Merge pull request #469 from sfackler/hostname

Support hostname verification
2016-10-14 19:07:33 -07:00 · 2016-10-14 19:07:33 -07:00 · ed076de2ca
parent b2c09440f6 d976b8f595
commit ed076de2ca
7 changed files with 167 additions and 21 deletions
--- a/openssl-sys/src/lib.rs
+++ b/openssl-sys/src/lib.rs
@ -252,6 +252,17 @@ pub const X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: c_int = 45;
 pub const X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: c_int = 53;
 pub const X509_V_OK: c_int = 0;

+#[cfg(not(ossl101))]
+pub const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT: c_uint = 0x1;
+#[cfg(not(ossl101))]
+pub const X509_CHECK_FLAG_NO_WILDCARDS: c_uint = 0x2;
+#[cfg(not(ossl101))]
+pub const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS: c_uint = 0x4;
+#[cfg(not(ossl101))]
+pub const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS: c_uint = 0x8;
+#[cfg(not(ossl101))]
+pub const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS: c_uint = 0x10;
+
 pub const GEN_OTHERNAME: c_int = 0;
 pub const GEN_EMAIL: c_int = 1;
 pub const GEN_DNS: c_int = 2;
@ -587,13 +598,13 @@ extern {
                          verify_callback: Option<extern fn(c_int, *mut X509_STORE_CTX) -> c_int>);
    pub fn SSL_set_ex_data(ssl: *mut SSL, idx: c_int, data: *mut c_void) -> c_int;
    pub fn SSL_get_ex_data(ssl: *const SSL, idx: c_int) -> *mut c_void;
-
    pub fn SSL_get_servername(ssl: *const SSL, name_type: c_int) -> *const c_char;
+    pub fn SSL_get_current_cipher(ssl: *const SSL) -> *const SSL_CIPHER;
+    #[cfg(not(ossl101))]
+    pub fn SSL_get0_param(ssl: *mut ::SSL) -> *mut X509_VERIFY_PARAM;

    pub fn SSL_COMP_get_name(comp: *const COMP_METHOD) -> *const c_char;

-    pub fn SSL_get_current_cipher(ssl: *const SSL) -> *const SSL_CIPHER;
-
    pub fn SSL_CIPHER_get_name(cipher: *const SSL_CIPHER) -> *const c_char;
    pub fn SSL_CIPHER_get_bits(cipher: *const SSL_CIPHER, alg_bits: *mut c_int) -> c_int;
    pub fn SSL_CIPHER_description(cipher: *const SSL_CIPHER, buf: *mut c_char, size: c_int) -> *mut c_char;
@ -693,6 +704,13 @@ extern {
    pub fn X509_REQ_add_extensions(req: *mut X509_REQ, exts: *mut stack_st_X509_EXTENSION) -> c_int;
    pub fn X509_REQ_sign(x: *mut X509_REQ, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> c_int;

+    #[cfg(not(ossl101))]
+    pub fn X509_VERIFY_PARAM_set_hostflags(param: *mut X509_VERIFY_PARAM, flags: c_uint);
+    #[cfg(not(ossl101))]
+    pub fn X509_VERIFY_PARAM_set1_host(param: *mut X509_VERIFY_PARAM,
+                                       name: *const c_char,
+                                       namelen: size_t) -> c_int;
+
    pub fn d2i_X509(a: *mut *mut X509, pp: *mut *const c_uchar, length: c_long) -> *mut X509;
    pub fn i2d_X509_bio(b: *mut BIO, x: *mut X509) -> c_int;
    pub fn i2d_X509_REQ_bio(b: *mut BIO, x: *mut X509_REQ) -> c_int;
--- a/openssl-sys/src/ossl10x.rs
+++ b/openssl-sys/src/ossl10x.rs
@ -2,7 +2,12 @@ use std::sync::{Mutex, MutexGuard};
 use std::sync::{Once, ONCE_INIT};
 use std::mem;

-use libc::{c_int, c_char, c_void, c_long, c_uchar, size_t, c_uint, c_ulong};
+use libc::{c_int, c_char, c_void, c_long, c_uchar, size_t, c_uint, c_ulong, time_t};
+
+#[repr(C)]
+pub struct stack_st_ASN1_OBJECT {
+    pub stack: _STACK,
+}

 #[repr(C)]
 pub struct stack_st_X509 {
@ -425,6 +430,23 @@ pub struct SRP_CTX {
    srp_Mask: c_ulong,
 }

+#[repr(C)]
+#[cfg(not(ossl101))]
+pub struct X509_VERIFY_PARAM {
+    pub name: *mut c_char,
+    pub check_time: time_t,
+    pub inh_flags: c_ulong,
+    pub flags: c_ulong,
+    pub purpose: c_int,
+    pub trust: c_int,
+    pub depth: c_int,
+    pub policies: *mut stack_st_ASN1_OBJECT,
+    pub id: *mut X509_VERIFY_PARAM_ID,
+}
+
+#[cfg(not(ossl101))]
+pub enum X509_VERIFY_PARAM_ID {}
+
 pub const SSL_CTRL_OPTIONS: c_int = 32;
 pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77;
 #[cfg(ossl102)]
--- a/openssl-sys/src/ossl110.rs
+++ b/openssl-sys/src/ossl110.rs
@ -1,25 +1,28 @@
-use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long};
+use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long, c_uint};

+pub enum BIGNUM {}
+pub enum BIO {}
+pub enum BIO_METHOD {}
+pub enum CRYPTO_EX_DATA {}
+pub enum DH {}
+pub enum DSA {}
+pub enum EVP_CIPHER {}
+pub enum EVP_MD_CTX {}
+pub enum EVP_PKEY {}
+pub enum HMAC_CTX {}
+pub enum OPENSSL_STACK {}
+pub enum RSA {}
+pub enum SSL_CTX {}
+pub enum _STACK {}
+pub enum stack_st_ASN1_OBJECT {}
+pub enum stack_st_GENERAL_NAME {}
+pub enum stack_st_OPENSSL_STRING {}
+pub enum stack_st_void {}
 pub enum stack_st_X509 {}
 pub enum stack_st_X509_ATTRIBUTE {}
 pub enum stack_st_X509_EXTENSION {}
-pub enum stack_st_GENERAL_NAME {}
-pub enum stack_st_void {}
-pub enum _STACK {}
-pub enum BIO_METHOD {}
-pub enum RSA {}
-pub enum DSA {}
-pub enum EVP_PKEY {}
-pub enum BIO {}
-pub enum CRYPTO_EX_DATA {}
-pub enum EVP_MD_CTX {}
-pub enum EVP_CIPHER {}
-pub enum HMAC_CTX {}
-pub enum BIGNUM {}
-pub enum OPENSSL_STACK {}
-pub enum DH {}
 pub enum X509 {}
-pub enum SSL_CTX {}
+pub enum X509_VERIFY_PARAM {}

 pub const SSL_OP_MICROSOFT_SESS_ID_BUG: c_ulong =                   0x00000000;
 pub const SSL_OP_NETSCAPE_CHALLENGE_BUG: c_ulong =                  0x00000000;
@ -41,6 +44,8 @@ pub const OPENSSL_DIR: c_int = 4;
 pub const CRYPTO_EX_INDEX_SSL: c_int = 0;
 pub const CRYPTO_EX_INDEX_SSL_CTX: c_int = 1;

+pub const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT: c_uint = 0x20;
+
 pub fn init() {}

 extern {
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@ -22,6 +22,8 @@ use ffi;
 use init;
 use dh::DH;
 use x509::{X509StoreContext, X509FileType, X509, X509Ref};
+#[cfg(feature = "openssl-102")]
+use x509::verify::X509VerifyParamRef;
 use crypto::pkey::PKey;
 use error::ErrorStack;

@ -988,6 +990,16 @@ impl<'a> SslRef<'a> {
            SslContextRef::from_ptr(ssl_ctx)
        }
    }
+
+    /// Returns the X509 verification configuration.
+    ///
+    /// Requires the `openssl-102` feature.
+    #[cfg(feature = "openssl-102")]
+    pub fn param(&mut self) -> X509VerifyParamRef<'a> {
+        unsafe {
+            X509VerifyParamRef::from_ptr(ffi::SSL_get0_param(self.as_ptr()))
+        }
+    }
 }

 pub struct Ssl(SslRef<'static>);
--- a/openssl/src/ssl/tests/mod.rs
+++ b/openssl/src/ssl/tests/mod.rs
@ -21,9 +21,13 @@ use ssl::SslMethod::Tls;
 use ssl::{SslMethod, HandshakeError};
 use ssl::error::Error;
 use ssl::{SslContext, SslStream};
+#[cfg(feature = "openssl-102")]
+use ssl::IntoSsl;
 use x509::X509StoreContext;
 use x509::X509FileType;
 use x509::X509;
+#[cfg(feature = "openssl-102")]
+use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
 use crypto::pkey::PKey;

 use std::net::UdpSocket;
@ -1042,3 +1046,43 @@ fn add_extra_chain_cert() {
    let mut ctx = SslContext::new(SslMethod::Tls).unwrap();
    ctx.add_extra_chain_cert(&cert).unwrap();
 }
+
+#[test]
+#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :(
+#[cfg(feature = "openssl-102")]
+fn valid_hostname() {
+    let mut ctx = SslContext::new(SslMethod::Tls).unwrap();
+    ctx.set_default_verify_paths().unwrap();
+    ctx.set_verify(SSL_VERIFY_PEER);
+
+    let mut ssl = ctx.into_ssl().unwrap();
+    ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+    ssl.param().set_host("google.com").unwrap();
+
+    let s = TcpStream::connect("google.com:443").unwrap();
+    let mut socket = SslStream::connect(ssl, s).unwrap();
+
+    socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
+    let mut result = vec![];
+    socket.read_to_end(&mut result).unwrap();
+
+    println!("{}", String::from_utf8_lossy(&result));
+    assert!(result.starts_with(b"HTTP/1.0"));
+    assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>"));
+}
+
+#[test]
+#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :(
+#[cfg(feature = "openssl-102")]
+fn invalid_hostname() {
+    let mut ctx = SslContext::new(SslMethod::Tls).unwrap();
+    ctx.set_default_verify_paths().unwrap();
+    ctx.set_verify(SSL_VERIFY_PEER);
+
+    let mut ssl = ctx.into_ssl().unwrap();
+    ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+    ssl.param().set_host("foobar.com").unwrap();
+
+    let s = TcpStream::connect("google.com:443").unwrap();
+    assert!(SslStream::connect(ssl, s).is_err());
+}
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@ -38,6 +38,9 @@ use ffi::{

 pub mod extension;

+#[cfg(feature = "openssl-102")]
+pub mod verify;
+
 use self::extension::{ExtensionType, Extension};

 #[cfg(test)]
--- a/openssl/src/x509/verify.rs
+++ b/openssl/src/x509/verify.rs
@ -0,0 +1,42 @@
+use std::marker::PhantomData;
+use libc::c_uint;
+use ffi;
+
+use error::ErrorStack;
+
+bitflags! {
+    pub flags X509CheckFlags: c_uint {
+        const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT,
+        const X509_CHECK_FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS,
+        const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
+        const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS,
+        const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+            = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
+        #[cfg(feature = "openssl-110")]
+        const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT,
+    }
+}
+
+pub struct X509VerifyParamRef<'a>(*mut ffi::X509_VERIFY_PARAM, PhantomData<&'a mut ()>);
+
+impl<'a> X509VerifyParamRef<'a> {
+    pub unsafe fn from_ptr(ptr: *mut ffi::X509_VERIFY_PARAM) -> X509VerifyParamRef<'a> {
+        X509VerifyParamRef(ptr, PhantomData)
+    }
+
+    pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) {
+        unsafe {
+            ffi::X509_VERIFY_PARAM_set_hostflags(self.0, hostflags.bits);
+        }
+    }
+
+    pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> {
+        unsafe {
+            try_ssl!(ffi::X509_VERIFY_PARAM_set1_host(self.0,
+                                                      host.as_ptr() as *const _,
+                                                      host.len()))
+        }
+
+        Ok(())
+    }
+}