diff options
| author | Steven Fackler <[email protected]> | 2013-12-28 17:35:38 -0700 |
|---|---|---|
| committer | Steven Fackler <[email protected]> | 2013-12-28 17:35:38 -0700 |
| commit | ec8d926e568605863f7a4c328226aa9c179577aa (patch) | |
| tree | 818810e7c8cd181ebc577dc45e16c89f925047cf | |
| parent | Prepare rustcrypto to merge into rust-openssl (diff) | |
| parent | Prepare rust-ssl to merge into rust-openssl (diff) | |
| download | rust-openssl-ec8d926e568605863f7a4c328226aa9c179577aa.tar.xz rust-openssl-ec8d926e568605863f7a4c328226aa9c179577aa.zip | |
Merge remote-tracking branches 'rustcrypto/master' and 'rust-ssl/master'
Conflicts:
.travis.yml
| -rw-r--r-- | .gitignore | 2 | ||||
| -rw-r--r-- | .travis.yml | 2 | ||||
| -rw-r--r-- | ssl/error.rs | 59 | ||||
| -rw-r--r-- | ssl/ffi.rs | 159 | ||||
| -rw-r--r-- | ssl/lib.rs | 559 | ||||
| -rw-r--r-- | ssl/test.rs | 164 | ||||
| -rw-r--r-- | ssl/test/cert.pem | 21 | ||||
| -rw-r--r-- | ssl/test/key.pem | 28 |
8 files changed, 994 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..9aef65b4 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +/.rust/ +/doc/ diff --git a/.travis.yml b/.travis.yml index 1ba08680..fae15328 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,5 +3,7 @@ before_install: - sudo apt-get update install: - sudo apt-get install rust-nightly +before_script: + - openssl s_server -accept 15418 -www -cert test/cert.pem -key test/key.pem >/dev/null & script: - make all test diff --git a/ssl/error.rs b/ssl/error.rs new file mode 100644 index 00000000..769cc768 --- /dev/null +++ b/ssl/error.rs @@ -0,0 +1,59 @@ +use std::libc::c_ulong; + +use super::ffi; + +/// An SSL error +#[deriving(ToStr)] +pub enum SslError { + /// The underlying stream has reported an EOF + StreamEof, + /// The SSL session has been closed by the other end + SslSessionClosed, + /// An error in the OpenSSL library + OpenSslErrors(~[OpensslError]) +} + +/// An error from the OpenSSL library +#[deriving(ToStr)] +pub enum OpensslError { + /// An unknown error + UnknownError { + /// The library reporting the error + library: u8, + /// The function reporting the error + function: u16, + /// The reason for the error + reason: u16 + } +} + +fn get_lib(err: c_ulong) -> u8 { + ((err >> 24) & 0xff) as u8 +} + +fn get_func(err: c_ulong) -> u16 { + ((err >> 12) & 0xfff) as u16 +} + +fn get_reason(err: c_ulong) -> u16 { + (err & 0xfff) as u16 +} + +impl SslError { + /// Creates a new `OpenSslErrors` with the current contents of the error + /// stack. + pub fn get() -> SslError { + let mut errs = ~[]; + loop { + match unsafe { ffi::ERR_get_error() } { + 0 => break, + err => errs.push(UnknownError { + library: get_lib(err), + function: get_func(err), + reason: get_reason(err) + }) + } + } + OpenSslErrors(errs) + } +} diff --git a/ssl/ffi.rs b/ssl/ffi.rs new file mode 100644 index 00000000..45192fd3 --- /dev/null +++ b/ssl/ffi.rs @@ -0,0 +1,159 @@ +#[doc(hidden)]; + +use std::libc::{c_int, c_void, c_long, c_ulong, c_char}; + +pub type SSL_CTX = c_void; +pub type SSL_METHOD = c_void; +pub type SSL = c_void; +pub type BIO = c_void; +pub type BIO_METHOD = c_void; +pub type X509_STORE_CTX = c_void; +pub type X509 = c_void; +pub type X509_NAME = c_void; +pub type CRYPTO_EX_DATA = c_void; + +pub type CRYPTO_EX_new = extern "C" fn(parent: *c_void, ptr: *c_void, + ad: *CRYPTO_EX_DATA, idx: c_int, + argl: c_long, argp: *c_void) -> c_int; +pub type CRYPTO_EX_dup = extern "C" fn(to: *CRYPTO_EX_DATA, + from: *CRYPTO_EX_DATA, from_d: *c_void, + idx: c_int, argl: c_long, argp: *c_void) + -> c_int; +pub type CRYPTO_EX_free = extern "C" fn(parent: *c_void, ptr: *c_void, + ad: *CRYPTO_EX_DATA, idx: c_int, + argl: c_long, argp: *c_void); + +pub static CRYPTO_LOCK: c_int = 1; + +pub static SSL_ERROR_NONE: c_int = 0; +pub static SSL_ERROR_SSL: c_int = 1; +pub static SSL_ERROR_WANT_READ: c_int = 2; +pub static SSL_ERROR_WANT_WRITE: c_int = 3; +pub static SSL_ERROR_WANT_X509_LOOKUP: c_int = 4; +pub static SSL_ERROR_SYSCALL: c_int = 5; +pub static SSL_ERROR_ZERO_RETURN: c_int = 6; +pub static SSL_ERROR_WANT_CONNECT: c_int = 7; +pub static SSL_ERROR_WANT_ACCEPT: c_int = 8; + +pub static SSL_VERIFY_NONE: c_int = 0; +pub static SSL_VERIFY_PEER: c_int = 1; + +pub static X509_V_OK: c_int = 0; +pub static X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: c_int = 2; +pub static X509_V_ERR_UNABLE_TO_GET_CRL: c_int = 3; +pub static X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: c_int = 4; +pub static X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: c_int = 5; +pub static X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: c_int = 6; +pub static X509_V_ERR_CERT_SIGNATURE_FAILURE: c_int = 7; +pub static X509_V_ERR_CRL_SIGNATURE_FAILURE: c_int = 8; +pub static X509_V_ERR_CERT_NOT_YET_VALID: c_int = 9; +pub static X509_V_ERR_CERT_HAS_EXPIRED: c_int = 10; +pub static X509_V_ERR_CRL_NOT_YET_VALID: c_int = 11; +pub static X509_V_ERR_CRL_HAS_EXPIRED: c_int = 12; +pub static X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: c_int = 13; +pub static X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: c_int = 14; +pub static X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: c_int = 15; +pub static X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: c_int = 16; +pub static X509_V_ERR_OUT_OF_MEM: c_int = 17; +pub static X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: c_int = 18; +pub static X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: c_int = 19; +pub static X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: c_int = 20; +pub static X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: c_int = 21; +pub static X509_V_ERR_CERT_CHAIN_TOO_LONG: c_int = 22; +pub static X509_V_ERR_CERT_REVOKED: c_int = 23; +pub static X509_V_ERR_INVALID_CA: c_int = 24; +pub static X509_V_ERR_PATH_LENGTH_EXCEEDED: c_int = 25; +pub static X509_V_ERR_INVALID_PURPOSE: c_int = 26; +pub static X509_V_ERR_CERT_UNTRUSTED: c_int = 27; +pub static X509_V_ERR_CERT_REJECTED: c_int = 28; +pub static X509_V_ERR_SUBJECT_ISSUER_MISMATCH: c_int = 29; +pub static X509_V_ERR_AKID_SKID_MISMATCH: c_int = 30; +pub static X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: c_int = 31; +pub static X509_V_ERR_KEYUSAGE_NO_CERTSIGN: c_int = 32; +pub static X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: c_int = 33; +pub static X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: c_int = 34; +pub static X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: c_int = 35; +pub static X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: c_int = 36; +pub static X509_V_ERR_INVALID_NON_CA: c_int = 37; +pub static X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: c_int = 38; +pub static X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: c_int = 39; +pub static X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: c_int = 40; +pub static X509_V_ERR_INVALID_EXTENSION: c_int = 41; +pub static X509_V_ERR_INVALID_POLICY_EXTENSION: c_int = 42; +pub static X509_V_ERR_NO_EXPLICIT_POLICY: c_int = 43; +pub static X509_V_ERR_DIFFERENT_CRL_SCOPE: c_int = 44; +pub static X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: c_int = 45; +pub static X509_V_ERR_UNNESTED_RESOURCE: c_int = 46; +pub static X509_V_ERR_PERMITTED_VIOLATION: c_int = 47; +pub static X509_V_ERR_EXCLUDED_VIOLATION: c_int = 48; +pub static X509_V_ERR_SUBTREE_MINMAX: c_int = 49; +pub static X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: c_int = 51; +pub static X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: c_int = 52; +pub static X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: c_int = 53; +pub static X509_V_ERR_CRL_PATH_VALIDATION_ERROR: c_int = 54; +pub static X509_V_ERR_APPLICATION_VERIFICATION: c_int = 50; + +pub static XN_FLAG_RFC2253: c_ulong = 0x1110317; +pub static XN_FLAG_ONELINE: c_ulong = 0x82031f; +pub static XN_FLAG_MULTILINE: c_ulong = 0x2a40006; + +#[link(name="ssl")] +#[link(name="crypto")] +extern "C" { + pub fn CRYPTO_num_locks() -> c_int; + pub fn CRYPTO_set_locking_callback(func: extern "C" fn(mode: c_int, + n: c_int, + file: *c_char, + line: c_int)); + + pub fn ERR_get_error() -> c_ulong; + + pub fn SSL_library_init() -> c_int; + + pub fn SSLv3_method() -> *SSL_METHOD; + pub fn TLSv1_method() -> *SSL_METHOD; + pub fn SSLv23_method() -> *SSL_METHOD; + + pub fn SSL_CTX_new(method: *SSL_METHOD) -> *SSL_CTX; + pub fn SSL_CTX_free(ctx: *SSL_CTX); + pub fn SSL_CTX_set_verify(ctx: *SSL_CTX, mode: c_int, + verify_callback: Option<extern "C" fn(c_int, *X509_STORE_CTX) -> c_int>); + pub fn SSL_CTX_load_verify_locations(ctx: *SSL_CTX, CAfile: *c_char, + CApath: *c_char) -> c_int; + pub fn SSL_CTX_get_ex_new_index(argl: c_long, argp: *c_void, + new_func: Option<CRYPTO_EX_new>, + dup_func: Option<CRYPTO_EX_dup>, + free_func: Option<CRYPTO_EX_free>) + -> c_int; + pub fn SSL_CTX_set_ex_data(ctx: *SSL_CTX, idx: c_int, data: *c_void) + -> c_int; + pub fn SSL_CTX_get_ex_data(ctx: *SSL_CTX, idx: c_int) -> *c_void; + + pub fn X509_STORE_CTX_get_ex_data(ctx: *X509_STORE_CTX, idx: c_int) + -> *c_void; + pub fn X509_STORE_CTX_get_current_cert(ct: *X509_STORE_CTX) -> *X509; + pub fn X509_STORE_CTX_get_error(ctx: *X509_STORE_CTX) -> c_int; + + pub fn X509_get_subject_name(x: *X509) -> *X509_NAME; + + pub fn X509_NAME_print_ex(out: *BIO, nm: *X509_NAME, ident: c_int, + flags: c_ulong) -> c_int; + + pub fn SSL_new(ctx: *SSL_CTX) -> *SSL; + pub fn SSL_free(ssl: *SSL); + pub fn SSL_set_bio(ssl: *SSL, rbio: *BIO, wbio: *BIO); + pub fn SSL_get_rbio(ssl: *SSL) -> *BIO; + pub fn SSL_get_wbio(ssl: *SSL) -> *BIO; + pub fn SSL_connect(ssl: *SSL) -> c_int; + pub fn SSL_get_error(ssl: *SSL, ret: c_int) -> c_int; + pub fn SSL_read(ssl: *SSL, buf: *c_void, num: c_int) -> c_int; + pub fn SSL_write(ssl: *SSL, buf: *c_void, num: c_int) -> c_int; + pub fn SSL_get_ex_data_X509_STORE_CTX_idx() -> c_int; + pub fn SSL_get_SSL_CTX(ssl: *SSL) -> *SSL_CTX; + + pub fn BIO_s_mem() -> *BIO_METHOD; + pub fn BIO_new(type_: *BIO_METHOD) -> *BIO; + pub fn BIO_free_all(a: *BIO); + pub fn BIO_read(b: *BIO, buf: *c_void, len: c_int) -> c_int; + pub fn BIO_write(b: *BIO, buf: *c_void, len: c_int) -> c_int; +} diff --git a/ssl/lib.rs b/ssl/lib.rs new file mode 100644 index 00000000..8725080c --- /dev/null +++ b/ssl/lib.rs @@ -0,0 +1,559 @@ +#[feature(struct_variant, macro_rules)]; +#[crate_id="github.com/sfackler/rust-ssl"]; +#[doc(html_root_url="http://sfackler.github.io/rust-ssl/doc/")]; + +use std::cast; +use std::libc::{c_int, c_void, c_char}; +use std::ptr; +use std::task; +use std::sync::atomics::{AtomicBool, INIT_ATOMIC_BOOL, AtomicUint, + INIT_ATOMIC_UINT, Acquire, Release, SeqCst}; +use std::unstable::mutex::Mutex; +use std::io::{Stream, Reader, Writer, Decorator}; +use std::vec; + +use self::error::{SslError, SslSessionClosed, StreamEof}; + +pub mod error; + +mod ffi; + +static mut STARTED_INIT: AtomicBool = INIT_ATOMIC_BOOL; +static mut FINISHED_INIT: AtomicBool = INIT_ATOMIC_BOOL; + +static mut VERIFY_IDX: AtomicUint = INIT_ATOMIC_UINT; + +// actually a *~[Mutex] +static mut MUTEXES: AtomicUint = INIT_ATOMIC_UINT; + +fn init() { + unsafe { + if STARTED_INIT.swap(true, Acquire) { + while !FINISHED_INIT.load(Release) { + task::deschedule(); + } + return; + } + + ffi::SSL_library_init(); + let verify_idx = ffi::SSL_CTX_get_ex_new_index(0, ptr::null(), None, + None, None); + assert!(verify_idx >= 0); + VERIFY_IDX.store(verify_idx as uint, Release); + + let num_locks = ffi::CRYPTO_num_locks(); + let mutexes = ~vec::from_fn(num_locks as uint, |_| Mutex::new()); + MUTEXES.store(cast::transmute(mutexes), Release); + + ffi::CRYPTO_set_locking_callback(locking_function); + + FINISHED_INIT.store(true, Release); + } +} + +/// Determines the SSL method supported +pub enum SslMethod { + /// Only support the SSLv3 protocol + Sslv3, + /// Only support the TLSv1 protocol + Tlsv1, + /// Support the SSLv2, SSLv3 and TLSv1 protocols + Sslv23 +} + +impl SslMethod { + unsafe fn to_raw(&self) -> *ffi::SSL_METHOD { + match *self { + Sslv3 => ffi::SSLv3_method(), + Tlsv1 => ffi::TLSv1_method(), + Sslv23 => ffi::SSLv23_method() + } + } +} + +/// Determines the type of certificate verification used +pub enum SslVerifyMode { + /// Verify that the server's certificate is trusted + SslVerifyPeer = ffi::SSL_VERIFY_PEER, + /// Do not verify the server's certificate + SslVerifyNone = ffi::SSL_VERIFY_NONE +} + +extern "C" fn locking_function(mode: c_int, n: c_int, _file: *c_char, + _line: c_int) { + unsafe { + let mutexes: *mut ~[Mutex] = cast::transmute(MUTEXES.load(Acquire)); + let mutex = &mut (*mutexes)[n as uint]; + + if mode & ffi::CRYPTO_LOCK != 0 { + mutex.lock(); + } else { + mutex.unlock(); + } + } +} + +extern "C" fn raw_verify(preverify_ok: c_int, x509_ctx: *ffi::X509_STORE_CTX) + -> c_int { + unsafe { + let idx = ffi::SSL_get_ex_data_X509_STORE_CTX_idx(); + let ssl = ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx); + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); + let idx = VERIFY_IDX.load(Acquire) as c_int; + let verify = ffi::SSL_CTX_get_ex_data(ssl_ctx, idx); + let verify: Option<VerifyCallback> = cast::transmute(verify); + + let ctx = X509StoreContext { ctx: x509_ctx }; + + match verify { + None => preverify_ok, + Some(verify) => verify(preverify_ok != 0, &ctx) as c_int + } + } +} + +/// The signature of functions that can be used to manually verify certificates +pub type VerifyCallback = extern "Rust" fn(preverify_ok: bool, + x509_ctx: &X509StoreContext) -> bool; + +/// An SSL context object +pub struct SslContext { + priv ctx: *ffi::SSL_CTX +} + +impl Drop for SslContext { + fn drop(&mut self) { + unsafe { ffi::SSL_CTX_free(self.ctx) } + } +} + +impl SslContext { + /// Attempts to create a new SSL context. + pub fn try_new(method: SslMethod) -> Result<SslContext, SslError> { + init(); + + let ctx = unsafe { ffi::SSL_CTX_new(method.to_raw()) }; + if ctx == ptr::null() { + return Err(SslError::get()); + } + + Ok(SslContext { ctx: ctx }) + } + + /// A convenience wrapper around `try_new`. + pub fn new(method: SslMethod) -> SslContext { + match SslContext::try_new(method) { + Ok(ctx) => ctx, + Err(err) => fail!("Error creating SSL context: {:?}", err) + } + } + + /// Configures the certificate verification method for new connections. + pub fn set_verify(&mut self, mode: SslVerifyMode, + verify: Option<VerifyCallback>) { + unsafe { + let idx = VERIFY_IDX.load(SeqCst) as c_int; + ffi::SSL_CTX_set_ex_data(self.ctx, idx, + cast::transmute(verify)); + ffi::SSL_CTX_set_verify(self.ctx, mode as c_int, Some(raw_verify)); + } + } + + /// Specifies the file that contains trusted CA certificates. + pub fn set_CA_file(&mut self, file: &str) -> Option<SslError> { + let ret = file.with_c_str(|file| { + unsafe { + ffi::SSL_CTX_load_verify_locations(self.ctx, file, ptr::null()) + } + }); + + if ret == 0 { + Some(SslError::get()) + } else { + None + } + } +} + +pub struct X509StoreContext { + priv ctx: *ffi::X509_STORE_CTX +} + +impl X509StoreContext { + pub fn get_error(&self) -> Option<X509ValidationError> { + let err = unsafe { ffi::X509_STORE_CTX_get_error(self.ctx) }; + X509ValidationError::from_raw(err) + } + + pub fn get_current_cert<'a>(&'a self) -> Option<X509<'a>> { + let ptr = unsafe { ffi::X509_STORE_CTX_get_current_cert(self.ctx) }; + + if ptr.is_null() { + None + } else { + Some(X509 { ctx: self, x509: ptr }) + } + } +} + +/// A public key certificate +pub struct X509<'ctx> { + priv ctx: &'ctx X509StoreContext, + priv x509: *ffi::X509 +} + +impl<'ctx> X509<'ctx> { + pub fn subject_name<'a>(&'a self) -> X509Name<'a> { + let name = unsafe { ffi::X509_get_subject_name(self.x509) }; + X509Name { x509: self, name: name } + } +} + +pub struct X509Name<'x> { + priv x509: &'x X509<'x>, + priv name: *ffi::X509_NAME +} + +pub enum X509NameFormat { + Rfc2253 = ffi::XN_FLAG_RFC2253, + Oneline = ffi::XN_FLAG_ONELINE, + Multiline = ffi::XN_FLAG_MULTILINE +} + +macro_rules! make_validation_error( + ($ok_val:ident, $($name:ident = $val:ident,)+) => ( + pub enum X509ValidationError { + $($name,)+ + X509UnknownError(c_int) + } + + impl X509ValidationError { + #[doc(hidden)] + pub fn from_raw(err: c_int) -> Option<X509ValidationError> { + match err { + self::ffi::$ok_val => None, + $(self::ffi::$val => Some($name),)+ + err => Some(X509UnknownError(err)) + } + } + } + ) +) + +make_validation_error!(X509_V_OK, + X509UnableToGetIssuerCert = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, + X509UnableToGetCrl = X509_V_ERR_UNABLE_TO_GET_CRL, + X509UnableToDecryptCertSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, + X509UnableToDecryptCrlSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, + X509UnableToDecodeIssuerPublicKey = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, + X509CertSignatureFailure = X509_V_ERR_CERT_SIGNATURE_FAILURE, + X509CrlSignatureFailure = X509_V_ERR_CRL_SIGNATURE_FAILURE, + X509CertNotYetValid = X509_V_ERR_CERT_NOT_YET_VALID, + X509CertHasExpired = X509_V_ERR_CERT_HAS_EXPIRED, + X509CrlNotYetValid = X509_V_ERR_CRL_NOT_YET_VALID, + X509CrlHasExpired = X509_V_ERR_CRL_HAS_EXPIRED, + X509ErrorInCertNotBeforeField = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, + X509ErrorInCertNotAfterField = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, + X509ErrorInCrlLastUpdateField = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, + X509ErrorInCrlNextUpdateField = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, + X509OutOfMem = X509_V_ERR_OUT_OF_MEM, + X509DepthZeroSelfSignedCert = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, + X509SelfSignedCertInChain = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, + X509UnableToGetIssuerCertLocally = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, + X509UnableToVerifyLeafSignature = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, + X509CertChainTooLong = X509_V_ERR_CERT_CHAIN_TOO_LONG, + X509CertRevoked = X509_V_ERR_CERT_REVOKED, + X509InvalidCA = X509_V_ERR_INVALID_CA, + X509PathLengthExceeded = X509_V_ERR_PATH_LENGTH_EXCEEDED, + X509InvalidPurpose = X509_V_ERR_INVALID_PURPOSE, + X509CertUntrusted = X509_V_ERR_CERT_UNTRUSTED, + X509CertRejected = X509_V_ERR_CERT_REJECTED, + X509SubjectIssuerMismatch = X509_V_ERR_SUBJECT_ISSUER_MISMATCH, + X509AkidSkidMismatch = X509_V_ERR_AKID_SKID_MISMATCH, + X509AkidIssuerSerialMismatch = X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH, + X509KeyusageNoCertsign = X509_V_ERR_KEYUSAGE_NO_CERTSIGN, + X509UnableToGetCrlIssuer = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, + X509UnhandledCriticalExtension = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, + X509KeyusageNoCrlSign = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN, + X509UnhandledCriticalCrlExtension = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, + X509InvalidNonCA = X509_V_ERR_INVALID_NON_CA, + X509ProxyPathLengthExceeded = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED, + X509KeyusageNoDigitalSignature = X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE, + X509ProxyCertificatesNotAllowed = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, + X509InvalidExtension = X509_V_ERR_INVALID_EXTENSION, + X509InavlidPolicyExtension = X509_V_ERR_INVALID_POLICY_EXTENSION, + X509NoExplicitPolicy = X509_V_ERR_NO_EXPLICIT_POLICY, + X509DifferentCrlScope = X509_V_ERR_DIFFERENT_CRL_SCOPE, + X509UnsupportedExtensionFeature = X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE, + X509UnnestedResource = X509_V_ERR_UNNESTED_RESOURCE, + X509PermittedVolation = X509_V_ERR_PERMITTED_VIOLATION, + X509ExcludedViolation = X509_V_ERR_EXCLUDED_VIOLATION, + X509SubtreeMinmax = X509_V_ERR_SUBTREE_MINMAX, + X509UnsupportedConstraintType = X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, + X509UnsupportedConstraintSyntax = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX, + X509UnsupportedNameSyntax = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, + X509CrlPathValidationError= X509_V_ERR_CRL_PATH_VALIDATION_ERROR, + X509ApplicationVerification = X509_V_ERR_APPLICATION_VERIFICATION, +) + +struct Ssl { + ssl: *ffi::SSL +} + +impl Drop for Ssl { + fn drop(&mut self) { + unsafe { ffi::SSL_free(self.ssl) } + } +} + +impl Ssl { + fn try_new(ctx: &SslContext) -> Result<Ssl, SslError> { + let ssl = unsafe { ffi::SSL_new(ctx.ctx) }; + if ssl == ptr::null() { + return Err(SslError::get()); + } + let ssl = Ssl { ssl: ssl }; + + let rbio = unsafe { ffi::BIO_new(ffi::BIO_s_mem()) }; + if rbio == ptr::null() { + return Err(SslError::get()); + } + + let wbio = unsafe { ffi::BIO_new(ffi::BIO_s_mem()) }; + if wbio == ptr::null() { + unsafe { ffi::BIO_free_all(rbio) } + return Err(SslError::get()); + } + + unsafe { ffi::SSL_set_bio(ssl.ssl, rbio, wbio) } + Ok(ssl) + } + + fn get_rbio<'a>(&'a self) -> MemBioRef<'a> { + unsafe { self.wrap_bio(ffi::SSL_get_rbio(self.ssl)) } + } + + fn get_wbio<'a>(&'a self) -> MemBioRef<'a> { + unsafe { self.wrap_bio(ffi::SSL_get_wbio(self.ssl)) } + } + + fn wrap_bio<'a>(&'a self, bio: *ffi::BIO) -> MemBioRef<'a> { + assert!(bio != ptr::null()); + MemBioRef { + ssl: self, + bio: MemBio { + bio: bio, + owned: false + } + } + } + + fn connect(&self) -> c_int { + unsafe { ffi::SSL_connect(self.ssl) } + } + + fn read(&self, buf: &mut [u8]) -> c_int { + unsafe { ffi::SSL_read(self.ssl, buf.as_ptr() as *c_void, + buf.len() as c_int) } + } + + fn write(&self, buf: &[u8]) -> c_int { + unsafe { ffi::SSL_write(self.ssl, buf.as_ptr() as *c_void, + buf.len() as c_int) } + } + + fn get_error(&self, ret: c_int) -> LibSslError { + let err = unsafe { ffi::SSL_get_error(self.ssl, ret) }; + match FromPrimitive::from_int(err as int) { + Some(err) => err, + None => unreachable!() + } + } +} + +#[deriving(FromPrimitive)] +enum LibSslError { + ErrorNone = ffi::SSL_ERROR_NONE, + ErrorSsl = ffi::SSL_ERROR_SSL, + ErrorWantRead = ffi::SSL_ERROR_WANT_READ, + ErrorWantWrite = ffi::SSL_ERROR_WANT_WRITE, + ErrorWantX509Lookup = ffi::SSL_ERROR_WANT_X509_LOOKUP, + ErrorSyscall = ffi::SSL_ERROR_SYSCALL, + ErrorZeroReturn = ffi::SSL_ERROR_ZERO_RETURN, + ErrorWantConnect = ffi::SSL_ERROR_WANT_CONNECT, + ErrorWantAccept = ffi::SSL_ERROR_WANT_ACCEPT, +} + +struct MemBioRef<'ssl> { + ssl: &'ssl Ssl, + bio: MemBio, +} + +impl<'ssl> MemBioRef<'ssl> { + fn read(&self, buf: &mut [u8]) -> Option<uint> { + self.bio.read(buf) + } + + fn write(&self, buf: &[u8]) { + self.bio.write(buf) + } +} + +struct MemBio { + bio: *ffi::BIO, + owned: bool +} + +impl Drop for MemBio { + fn drop(&mut self) { + if self.owned { + unsafe { + ffi::BIO_free_all(self.bio); + } + } + } +} + +impl MemBio { + fn read(&self, buf: &mut [u8]) -> Option<uint> { + let ret = unsafe { + ffi::BIO_read(self.bio, buf.as_ptr() as *c_void, + buf.len() as c_int) + }; + + if ret < 0 { + None + } else { + Some(ret as uint) + } + } + + fn write(&self, buf: &[u8]) { + let ret = unsafe { + ffi::BIO_write(self.bio, buf.as_ptr() as *c_void, + buf.len() as c_int) + }; + assert_eq!(buf.len(), ret as uint); + } +} + +/// A stream wrapper which handles SSL encryption for an underlying stream. +pub struct SslStream<S> { + priv stream: S, + priv ssl: Ssl, + priv buf: ~[u8] +} + +impl<S: Stream> SslStream<S> { + /// Attempts to create a new SSL stream + pub fn try_new(ctx: &SslContext, stream: S) -> Result<SslStream<S>, + SslError> { + let ssl = match Ssl::try_new(ctx) { + Ok(ssl) => ssl, + Err(err) => return Err(err) + }; + + let mut ssl = SslStream { + stream: stream, + ssl: ssl, + // Maximum TLS record size is 16k + buf: vec::from_elem(16 * 1024, 0u8) + }; + + match ssl.in_retry_wrapper(|ssl| { ssl.connect() }) { + Ok(_) => Ok(ssl), + Err(err) => Err(err) + } + } + + /// A convenience wrapper around `try_new`. + pub fn new(ctx: &SslContext, stream: S) -> SslStream<S> { + match SslStream::try_new(ctx, stream) { + Ok(stream) => stream, + Err(err) => fail!("Error creating SSL stream: {:?}", err) + } + } + + fn in_retry_wrapper(&mut self, blk: |&Ssl| -> c_int) + -> Result<c_int, SslError> { + loop { + let ret = blk(&self.ssl); + if ret > 0 { + return Ok(ret); + } + + match self.ssl.get_error(ret) { + ErrorWantRead => { + self.flush(); + match self.stream.read(self.buf) { + Some(len) => + self.ssl.get_rbio().write(self.buf.slice_to(len)), + None => return Err(StreamEof) + } + } + ErrorWantWrite => self.flush(), + ErrorZeroReturn => return Err(SslSessionClosed), + ErrorSsl => return Err(SslError::get()), + _ => unreachable!() + } + } + } + + fn write_through(&mut self) { + loop { + match self.ssl.get_wbio().read(self.buf) { + Some(len) => self.stream.write(self.buf.slice_to(len)), + None => break + } + } + } +} + +impl<S: Stream> Reader for SslStream<S> { + fn read(&mut self, buf: &mut [u8]) -> Option<uint> { + match self.in_retry_wrapper(|ssl| { ssl.read(buf) }) { + Ok(len) => Some(len as uint), + Err(StreamEof) | Err(SslSessionClosed) => None, + _ => unreachable!() + } + } + + fn eof(&mut self) -> bool { + self.stream.eof() + } +} + +impl<S: Stream> Writer for SslStream<S> { + fn write(&mut self, buf: &[u8]) { + let mut start = 0; + while start < buf.len() { + let ret = self.in_retry_wrapper(|ssl| { + ssl.write(buf.slice_from(start)) + }); + match ret { + Ok(len) => start += len as uint, + _ => unreachable!() + } + self.write_through(); + } + } + + fn flush(&mut self) { + self.write_through(); + self.stream.flush() + } +} + +impl<S> Decorator<S> for SslStream<S> { + fn inner(self) -> S { + self.stream + } + + fn inner_ref<'a>(&'a self) -> &'a S { + &self.stream + } + + fn inner_mut_ref<'a>(&'a mut self) -> &'a mut S { + &mut self.stream + } +} diff --git a/ssl/test.rs b/ssl/test.rs new file mode 100644 index 00000000..2655fa98 --- /dev/null +++ b/ssl/test.rs @@ -0,0 +1,164 @@ +#[feature(struct_variant, macro_rules)]; + +use std::io::Writer; +use std::io::net::tcp::TcpStream; +use std::str; + +use lib::{Sslv23, SslContext, SslStream, SslVerifyPeer, X509StoreContext}; + +mod lib; + +#[test] +fn test_new_ctx() { + SslContext::new(Sslv23); +} + +#[test] +fn test_new_sslstream() { + let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap(); + SslStream::new(&SslContext::new(Sslv23), stream); +} + +#[test] +fn test_verify_untrusted() { + let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap(); + let mut ctx = SslContext::new(Sslv23); + ctx.set_verify(SslVerifyPeer, None); + match SslStream::try_new(&ctx, stream) { + Ok(_) => fail!("expected failure"), + Err(err) => println!("error {:?}", err) + } +} + +#[test] +fn test_verify_trusted() { + let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap(); + let mut ctx = SslContext::new(Sslv23); + ctx.set_verify(SslVerifyPeer, None); + match ctx.set_CA_file("test/cert.pem") { + None => {} + Some(err) => fail!("Unexpected error {:?}", err) + } + match SslStream::try_new(&ctx, stream) { + Ok(_) => (), + Err(err) => fail!("Expected success, got {:?}", err) + } +} + +#[test] +fn test_verify_untrusted_callback_override_ok() { + fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { + true + } + let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap(); + let mut ctx = SslContext::new(Sslv23); + ctx.set_verify(SslVerifyPeer, Some(callback)); + match SslStream::try_new(&ctx, stream) { + Ok(_) => (), + Err(err) => fail!("Expected success, got {:?}", err) + } +} + +#[test] +fn test_verify_untrusted_callback_override_bad() { + fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { + false + } + let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap(); + let mut ctx = SslContext::new(Sslv23); + ctx.set_verify(SslVerifyPeer, Some(callback)); + assert!(SslStream::try_new(&ctx, stream).is_err()); +} + +#[test] +fn test_verify_trusted_callback_override_ok() { + fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { + true + } + let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap(); + let mut ctx = SslContext::new(Sslv23); + ctx.set_verify(SslVerifyPeer, Some(callback)); + match ctx.set_CA_file("test/cert.pem") { + None => {} + Some(err) => fail!("Unexpected error {:?}", err) + } + match SslStream::try_new(&ctx, stream) { + Ok(_) => (), + Err(err) => fail!("Expected success, got {:?}", err) + } +} + +#[test] +fn test_verify_trusted_callback_override_bad() { + fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { + false + } + let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap(); + let mut ctx = SslContext::new(Sslv23); + ctx.set_verify(SslVerifyPeer, Some(callback)); + match ctx.set_CA_file("test/cert.pem") { + None => {} + Some(err) => fail!("Unexpected error {:?}", err) + } + assert!(SslStream::try_new(&ctx, stream).is_err()); +} + +#[test] +fn test_verify_callback_load_certs() { + fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool { + assert!(x509_ctx.get_current_cert().is_some()); + true + } + let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap(); + let mut ctx = SslContext::new(Sslv23); + ctx.set_verify(SslVerifyPeer, Some(callback)); + assert!(SslStream::try_new(&ctx, stream).is_ok()); +} + +#[test] +fn test_verify_trusted_get_error_ok() { + fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool { + assert!(x509_ctx.get_error().is_none()); + true + } + let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap(); + let mut ctx = SslContext::new(Sslv23); + ctx.set_verify(SslVerifyPeer, Some(callback)); + match ctx.set_CA_file("test/cert.pem") { + None => {} + Some(err) => fail!("Unexpected error {:?}", err) + } + assert!(SslStream::try_new(&ctx, stream).is_ok()); +} + +#[test] +fn test_verify_trusted_get_error_err() { + fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool { + assert!(x509_ctx.get_error().is_some()); + false + } + let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap(); + let mut ctx = SslContext::new(Sslv23); + ctx.set_verify(SslVerifyPeer, Some(callback)); + assert!(SslStream::try_new(&ctx, stream).is_err()); +} + +#[test] +fn test_write() { + let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap(); + let mut stream = SslStream::new(&SslContext::new(Sslv23), stream); + stream.write("hello".as_bytes()); + stream.flush(); + stream.write(" there".as_bytes()); + stream.flush(); +} + +#[test] +fn test_read() { + let stream = TcpStream::connect(FromStr::from_str("127.0.0.1:15418").unwrap()).unwrap(); + let mut stream = SslStream::new(&SslContext::new(Sslv23), stream); + stream.write("GET /\r\n\r\n".as_bytes()); + stream.flush(); + let buf = stream.read_to_end(); + print!("{}", str::from_utf8(buf)); +} diff --git a/ssl/test/cert.pem b/ssl/test/cert.pem new file mode 100644 index 00000000..a520dd24 --- /dev/null +++ b/ssl/test/cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIJAJUaA2QC829wMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQwHhcNMTMxMDIyMDUzODU5WhcNMTQxMDIyMDUzODU5WjBF +MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 +ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA2E9uYoLpX4eMGz6+l+1ZdD11Y1PQjNjqSA7/nq0Q6gogPLds99a+Ca7B +2w6mWGMpCQbJTf0tOkdF6Td/gwIBNYtHuCIAiPh2Gbm6oZErVIXWwWuTWC2r7myB +0ePga5ZAE9SqsFqMEuhWikEK1+ae1CCfmbogsQSXyl4+EVN7xAwdi6yUtRL/92nn +ImKdwDBhuqzdBpBODQW/VCn0KG54CvWdwT0iqg7CvLuXQGyxM8K17SAiBtn6N38S +0jeL4D9IrBfi9PCYGpAn3jKr4oBEJVRCNvvni3Q9ikJ+GEF5nvLLVM+I98/o0vCu +Y2o7+1LiwViGONJ1BfRgdFWMjz0BfQIDAQABo1AwTjAdBgNVHQ4EFgQU509vewJT +k6qdvjT8e52gTE4+V9EwHwYDVR0jBBgwFoAU509vewJTk6qdvjT8e52gTE4+V9Ew +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAb0Sz/ixFc+pShXur1peh +J0n7sPxX29WyTN8IZ+Sl/Ks0vG6bmtO1kAudVigStdQKeBPco+c2/+BF1sL79pXf +Ao1hOWCkXVu6E/Nxl5rZlGNjkxwurKLNV5mZ6nXYkseYZH9A2ighGYQHj4YqspN2 +2+/K1DLNBZCsZF6XozhUiDysUGN/xVh6TE0gsPvL1A27Xe4mQ8vd8Mz7av4dek// +V9F+cXnVBTAqLPpEbAX+0+k1QZtOVnDGovshlRFZ8d17f0pJZ66n9k6TPriQNWV/ +RXjIOBLbXtPFL5w6MetkEBE+DsRckLT/50cf+f/y8CHv9v9iobu4LpTjx/8l0GuQ +hg== +-----END CERTIFICATE----- diff --git a/ssl/test/key.pem b/ssl/test/key.pem new file mode 100644 index 00000000..a3f80dd9 --- /dev/null +++ b/ssl/test/key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDYT25igulfh4wb +Pr6X7Vl0PXVjU9CM2OpIDv+erRDqCiA8t2z31r4JrsHbDqZYYykJBslN/S06R0Xp +N3+DAgE1i0e4IgCI+HYZubqhkStUhdbBa5NYLavubIHR4+BrlkAT1KqwWowS6FaK +QQrX5p7UIJ+ZuiCxBJfKXj4RU3vEDB2LrJS1Ev/3aeciYp3AMGG6rN0GkE4NBb9U +KfQobngK9Z3BPSKqDsK8u5dAbLEzwrXtICIG2fo3fxLSN4vgP0isF+L08JgakCfe +MqvigEQlVEI2++eLdD2KQn4YQXme8stUz4j3z+jS8K5jajv7UuLBWIY40nUF9GB0 +VYyPPQF9AgMBAAECggEBAJiYiH20bqA2xk8eF2SkSxvmk15r7U6/Y59L/WZaHvmM +BSvwFk5MzqmUACviDNWDtpookHCVL4fSae5ZeXnZOzMju4eZbRkzdlU1ogSCnbe1 +50dx9XMaXRUItRh1koczaqbSu0tHxVM9VneX5OdkSR3Kmezf0lourEpV66FbbI9i +1F1Q7u6TzldTuPSkQQgV/FHU9DvRPJ6HgSOyVr6Z9Ec0K6odmUXe3wX7+3PbKPtr +JIVQ0wGcc/sImgAr0uS+YbHNWM4qjFAAPteQ/+Df6usSFOkRoD3+XeZrJQQ98C3q +HHW4afaJM0YCsDwn7/E3KiY5fmXwtAHNRuUbsfReP8ECgYEA9JQICyP1N5bZ4uCc +jjTiHLcQX2dHy4dKatqWkV4F52qf4HCZ/pcvPBKNMzM4uTfkCgR+TMzW+A+escvR +8KmaSKmQHT+nUQfMoU2lpZbWSPTF8lLGx+Mf8JAMur0xcmazDB8uDFnvQg+TQY7y +cF6MMWKW3pp+3qI7wRkclXSLZG0CgYEA4mlzuzuB8e7UJ821N+zD8BBYY4EvpUIj +iparwKbM8vAZ1WZssRd+8oHroHJGbjXX4h7gvpUsVadSgs77W9T0zJ+5kJCpVAnO +nKdJkX1Zo1TaIIrRaJhiaPU4hKlnGnko3uv7SlV9PPUtcyBnXElobREmQv6eCmEf +Z7YP4+JoR1ECgYEA3RyrfO7gNYZyq3Mm9kWHGjDCY43q0W0ZcSr3LqrTKZkyuuTx +w8IImQWok9497O1Dg272hBY4ToFIljLPNQUQD5sER/0RFee4LygUlnSce86W2nHN +dk62xHRmnbiHaIbCXjYeGlqAPLf6CC3kroQ7uDYKcWs5Qatn3DYIqnF3x60CgYA/ +plWatUf6s6GA7xua9TzAKFgw4Qh79PP46hKuvjWvtkAM9hZoUqqlklCjcnzKTui5 +8ORNr7IfAkL38yhG0L9hJyYLth9kOL2U3JKaDBs/B4Oq0lu8g9pml0mkQdtyXc1X +ng+u/gmPMX3td5aXIyvwPXn8K4hScqtZhJ1C+0tFgQKBgQDtlBXw3mY3AMwT+wtx +ZiitDk7tAXj7wioCOziTFKkL01UMt4VIkNvQU7RUTcig6PBc0PxU6TZQpncOk/cP +eqQQP0TJGNzIK71EwAL5aFm9o9VoXsrwjVDZnzMr703MyU15QXO76kmxmh+rK5Qy +uldCJliojIW1UW30MXSXK96YXQ== +-----END PRIVATE KEY----- |