { pub fn X509_REQ_add_extensions(req: *mut X509_REQ, exts: *mut stack_st_X509_EXTENSION) -> c_int; pub fn X509_REQ_sign(x: *mut X509_REQ, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> c_int; + #[cfg(not(ossl101))] + pub fn X509_VERIFY_PARAM_set_hostflags(param: *mut X509_VERIFY_PARAM, flags: c_uint); + #[cfg(not(ossl101))] + pub fn X509_VERIFY_PARAM_set1_host(param: *mut X509_VERIFY_PARAM, + name: *const c_char, + namelen: size_t) -> c_int; + pub fn d2i_X509(a: *mut *mut X509, pp: *mut *const c_uchar, length: c_long) -> *mut X509; pub fn i2d_X509_bio(b: *mut BIO, x: *mut X509) -> c_int; pub fn i2d_X509_REQ_bio(b: *mut BIO, x: *mut X509_REQ) -> c_int; diff --git a/openssl-sys/src/ossl10x.rs b/openssl-sys/src/ossl10x.rs index 70514cc8..86451a0c 100644 --- a/openssl-sys/src/ossl10x.rs +++ b/openssl-sys/src/ossl10x.rs @@ -2,7 +2,12 @@ use std::sync::{Mutex, MutexGuard}; use std::sync::{Once, ONCE_INIT}; use std::mem; -use libc::{c_int, c_char, c_void, c_long, c_uchar, size_t, c_uint, c_ulong}; +use libc::{c_int, c_char, c_void, c_long, c_uchar, size_t, c_uint, c_ulong, time_t}; + +#[repr(C)] +pub struct stack_st_ASN1_OBJECT { + pub stack: _STACK, +} #[repr(C)] pub struct stack_st_X509 { @@ -425,6 +430,23 @@ pub struct SRP_CTX { srp_Mask: c_ulong, } +#[repr(C)] +#[cfg(not(ossl101))] +pub struct X509_VERIFY_PARAM { + pub name: *mut c_char, + pub check_time: time_t, + pub inh_flags: c_ulong, + pub flags: c_ulong, + pub purpose: c_int, + pub trust: c_int, + pub depth: c_int, + pub policies: *mut stack_st_ASN1_OBJECT, + pub id: *mut X509_VERIFY_PARAM_ID, +} + +#[cfg(not(ossl101))] +pub enum X509_VERIFY_PARAM_ID {} + pub const SSL_CTRL_OPTIONS: c_int = 32; pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77; #[cfg(ossl102)] diff --git a/openssl-sys/src/ossl110.rs b/openssl-sys/src/ossl110.rs index 20cd0940..1a7c9e00 100644 --- a/openssl-sys/src/ossl110.rs +++ b/openssl-sys/src/ossl110.rs @@ -1,4 +1,4 @@ -use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long, c_uint, size_t}; +use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long, c_uint}; pub enum BIGNUM {} pub enum BIO {} @@ -44,11 +44,6 @@ pub const OPENSSL_DIR: c_int = 4; pub const CRYPTO_EX_INDEX_SSL: c_int = 0; pub const CRYPTO_EX_INDEX_SSL_CTX: c_int = 1; -pub const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT: c_uint = 0x1; -pub const X509_CHECK_FLAG_NO_WILDCARDS: c_uint = 0x2; -pub const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS: c_uint = 0x4; -pub const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS: c_uint = 0x8; -pub const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS: c_uint = 0x10; pub const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT: c_uint = 0x20; pub fn init() {} @@ -106,13 +101,8 @@ extern { pub fn SSL_CTX_get_options(ctx: *const ::SSL_CTX) -> c_ulong; pub fn SSL_CTX_set_options(ctx: *mut ::SSL_CTX, op: c_ulong) -> c_ulong; pub fn SSL_CTX_clear_options(ctx: *mut ::SSL_CTX, op: c_ulong) -> c_ulong; - pub fn SSL_get0_param(ssl: *mut ::SSL) -> *mut X509_VERIFY_PARAM; pub fn X509_getm_notAfter(x: *const ::X509) -> *mut ::ASN1_TIME; pub fn X509_getm_notBefore(x: *const ::X509) -> *mut ::ASN1_TIME; - pub fn X509_VERIFY_PARAM_set_hostflags(param: *mut X509_VERIFY_PARAM, flags: c_uint); - pub fn X509_VERIFY_PARAM_set1_host(param: *mut X509_VERIFY_PARAM, - name: *const c_char, - namelen: size_t) -> c_int; pub fn DH_set0_pqg(dh: *mut ::DH, p: *mut ::BIGNUM, q: *mut ::BIGNUM, diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index a3c35f3a..b042d81e 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -22,7 +22,7 @@ use ffi; use init; use dh::DH; use x509::{X509StoreContext, X509FileType, X509, X509Ref}; -#[cfg(feature = "openssl-110")] +#[cfg(feature = "openssl-102")] use x509::verify::X509VerifyParamRef; use crypto::pkey::PKey; use error::ErrorStack; @@ -993,8 +993,8 @@ impl<'a> SslRef<'a> { /// Returns the X509 verification configuration. /// - /// Requires the `openssl-110` feature. - #[cfg(feature = "openssl-110")] + /// Requires the `openssl-102` feature. + #[cfg(feature = "openssl-102")] pub fn param(&mut self) -> X509VerifyParamRef<'a> { unsafe { X509VerifyParamRef::from_ptr(ffi::SSL_get0_param(self.as_ptr())) diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index 6dba713f..b3500105 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -21,12 +21,12 @@ use ssl::SslMethod::Tls; use ssl::{SslMethod, HandshakeError}; use ssl::error::Error; use ssl::{SslContext, SslStream}; -#[cfg(feature = "openssl-110")] +#[cfg(feature = "openssl-102")] use ssl::IntoSsl; use x509::X509StoreContext; use x509::X509FileType; use x509::X509; -#[cfg(feature = "openssl-110")] +#[cfg(feature = "openssl-102")] use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; use crypto::pkey::PKey; @@ -1049,7 +1049,7 @@ fn add_extra_chain_cert() { #[test] #[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :( -#[cfg(feature = "openssl-110")] +#[cfg(feature = "openssl-102")] fn valid_hostname() { let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); ctx.set_default_verify_paths().unwrap(); @@ -1073,7 +1073,7 @@ fn valid_hostname() { #[test] #[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :( -#[cfg(feature = "openssl-110")] +#[cfg(feature = "openssl-102")] fn invalid_hostname() { let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); ctx.set_default_verify_paths().unwrap(); diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 5b65e866..9fed94e2 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -38,7 +38,7 @@ use ffi::{ pub mod extension; -#[cfg(feature = "openssl-110")] +#[cfg(feature = "openssl-102")] pub mod verify; use self::extension::{ExtensionType, Extension}; diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index 683836e8..0fc1df3a 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -12,6 +12,7 @@ bitflags! { const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS, + #[cfg(feature = "openssl-110")] const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, } }