Merge pull request #469 from sfackler/hostname

Support hostname verification
author: Steven Fackler <[email protected]> 2016-10-14 19:07:33 -0700
committer: GitHub <[email protected]> 2016-10-14 19:07:33 -0700
commit: ed076de2ca00e678a9586c8021b86a2bbe1bff0f (patch)
tree: 7aa7dd167c34fe0c3356e3231c358c4facdf392a
parent: Merge pull request #468 from sfackler/no-link-name (diff)
parent: Enable hostname verification on 1.0.2 (diff)
download: rust-openssl-ed076de2ca00e678a9586c8021b86a2bbe1bff0f.tar.xz
rust-openssl-ed076de2ca00e678a9586c8021b86a2bbe1bff0f.zip
7 files changed, 165 insertions, 19 deletions
diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs
index de201332..300ed056 100644
--- a/openssl-sys/src/lib.rs
+++ b/openssl-sys/src/lib.rs
@@ -252,6 +252,17 @@ pub const X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: c_int = 45;
 pub const X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: c_int = 53;
 pub const X509_V_OK: c_int = 0;
 
+#[cfg(not(ossl101))]
+pub const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT: c_uint = 0x1;
+#[cfg(not(ossl101))]
+pub const X509_CHECK_FLAG_NO_WILDCARDS: c_uint = 0x2;
+#[cfg(not(ossl101))]
+pub const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS: c_uint = 0x4;
+#[cfg(not(ossl101))]
+pub const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS: c_uint = 0x8;
+#[cfg(not(ossl101))]
+pub const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS: c_uint = 0x10;
+
 pub const GEN_OTHERNAME: c_int = 0;
 pub const GEN_EMAIL: c_int = 1;
 pub const GEN_DNS: c_int = 2;
@@ -587,13 +598,13 @@ extern {
                           verify_callback: Option<extern fn(c_int, *mut X509_STORE_CTX) -> c_int>);
     pub fn SSL_set_ex_data(ssl: *mut SSL, idx: c_int, data: *mut c_void) -> c_int;
     pub fn SSL_get_ex_data(ssl: *const SSL, idx: c_int) -> *mut c_void;
-
     pub fn SSL_get_servername(ssl: *const SSL, name_type: c_int) -> *const c_char;
+    pub fn SSL_get_current_cipher(ssl: *const SSL) -> *const SSL_CIPHER;
+    #[cfg(not(ossl101))]
+    pub fn SSL_get0_param(ssl: *mut ::SSL) -> *mut X509_VERIFY_PARAM;
 
     pub fn SSL_COMP_get_name(comp: *const COMP_METHOD) -> *const c_char;
 
-    pub fn SSL_get_current_cipher(ssl: *const SSL) -> *const SSL_CIPHER;
-
     pub fn SSL_CIPHER_get_name(cipher: *const SSL_CIPHER) -> *const c_char;
     pub fn SSL_CIPHER_get_bits(cipher: *const SSL_CIPHER, alg_bits: *mut c_int) -> c_int;
     pub fn SSL_CIPHER_description(cipher: *const SSL_CIPHER, buf: *mut c_char, size: c_int) -> *mut c_char;
@@ -693,6 +704,13 @@ extern {
     pub fn X509_REQ_add_extensions(req: *mut X509_REQ, exts: *mut stack_st_X509_EXTENSION) -> c_int;
     pub fn X509_REQ_sign(x: *mut X509_REQ, pkey: *mut EVP_PKEY, md: *const EVP_MD) -> c_int;
 
+    #[cfg(not(ossl101))]
+    pub fn X509_VERIFY_PARAM_set_hostflags(param: *mut X509_VERIFY_PARAM, flags: c_uint);
+    #[cfg(not(ossl101))]
+    pub fn X509_VERIFY_PARAM_set1_host(param: *mut X509_VERIFY_PARAM,
+                                       name: *const c_char,
+                                       namelen: size_t) -> c_int;
+
     pub fn d2i_X509(a: *mut *mut X509, pp: *mut *const c_uchar, length: c_long) -> *mut X509;
     pub fn i2d_X509_bio(b: *mut BIO, x: *mut X509) -> c_int;
     pub fn i2d_X509_REQ_bio(b: *mut BIO, x: *mut X509_REQ) -> c_int;
diff --git a/openssl-sys/src/ossl10x.rs b/openssl-sys/src/ossl10x.rs
index 70514cc8..86451a0c 100644
--- a/openssl-sys/src/ossl10x.rs
+++ b/openssl-sys/src/ossl10x.rs
@@ -2,7 +2,12 @@ use std::sync::{Mutex, MutexGuard};
 use std::sync::{Once, ONCE_INIT};
 use std::mem;
 
-use libc::{c_int, c_char, c_void, c_long, c_uchar, size_t, c_uint, c_ulong};
+use libc::{c_int, c_char, c_void, c_long, c_uchar, size_t, c_uint, c_ulong, time_t};
+
+#[repr(C)]
+pub struct stack_st_ASN1_OBJECT {
+    pub stack: _STACK,
+}
 
 #[repr(C)]
 pub struct stack_st_X509 {
@@ -425,6 +430,23 @@ pub struct SRP_CTX {
     srp_Mask: c_ulong,
 }
 
+#[repr(C)]
+#[cfg(not(ossl101))]
+pub struct X509_VERIFY_PARAM {
+    pub name: *mut c_char,
+    pub check_time: time_t,
+    pub inh_flags: c_ulong,
+    pub flags: c_ulong,
+    pub purpose: c_int,
+    pub trust: c_int,
+    pub depth: c_int,
+    pub policies: *mut stack_st_ASN1_OBJECT,
+    pub id: *mut X509_VERIFY_PARAM_ID,
+}
+
+#[cfg(not(ossl101))]
+pub enum X509_VERIFY_PARAM_ID {}
+
 pub const SSL_CTRL_OPTIONS: c_int = 32;
 pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77;
 #[cfg(ossl102)]
diff --git a/openssl-sys/src/ossl110.rs b/openssl-sys/src/ossl110.rs
index 5fee4045..1a7c9e00 100644
--- a/openssl-sys/src/ossl110.rs
+++ b/openssl-sys/src/ossl110.rs
@@ -1,25 +1,28 @@
-use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long};
+use libc::{c_int, c_void, c_char, c_uchar, c_ulong, c_long, c_uint};
 
-pub enum stack_st_X509 {}
-pub enum stack_st_X509_ATTRIBUTE {}
-pub enum stack_st_X509_EXTENSION {}
-pub enum stack_st_GENERAL_NAME {}
-pub enum stack_st_void {}
-pub enum _STACK {}
-pub enum BIO_METHOD {}
-pub enum RSA {}
-pub enum DSA {}
-pub enum EVP_PKEY {}
+pub enum BIGNUM {}
 pub enum BIO {}
+pub enum BIO_METHOD {}
 pub enum CRYPTO_EX_DATA {}
-pub enum EVP_MD_CTX {}
+pub enum DH {}
+pub enum DSA {}
 pub enum EVP_CIPHER {}
+pub enum EVP_MD_CTX {}
+pub enum EVP_PKEY {}
 pub enum HMAC_CTX {}
-pub enum BIGNUM {}
 pub enum OPENSSL_STACK {}
-pub enum DH {}
-pub enum X509 {}
+pub enum RSA {}
 pub enum SSL_CTX {}
+pub enum _STACK {}
+pub enum stack_st_ASN1_OBJECT {}
+pub enum stack_st_GENERAL_NAME {}
+pub enum stack_st_OPENSSL_STRING {}
+pub enum stack_st_void {}
+pub enum stack_st_X509 {}
+pub enum stack_st_X509_ATTRIBUTE {}
+pub enum stack_st_X509_EXTENSION {}
+pub enum X509 {}
+pub enum X509_VERIFY_PARAM {}
 
 pub const SSL_OP_MICROSOFT_SESS_ID_BUG: c_ulong =                   0x00000000;
 pub const SSL_OP_NETSCAPE_CHALLENGE_BUG: c_ulong =                  0x00000000;
@@ -41,6 +44,8 @@ pub const OPENSSL_DIR: c_int = 4;
 pub const CRYPTO_EX_INDEX_SSL: c_int = 0;
 pub const CRYPTO_EX_INDEX_SSL_CTX: c_int = 1;
 
+pub const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT: c_uint = 0x20;
+
 pub fn init() {}
 
 extern {
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index 0bd3272b..b042d81e 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -22,6 +22,8 @@ use ffi;
 use init;
 use dh::DH;
 use x509::{X509StoreContext, X509FileType, X509, X509Ref};
+#[cfg(feature = "openssl-102")]
+use x509::verify::X509VerifyParamRef;
 use crypto::pkey::PKey;
 use error::ErrorStack;
 
@@ -988,6 +990,16 @@ impl<'a> SslRef<'a> {
             SslContextRef::from_ptr(ssl_ctx)
         }
     }
+
+    /// Returns the X509 verification configuration.
+    ///
+    /// Requires the `openssl-102` feature.
+    #[cfg(feature = "openssl-102")]
+    pub fn param(&mut self) -> X509VerifyParamRef<'a> {
+        unsafe {
+            X509VerifyParamRef::from_ptr(ffi::SSL_get0_param(self.as_ptr()))
+        }
+    }
 }
 
 pub struct Ssl(SslRef<'static>);
diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs
index f86895e5..b3500105 100644
--- a/openssl/src/ssl/tests/mod.rs
+++ b/openssl/src/ssl/tests/mod.rs
@@ -21,9 +21,13 @@ use ssl::SslMethod::Tls;
 use ssl::{SslMethod, HandshakeError};
 use ssl::error::Error;
 use ssl::{SslContext, SslStream};
+#[cfg(feature = "openssl-102")]
+use ssl::IntoSsl;
 use x509::X509StoreContext;
 use x509::X509FileType;
 use x509::X509;
+#[cfg(feature = "openssl-102")]
+use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
 use crypto::pkey::PKey;
 
 use std::net::UdpSocket;
@@ -1042,3 +1046,43 @@ fn add_extra_chain_cert() {
     let mut ctx = SslContext::new(SslMethod::Tls).unwrap();
     ctx.add_extra_chain_cert(&cert).unwrap();
 }
+
+#[test]
+#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :(
+#[cfg(feature = "openssl-102")]
+fn valid_hostname() {
+    let mut ctx = SslContext::new(SslMethod::Tls).unwrap();
+    ctx.set_default_verify_paths().unwrap();
+    ctx.set_verify(SSL_VERIFY_PEER);
+
+    let mut ssl = ctx.into_ssl().unwrap();
+    ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+    ssl.param().set_host("google.com").unwrap();
+
+    let s = TcpStream::connect("google.com:443").unwrap();
+    let mut socket = SslStream::connect(ssl, s).unwrap();
+
+    socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
+    let mut result = vec![];
+    socket.read_to_end(&mut result).unwrap();
+
+    println!("{}", String::from_utf8_lossy(&result));
+    assert!(result.starts_with(b"HTTP/1.0"));
+    assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>"));
+}
+
+#[test]
+#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :(
+#[cfg(feature = "openssl-102")]
+fn invalid_hostname() {
+    let mut ctx = SslContext::new(SslMethod::Tls).unwrap();
+    ctx.set_default_verify_paths().unwrap();
+    ctx.set_verify(SSL_VERIFY_PEER);
+
+    let mut ssl = ctx.into_ssl().unwrap();
+    ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+    ssl.param().set_host("foobar.com").unwrap();
+
+    let s = TcpStream::connect("google.com:443").unwrap();
+    assert!(SslStream::connect(ssl, s).is_err());
+}
diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index 086342dd..9fed94e2 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -38,6 +38,9 @@ use ffi::{
 
 pub mod extension;
 
+#[cfg(feature = "openssl-102")]
+pub mod verify;
+
 use self::extension::{ExtensionType, Extension};
 
 #[cfg(test)]
diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs
new file mode 100644
index 00000000..0fc1df3a
--- /dev/null
+++ b/openssl/src/x509/verify.rs
@@ -0,0 +1,42 @@
+use std::marker::PhantomData;
+use libc::c_uint;
+use ffi;
+
+use error::ErrorStack;
+
+bitflags! {
+    pub flags X509CheckFlags: c_uint {
+        const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT,
+        const X509_CHECK_FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS,
+        const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
+        const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS,
+        const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+            = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
+        #[cfg(feature = "openssl-110")]
+        const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT,
+    }
+}
+
+pub struct X509VerifyParamRef<'a>(*mut ffi::X509_VERIFY_PARAM, PhantomData<&'a mut ()>);
+
+impl<'a> X509VerifyParamRef<'a> {
+    pub unsafe fn from_ptr(ptr: *mut ffi::X509_VERIFY_PARAM) -> X509VerifyParamRef<'a> {
+        X509VerifyParamRef(ptr, PhantomData)
+    }
+
+    pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) {
+        unsafe {
+            ffi::X509_VERIFY_PARAM_set_hostflags(self.0, hostflags.bits);
+        }
+    }
+
+    pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> {
+        unsafe {
+            try_ssl!(ffi::X509_VERIFY_PARAM_set1_host(self.0,
+                                                      host.as_ptr() as *const _,
+                                                      host.len()))
+        }
+
+        Ok(())
+    }
+}
author	Steven Fackler <[email protected]>	2016-10-14 19:07:33 -0700
committer	GitHub <[email protected]>	2016-10-14 19:07:33 -0700
commit	ed076de2ca00e678a9586c8021b86a2bbe1bff0f (patch)
tree	7aa7dd167c34fe0c3356e3231c358c4facdf392a
parent	Merge pull request #468 from sfackler/no-link-name (diff)
parent	Enable hostname verification on 1.0.2 (diff)
download	rust-openssl-ed076de2ca00e678a9586c8021b86a2bbe1bff0f.tar.xz rust-openssl-ed076de2ca00e678a9586c8021b86a2bbe1bff0f.zip