diff options
| author | Steven Fackler <[email protected]> | 2017-12-25 20:24:24 -0800 |
|---|---|---|
| committer | GitHub <[email protected]> | 2017-12-25 20:24:24 -0800 |
| commit | 90d8a799fe331d4ec4a9c12e86d1d8f4e32c6f6e (patch) | |
| tree | 2f7496f93e3cb67b09b5cc58d085f3fc5accde3b /openssl/src/ssl | |
| parent | Merge pull request #795 from sfackler/host-overhaul (diff) | |
| parent | Tweak default ssl options (diff) | |
| download | rust-openssl-90d8a799fe331d4ec4a9c12e86d1d8f4e32c6f6e.tar.xz rust-openssl-90d8a799fe331d4ec4a9c12e86d1d8f4e32c6f6e.zip | |
Merge pull request #796 from sfackler/assoc-consts
Associated consts
Diffstat (limited to 'openssl/src/ssl')
| -rw-r--r-- | openssl/src/ssl/connector.rs | 54 | ||||
| -rw-r--r-- | openssl/src/ssl/mod.rs | 115 | ||||
| -rw-r--r-- | openssl/src/ssl/tests/mod.rs | 138 |
3 files changed, 141 insertions, 166 deletions
diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index cd02dc18..dc65ad5e 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -3,8 +3,8 @@ use std::ops::{Deref, DerefMut}; use dh::Dh; use error::ErrorStack; -use ssl::{self, HandshakeError, Ssl, SslRef, SslContext, SslContextBuilder, SslMethod, SslStream, - SSL_VERIFY_PEER}; +use ssl::{HandshakeError, Ssl, SslContext, SslContextBuilder, SslMethod, SslMode, SslOptions, + SslRef, SslStream, SslVerifyMode}; use pkey::PKeyRef; use version; use x509::X509Ref; @@ -29,26 +29,21 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> { let mut ctx = SslContextBuilder::new(method)?; - let mut opts = ssl::SSL_OP_ALL; - opts &= !ssl::SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; - opts &= !ssl::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; - opts |= ssl::SSL_OP_NO_TICKET; - opts |= ssl::SSL_OP_NO_COMPRESSION; - opts |= ssl::SSL_OP_NO_SSLV2; - opts |= ssl::SSL_OP_NO_SSLV3; - opts |= ssl::SSL_OP_SINGLE_DH_USE; - opts |= ssl::SSL_OP_SINGLE_ECDH_USE; - opts |= ssl::SSL_OP_CIPHER_SERVER_PREFERENCE; + let mut opts = SslOptions::ALL | SslOptions::NO_COMPRESSION | SslOptions::NO_SSLV2 + | SslOptions::NO_SSLV3 | SslOptions::SINGLE_DH_USE + | SslOptions::SINGLE_ECDH_USE | SslOptions::CIPHER_SERVER_PREFERENCE; + opts &= !SslOptions::DONT_INSERT_EMPTY_FRAGMENTS; + ctx.set_options(opts); - let mut mode = ssl::SSL_MODE_AUTO_RETRY | ssl::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER - | ssl::SSL_MODE_ENABLE_PARTIAL_WRITE; + let mut mode = + SslMode::AUTO_RETRY | SslMode::ACCEPT_MOVING_WRITE_BUFFER | SslMode::ENABLE_PARTIAL_WRITE; // This is quite a useful optimization for saving memory, but historically // caused CVEs in OpenSSL pre-1.0.1h, according to // https://bugs.python.org/issue25672 if version::number() >= 0x1000108f { - mode |= ssl::SSL_MODE_RELEASE_BUFFERS; + mode |= SslMode::RELEASE_BUFFERS; } ctx.set_mode(mode); @@ -152,7 +147,11 @@ impl SslConnector { /// Returns a structure allowing for configuration of a single TLS session before connection. pub fn configure(&self) -> Result<ConnectConfiguration, ErrorStack> { - Ssl::new(&self.0).map(|ssl| ConnectConfiguration { ssl, sni: true, verify_hostname: true }) + Ssl::new(&self.0).map(|ssl| ConnectConfiguration { + ssl, + sni: true, + verify_hostname: true, + }) } } @@ -228,7 +227,9 @@ impl ConnectConfiguration { where S: Read + Write, { - self.use_server_name_indication(false).verify_hostname(false).connect("", stream) + self.use_server_name_indication(false) + .verify_hostname(false) + .connect("", stream) } } @@ -379,9 +380,9 @@ impl DerefMut for SslAcceptorBuilder { #[cfg(ossl101)] fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { use ec::EcKey; - use nid; + use nid::Nid; - let curve = EcKey::from_curve_name(nid::X9_62_PRIME256V1)?; + let curve = EcKey::from_curve_name(Nid::X9_62_PRIME256V1)?; ctx.set_tmp_ecdh(&curve) } @@ -415,12 +416,12 @@ impl SslAcceptor { #[cfg(any(ossl102, ossl110))] fn setup_verify(ctx: &mut SslContextBuilder) { - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); } #[cfg(ossl101)] fn setup_verify(ctx: &mut SslContextBuilder) { - ctx.set_verify_callback(SSL_VERIFY_PEER, |p, x509| { + ctx.set_verify_callback(SslVerifyMode::PEER, |p, x509| { let hostname = match x509.ssl() { Ok(Some(ssl)) => ssl.ex_data(*HOSTNAME_IDX), _ => None, @@ -435,7 +436,7 @@ fn setup_verify(ctx: &mut SslContextBuilder) { #[cfg(any(ossl102, ossl110))] fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { let param = ssl._param_mut(); - param.set_hostflags(::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + param.set_hostflags(::verify::X509CheckFlags::NO_PARTIAL_WILDCARDS); match domain.parse() { Ok(ip) => param.set_ip(ip), Err(_) => param.set_host(domain), @@ -454,7 +455,7 @@ mod verify { use std::net::IpAddr; use std::str; - use nid; + use nid::Nid; use x509::{GeneralName, X509NameRef, X509Ref, X509StoreContextRef}; use stack::Stack; @@ -506,7 +507,7 @@ mod verify { } fn verify_subject_name(domain: &str, subject_name: &X509NameRef) -> bool { - match subject_name.entries_by_nid(nid::COMMONNAME).next() { + match subject_name.entries_by_nid(Nid::COMMONNAME).next() { Some(pattern) => { let pattern = match str::from_utf8(pattern.data().as_slice()) { Ok(pattern) => pattern, @@ -516,7 +517,10 @@ mod verify { // Unlike SANs, IP addresses in the subject name don't have a // different encoding. match domain.parse::<IpAddr>() { - Ok(ip) => pattern.parse::<IpAddr>().ok().map_or(false, |pattern| pattern == ip), + Ok(ip) => pattern + .parse::<IpAddr>() + .ok() + .map_or(false, |pattern| pattern == ip), Err(_) => matches_dns(pattern, domain), } } diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index e7286163..371b66c0 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -97,7 +97,7 @@ use dh::{Dh, DhRef}; use ec::EcKeyRef; #[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))] use ec::EcKey; -use x509::{X509, X509FileType, X509Name, X509Ref, X509StoreContextRef, X509VerifyError}; +use x509::{X509, X509Filetype, X509Name, X509Ref, X509StoreContextRef, X509VerifyError}; use x509::store::{X509StoreBuilderRef, X509StoreRef}; #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] use x509::store::X509Store; @@ -121,106 +121,85 @@ mod bio; #[cfg(test)] mod tests; -// FIXME drop SSL_ prefix -// FIXME remvove flags not used in OpenSSL 1.1 bitflags! { /// Options controlling the behavior of an `SslContext`. - pub struct SslOption: c_ulong { - // FIXME remove - const SSL_OP_MICROSOFT_SESS_ID_BUG = ffi::SSL_OP_MICROSOFT_SESS_ID_BUG; - // FIXME remove - const SSL_OP_NETSCAPE_CHALLENGE_BUG = ffi::SSL_OP_NETSCAPE_CHALLENGE_BUG; - // FIXME remove - const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = - ffi::SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; - // FIXME remove - const SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = ffi::SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER; - // FIXME remove - const SSL_OP_SSLEAY_080_CLIENT_DH_BUG = ffi::SSL_OP_SSLEAY_080_CLIENT_DH_BUG; - // FIXME remove - const SSL_OP_TLS_D5_BUG = ffi::SSL_OP_TLS_D5_BUG; - // FIXME remove - const SSL_OP_TLS_BLOCK_PADDING_BUG = ffi::SSL_OP_TLS_BLOCK_PADDING_BUG; - - // FIXME remove? not documented anywhere - const SSL_OP_CISCO_ANYCONNECT = ffi::SSL_OP_CISCO_ANYCONNECT; - + pub struct SslOptions: c_ulong { /// Disables a countermeasure against an SSLv3/TLSv1.0 vulnerability affecting CBC ciphers. - const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = ffi::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + const DONT_INSERT_EMPTY_FRAGMENTS = ffi::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; /// A "reasonable default" set of options which enables compatibility flags. - const SSL_OP_ALL = ffi::SSL_OP_ALL; + const ALL = ffi::SSL_OP_ALL; /// Do not query the MTU. /// /// Only affects DTLS connections. - const SSL_OP_NO_QUERY_MTU = ffi::SSL_OP_NO_QUERY_MTU; + const NO_QUERY_MTU = ffi::SSL_OP_NO_QUERY_MTU; /// Enables Cookie Exchange as described in [RFC 4347 Section 4.2.1]. /// /// Only affects DTLS connections. /// /// [RFC 4347 Section 4.2.1]: https://tools.ietf.org/html/rfc4347#section-4.2.1 - const SSL_OP_COOKIE_EXCHANGE = ffi::SSL_OP_COOKIE_EXCHANGE; + const COOKIE_EXCHANGE = ffi::SSL_OP_COOKIE_EXCHANGE; /// Disables the use of session tickets for session resumption. - const SSL_OP_NO_TICKET = ffi::SSL_OP_NO_TICKET; + const NO_TICKET = ffi::SSL_OP_NO_TICKET; /// Always start a new session when performing a renegotiation on the server side. - const SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = + const NO_SESSION_RESUMPTION_ON_RENEGOTIATION = ffi::SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION; /// Disables the use of TLS compression. - const SSL_OP_NO_COMPRESSION = ffi::SSL_OP_NO_COMPRESSION; + const NO_COMPRESSION = ffi::SSL_OP_NO_COMPRESSION; /// Allow legacy insecure renegotiation with servers or clients that do not support secure /// renegotiation. - const SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = + const ALLOW_UNSAFE_LEGACY_RENEGOTIATION = ffi::SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; /// Creates a new key for each session when using ECDHE. /// /// This is always enabled in OpenSSL 1.1.0. - const SSL_OP_SINGLE_ECDH_USE = ffi::SSL_OP_SINGLE_ECDH_USE; + const SINGLE_ECDH_USE = ffi::SSL_OP_SINGLE_ECDH_USE; /// Creates a new key for each session when using DHE. /// /// This is always enabled in OpenSSL 1.1.0. - const SSL_OP_SINGLE_DH_USE = ffi::SSL_OP_SINGLE_DH_USE; + const SINGLE_DH_USE = ffi::SSL_OP_SINGLE_DH_USE; /// Use the server's preferences rather than the client's when selecting a cipher. /// /// This has no effect on the client side. - const SSL_OP_CIPHER_SERVER_PREFERENCE = ffi::SSL_OP_CIPHER_SERVER_PREFERENCE; + const CIPHER_SERVER_PREFERENCE = ffi::SSL_OP_CIPHER_SERVER_PREFERENCE; /// Disables version rollback attach detection. - const SSL_OP_TLS_ROLLBACK_BUG = ffi::SSL_OP_TLS_ROLLBACK_BUG; + const TLS_ROLLBACK_BUG = ffi::SSL_OP_TLS_ROLLBACK_BUG; /// Disables the use of SSLv2. - const SSL_OP_NO_SSLV2 = ffi::SSL_OP_NO_SSLv2; + const NO_SSLV2 = ffi::SSL_OP_NO_SSLv2; /// Disables the use of SSLv3. - const SSL_OP_NO_SSLV3 = ffi::SSL_OP_NO_SSLv3; + const NO_SSLV3 = ffi::SSL_OP_NO_SSLv3; /// Disables the use of TLSv1.0. - const SSL_OP_NO_TLSV1 = ffi::SSL_OP_NO_TLSv1; + const NO_TLSV1 = ffi::SSL_OP_NO_TLSv1; /// Disables the use of TLSv1.1. - const SSL_OP_NO_TLSV1_1 = ffi::SSL_OP_NO_TLSv1_1; + const NO_TLSV1_1 = ffi::SSL_OP_NO_TLSv1_1; /// Disables the use of TLSv1.2. - const SSL_OP_NO_TLSV1_2 = ffi::SSL_OP_NO_TLSv1_2; + const NO_TLSV1_2 = ffi::SSL_OP_NO_TLSv1_2; /// Disables the use of DTLSv1.0 /// /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] - const SSL_OP_NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1; + const NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1; /// Disables the use of DTLSv1.2. /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] - const SSL_OP_NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2; + const NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2; /// Disables the use of all (D)TLS protocol versions. /// @@ -233,12 +212,12 @@ bitflags! { /// Only support TLSv1.2: /// /// ```rust - /// use openssl::ssl::{SSL_OP_NO_SSL_MASK, SSL_OP_NO_TLSV1_2}; + /// use openssl::ssl::SslOptions; /// - /// let options = SSL_OP_NO_SSL_MASK & !SSL_OP_NO_TLSV1_2; + /// let options = SslOptions::NO_SSL_MASK & !SslOptions::NO_TLSV1_2; /// ``` #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] - const SSL_OP_NO_SSL_MASK = ffi::SSL_OP_NO_SSL_MASK; + const NO_SSL_MASK = ffi::SSL_OP_NO_SSL_MASK; } } @@ -250,11 +229,11 @@ bitflags! { /// Normally, a write in OpenSSL will always write out all of the requested data, even if it /// requires more than one TLS record or write to the underlying stream. This option will /// cause a write to return after writing a single TLS record instead. - const SSL_MODE_ENABLE_PARTIAL_WRITE = ffi::SSL_MODE_ENABLE_PARTIAL_WRITE; + const ENABLE_PARTIAL_WRITE = ffi::SSL_MODE_ENABLE_PARTIAL_WRITE; /// Disables a check that the data buffer has not moved between calls when operating in a /// nonblocking context. - const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER = ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; + const ACCEPT_MOVING_WRITE_BUFFER = ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; /// Enables automatic retries after TLS session events such as renegotiations or heartbeats. /// @@ -265,25 +244,19 @@ bitflags! { /// Note that `SslStream::read` and `SslStream::write` will automatically retry regardless /// of the state of this option. It only affects `SslStream::ssl_read` and /// `SslStream::ssl_write`. - const SSL_MODE_AUTO_RETRY = ffi::SSL_MODE_AUTO_RETRY; + const AUTO_RETRY = ffi::SSL_MODE_AUTO_RETRY; /// Disables automatic chain building when verifying a peer's certificate. /// /// TLS peers are responsible for sending the entire certificate chain from the leaf to a /// trusted root, but some will incorrectly not do so. OpenSSL will try to build the chain /// out of certificates it knows of, and this option will disable that behavior. - const SSL_MODE_NO_AUTO_CHAIN = ffi::SSL_MODE_NO_AUTO_CHAIN; + const NO_AUTO_CHAIN = ffi::SSL_MODE_NO_AUTO_CHAIN; /// Release memory buffers when the session does not need them. /// /// This saves ~34 KiB of memory for idle streams. - const SSL_MODE_RELEASE_BUFFERS = ffi::SSL_MODE_RELEASE_BUFFERS; - - // FIXME remove - #[cfg(not(libressl))] - const SSL_MODE_SEND_CLIENTHELLO_TIME = ffi::SSL_MODE_SEND_CLIENTHELLO_TIME; - #[cfg(not(libressl))] - const SSL_MODE_SEND_SERVERHELLO_TIME = ffi::SSL_MODE_SEND_SERVERHELLO_TIME; + const RELEASE_BUFFERS = ffi::SSL_MODE_RELEASE_BUFFERS; /// Sends the fake `TLS_FALLBACK_SCSV` cipher suite in the ClientHello message of a /// handshake. @@ -293,7 +266,7 @@ bitflags! { /// /// Do not use this unless you know what you're doing! #[cfg(not(libressl))] - const SSL_MODE_SEND_FALLBACK_SCSV = ffi::SSL_MODE_SEND_FALLBACK_SCSV; + const SEND_FALLBACK_SCSV = ffi::SSL_MODE_SEND_FALLBACK_SCSV; } } @@ -335,19 +308,19 @@ bitflags! { /// Verifies that the peer's certificate is trusted. /// /// On the server side, this will cause OpenSSL to request a certificate from the client. - const SSL_VERIFY_PEER = ::ffi::SSL_VERIFY_PEER; + const PEER = ::ffi::SSL_VERIFY_PEER; /// Disables verification of the peer's certificate. /// /// On the server side, this will cause OpenSSL to not request a certificate from the /// client. On the client side, the certificate will be checked for validity, but the /// negotiation will continue regardless of the result of that check. - const SSL_VERIFY_NONE = ::ffi::SSL_VERIFY_NONE; + const NONE = ::ffi::SSL_VERIFY_NONE; /// On the server side, abort the handshake if the client did not send a certificate. /// /// This should be paired with `SSL_VERIFY_PEER`. It has no effect on the client side. - const SSL_VERIFY_FAIL_IF_NO_PEER_CERT = ::ffi::SSL_VERIFY_FAIL_IF_NO_PEER_CERT; + const FAIL_IF_NO_PEER_CERT = ::ffi::SSL_VERIFY_FAIL_IF_NO_PEER_CERT; } } @@ -365,10 +338,10 @@ impl StatusType { pub fn as_raw(&self) -> c_int { self.0 } -} -/// An OSCP status. -pub const STATUS_TYPE_OCSP: StatusType = StatusType(ffi::TLSEXT_STATUSTYPE_ocsp); + /// An OSCP status. + pub const OCSP: StatusType = StatusType(ffi::TLSEXT_STATUSTYPE_ocsp); +} lazy_static! { static ref INDEXES: Mutex<HashMap<TypeId, c_int>> = Mutex::new(HashMap::new()); @@ -771,7 +744,7 @@ impl SslContextBuilder { pub fn set_certificate_file<P: AsRef<Path>>( &mut self, file: P, - file_type: X509FileType, + file_type: X509Filetype, ) -> Result<(), ErrorStack> { let file = CString::new(file.as_ref().as_os_str().to_str().unwrap()).unwrap(); unsafe { @@ -840,7 +813,7 @@ impl SslContextBuilder { pub fn set_private_key_file<P: AsRef<Path>>( &mut self, file: P, - file_type: X509FileType, + file_type: X509Filetype, ) -> Result<(), ErrorStack> { let file = CString::new(file.as_ref().as_os_str().to_str().unwrap()).unwrap(); unsafe { @@ -900,9 +873,9 @@ impl SslContextBuilder { /// This corresponds to [`SSL_CTX_set_options`]. /// /// [`SSL_CTX_set_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html - pub fn set_options(&mut self, option: SslOption) -> SslOption { + pub fn set_options(&mut self, option: SslOptions) -> SslOptions { let ret = unsafe { compat::SSL_CTX_set_options(self.as_ptr(), option.bits()) }; - SslOption::from_bits(ret).unwrap() + SslOptions::from_bits(ret).unwrap() } /// Returns the options used by the context. @@ -910,9 +883,9 @@ impl SslContextBuilder { /// This corresponds to [`SSL_CTX_get_options`]. /// /// [`SSL_CTX_get_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html - pub fn options(&self) -> SslOption { + pub fn options(&self) -> SslOptions { let ret = unsafe { compat::SSL_CTX_get_options(self.as_ptr()) }; - SslOption::from_bits(ret).unwrap() + SslOptions::from_bits(ret).unwrap() } /// Clears the options used by the context, returning the old set. @@ -920,9 +893,9 @@ impl SslContextBuilder { /// This corresponds to [`SSL_CTX_clear_options`]. /// /// [`SSL_CTX_clear_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html - pub fn clear_options(&mut self, option: SslOption) -> SslOption { + pub fn clear_options(&mut self, option: SslOptions) -> SslOptions { let ret = unsafe { compat::SSL_CTX_clear_options(self.as_ptr(), option.bits()) }; - SslOption::from_bits(ret).unwrap() + SslOptions::from_bits(ret).unwrap() } /// Set the protocols to be used during Next Protocol Negotiation (the protocols diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index ff1d1c86..365f0168 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -16,13 +16,13 @@ use tempdir::TempDir; use dh::Dh; use hash::MessageDigest; -use ocsp::{OcspResponse, RESPONSE_STATUS_UNAUTHORIZED}; +use ocsp::{OcspResponse, OcspResponseStatus}; use ssl; use ssl::{Error, HandshakeError, ShutdownResult, Ssl, SslAcceptorBuilder, SslConnectorBuilder, - SslContext, SslMethod, SslStream, SSL_VERIFY_NONE, SSL_VERIFY_PEER, STATUS_TYPE_OCSP}; -use x509::{X509, X509Name, X509StoreContext, X509_FILETYPE_PEM}; + SslContext, SslMethod, SslStream, SslVerifyMode, StatusType}; +use x509::{X509, X509Filetype, X509Name, X509StoreContext}; #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] -use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; +use x509::verify::X509CheckFlags; use pkey::PKey; use std::net::UdpSocket; @@ -131,8 +131,7 @@ macro_rules! run_test( use std::net::TcpStream; use ssl; use ssl::SslMethod; - use ssl::{SslContext, Ssl, SslStream}; - use ssl::SSL_VERIFY_PEER; + use ssl::{SslContext, Ssl, SslStream, SslVerifyMode, SslOptions}; use hash::MessageDigest; use x509::X509StoreContext; #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] @@ -160,7 +159,7 @@ run_test!(new_ctx, |method, _| { run_test!(verify_untrusted, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); match Ssl::new(&ctx.build()).unwrap().connect(stream) { Ok(_) => panic!("expected failure"), @@ -170,7 +169,7 @@ run_test!(verify_untrusted, |method, stream| { run_test!(verify_trusted, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -189,7 +188,7 @@ run_test!(verify_trusted_with_set_cert, |method, stream| { store.add_cert(x509).unwrap(); let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); match ctx.set_verify_cert_store(store.build()) { Ok(_) => {} @@ -203,7 +202,7 @@ run_test!(verify_trusted_with_set_cert, |method, stream| { run_test!(verify_untrusted_callback_override_ok, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| true); + ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| true); match Ssl::new(&ctx.build()).unwrap().connect(stream) { Ok(_) => (), @@ -213,14 +212,14 @@ run_test!(verify_untrusted_callback_override_ok, |method, stream| { run_test!(verify_untrusted_callback_override_bad, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| false); + ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| false); assert!(Ssl::new(&ctx.build()).unwrap().connect(stream).is_err()); }); run_test!(verify_trusted_callback_override_ok, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| true); + ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| true); match ctx.set_ca_file(&Path::new("test/cert.pem")) { Ok(_) => {} @@ -234,7 +233,7 @@ run_test!(verify_trusted_callback_override_ok, |method, stream| { run_test!(verify_trusted_callback_override_bad, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, |_, _| false); + ctx.set_verify_callback(SslVerifyMode::PEER, |_, _| false); match ctx.set_ca_file(&Path::new("test/cert.pem")) { Ok(_) => {} @@ -245,7 +244,7 @@ run_test!(verify_trusted_callback_override_bad, |method, stream| { run_test!(verify_callback_load_certs, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, |_, x509_ctx| { + ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| { assert!(x509_ctx.current_cert().is_some()); true }); @@ -255,7 +254,7 @@ run_test!(verify_callback_load_certs, |method, stream| { run_test!(verify_trusted_get_error_ok, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, |_, x509_ctx| { + ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| { assert!(x509_ctx.error().is_none()); true }); @@ -269,7 +268,7 @@ run_test!(verify_trusted_get_error_ok, |method, stream| { run_test!(verify_trusted_get_error_err, |method, stream| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, |_, x509_ctx| { + ctx.set_verify_callback(SslVerifyMode::PEER, |_, x509_ctx| { assert!(x509_ctx.error().is_some()); false }); @@ -286,7 +285,7 @@ run_test!(verify_callback_data, |method, stream| { // Please update if "test/cert.pem" will ever change let node_hash_str = "59172d9313e84459bcff27f967e79e6e9217e584"; let node_id = Vec::from_hex(node_hash_str).unwrap(); - ctx.set_verify_callback(SSL_VERIFY_PEER, move |_preverify_ok, x509_ctx| { + ctx.set_verify_callback(SslVerifyMode::PEER, move |_preverify_ok, x509_ctx| { let cert = x509_ctx.current_cert(); match cert { None => false, @@ -314,7 +313,7 @@ run_test!(ssl_verify_callback, |method, stream| { let node_hash_str = "59172d9313e84459bcff27f967e79e6e9217e584"; let node_id = Vec::from_hex(node_hash_str).unwrap(); - ssl.set_verify_callback(SSL_VERIFY_PEER, move |_, x509| { + ssl.set_verify_callback(SslVerifyMode::PEER, move |_, x509| { CHECKED.store(1, Ordering::SeqCst); match x509.current_cert() { None => false, @@ -349,10 +348,10 @@ fn test_write_hits_stream() { }); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); - ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM) + ctx.set_verify(SslVerifyMode::PEER); + ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM) .unwrap(); - ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM) + ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM) .unwrap(); let stream = listener.accept().unwrap().0; let mut stream = Ssl::new(&ctx.build()).unwrap().accept(stream).unwrap(); @@ -384,15 +383,15 @@ run_test!(get_ctx_options, |method, _| { run_test!(set_ctx_options, |method, _| { let mut ctx = SslContext::builder(method).unwrap(); - let opts = ctx.set_options(ssl::SSL_OP_NO_TICKET); - assert!(opts.contains(ssl::SSL_OP_NO_TICKET)); + let opts = ctx.set_options(SslOptions::NO_TICKET); + assert!(opts.contains(SslOptions::NO_TICKET)); }); run_test!(clear_ctx_options, |method, _| { let mut ctx = SslContext::builder(method).unwrap(); - ctx.set_options(ssl::SSL_OP_ALL); - let opts = ctx.clear_options(ssl::SSL_OP_ALL); - assert!(!opts.contains(ssl::SSL_OP_ALL)); + ctx.set_options(SslOptions::ALL); + let opts = ctx.clear_options(SslOptions::ALL); + assert!(!opts.contains(SslOptions::ALL)); }); #[test] @@ -481,7 +480,7 @@ fn test_state() { fn test_connect_with_unilateral_alpn() { let (_s, stream) = Server::new(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -503,7 +502,7 @@ fn test_connect_with_unilateral_alpn() { fn test_connect_with_unilateral_npn() { let (_s, stream) = Server::new(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -525,7 +524,7 @@ fn test_connect_with_unilateral_npn() { fn test_connect_with_alpn_successful_multiple_matching() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_alpn_protocols(&[b"spdy/3.1", b"http/1.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -547,7 +546,7 @@ fn test_connect_with_alpn_successful_multiple_matching() { fn test_connect_with_npn_successful_multiple_matching() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_npn_protocols(&[b"spdy/3.1", b"http/1.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -570,7 +569,7 @@ fn test_connect_with_npn_successful_multiple_matching() { fn test_connect_with_alpn_successful_single_match() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_alpn_protocols(&[b"spdy/3.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -585,7 +584,6 @@ fn test_connect_with_alpn_successful_single_match() { assert_eq!(b"spdy/3.1", stream.ssl().selected_alpn_protocol().unwrap()); } - /// Tests that when both the client as well as the server use NPN and their /// lists of supported protocols have an overlap -- with only ONE protocol /// being valid for both. @@ -594,7 +592,7 @@ fn test_connect_with_alpn_successful_single_match() { fn test_connect_with_npn_successful_single_match() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_npn_protocols(&[b"spdy/3.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -619,13 +617,13 @@ fn test_npn_server_advertise_multiple() { // We create a different context instance for the server... let listener_ctx = { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap(); assert!( - ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM) + ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM) .is_ok() ); - ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM) + ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM) .unwrap(); ctx.build() }; @@ -636,7 +634,7 @@ fn test_npn_server_advertise_multiple() { }); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_npn_protocols(&[b"spdy/3.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -662,13 +660,13 @@ fn test_alpn_server_advertise_multiple() { // We create a different context instance for the server... let listener_ctx = { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap(); assert!( - ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM) + ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM) .is_ok() ); - ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM) + ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM) .unwrap(); ctx.build() }; @@ -679,7 +677,7 @@ fn test_alpn_server_advertise_multiple() { }); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_alpn_protocols(&[b"spdy/3.1"]).unwrap(); match ctx.set_ca_file(&Path::new("test/root-ca.pem")) { Ok(_) => {} @@ -705,13 +703,13 @@ fn test_alpn_server_select_none() { // We create a different context instance for the server... let listener_ctx = { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap(); assert!( - ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM) + ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM) .is_ok() ); - ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM) + ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM) .unwrap(); ctx.build() }; @@ -722,7 +720,7 @@ fn test_alpn_server_select_none() { }); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); ctx.set_alpn_protocols(&[b"http/2"]).unwrap(); ctx.set_ca_file(&Path::new("test/root-ca.pem")).unwrap(); // Now connect to the socket and make sure the protocol negotiation works... @@ -961,7 +959,7 @@ fn refcount_ssl_context() { fn default_verify_paths() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_default_verify_paths().unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); let s = TcpStream::connect("google.com:443").unwrap(); let mut socket = Ssl::new(&ctx.build()).unwrap().connect(s).unwrap(); @@ -987,11 +985,11 @@ fn add_extra_chain_cert() { fn verify_valid_hostname() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_default_verify_paths().unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); let mut ssl = Ssl::new(&ctx.build()).unwrap(); ssl.param_mut() - .set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + .set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS); ssl.param_mut().set_host("google.com").unwrap(); let s = TcpStream::connect("google.com:443").unwrap(); @@ -1011,11 +1009,11 @@ fn verify_valid_hostname() { fn verify_invalid_hostname() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_default_verify_paths().unwrap(); - ctx.set_verify(SSL_VERIFY_PEER); + ctx.set_verify(SslVerifyMode::PEER); let mut ssl = Ssl::new(&ctx.build()).unwrap(); ssl.param_mut() - .set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + .set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS); ssl.param_mut().set_host("foobar.com").unwrap(); let s = TcpStream::connect("google.com:443").unwrap(); @@ -1081,7 +1079,7 @@ fn connector_no_hostname_can_disable_verify() { let (_s, tcp) = Server::new(); let mut connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap(); - connector.set_verify(SSL_VERIFY_NONE); + connector.set_verify(SslVerifyMode::NONE); let connector = connector.build(); connector @@ -1164,9 +1162,9 @@ fn shutdown() { thread::spawn(move || { let stream = listener.accept().unwrap().0; let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM) + ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM) .unwrap(); - ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM) + ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM) .unwrap(); let ssl = Ssl::new(&ctx.build()).unwrap(); let mut stream = ssl.accept(stream).unwrap(); @@ -1222,9 +1220,9 @@ fn tmp_dh_callback() { thread::spawn(move || { let stream = listener.accept().unwrap().0; let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM) + ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM) .unwrap(); - ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM) + ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM) .unwrap(); ctx.set_tmp_dh_callback(|_, _, _| { CALLED_BACK.store(true, Ordering::SeqCst); @@ -1249,7 +1247,7 @@ fn tmp_dh_callback() { all(feature = "v102", ossl102)))] fn tmp_ecdh_callback() { use ec::EcKey; - use nid; + use nid::Nid; static CALLED_BACK: AtomicBool = ATOMIC_BOOL_INIT; @@ -1259,13 +1257,13 @@ fn tmp_ecdh_callback() { thread::spawn(move || { let stream = listener.accept().unwrap().0; let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM) + ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM) .unwrap(); - ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM) + ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM) .unwrap(); ctx.set_tmp_ecdh_callback(|_, _, _| { CALLED_BACK.store(true, Ordering::SeqCst); - EcKey::new_by_curve_name(nid::X9_62_PRIME256V1) + EcKey::new_by_curve_name(Nid::X9_62_PRIME256V1) }); let ssl = Ssl::new(&ctx.build()).unwrap(); ssl.accept(stream).unwrap(); @@ -1290,9 +1288,9 @@ fn tmp_dh_callback_ssl() { thread::spawn(move || { let stream = listener.accept().unwrap().0; let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM) + ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM) .unwrap(); - ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM) + ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM) .unwrap(); let mut ssl = Ssl::new(&ctx.build()).unwrap(); ssl.set_tmp_dh_callback(|_, _, _| { @@ -1317,7 +1315,7 @@ fn tmp_dh_callback_ssl() { all(feature = "v102", ossl102)))] fn tmp_ecdh_callback_ssl() { use ec::EcKey; - use nid; + use nid::Nid; static CALLED_BACK: AtomicBool = ATOMIC_BOOL_INIT; @@ -1327,14 +1325,14 @@ fn tmp_ecdh_callback_ssl() { thread::spawn(move || { let stream = listener.accept().unwrap().0; let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM) + ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM) .unwrap(); - ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM) + ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM) .unwrap(); let mut ssl = Ssl::new(&ctx.build()).unwrap(); ssl.set_tmp_ecdh_callback(|_, _, _| { CALLED_BACK.store(true, Ordering::SeqCst); - EcKey::new_by_curve_name(nid::X9_62_PRIME256V1) + EcKey::new_by_curve_name(Nid::X9_62_PRIME256V1) }); ssl.accept(stream).unwrap(); }); @@ -1382,13 +1380,13 @@ fn status_callbacks() { let guard = thread::spawn(move || { let stream = listener.accept().unwrap().0; let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_certificate_file(&Path::new("test/cert.pem"), X509_FILETYPE_PEM) + ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM) .unwrap(); - ctx.set_private_key_file(&Path::new("test/key.pem"), X509_FILETYPE_PEM) + ctx.set_private_key_file(&Path::new("test/key.pem"), X509Filetype::PEM) .unwrap(); ctx.set_status_callback(|ssl| { CALLED_BACK_SERVER.store(true, Ordering::SeqCst); - let response = OcspResponse::create(RESPONSE_STATUS_UNAUTHORIZED, None).unwrap(); + let response = OcspResponse::create(OcspResponseStatus::UNAUTHORIZED, None).unwrap(); let response = response.to_der().unwrap(); ssl.set_ocsp_status(&response).unwrap(); Ok(true) @@ -1402,11 +1400,11 @@ fn status_callbacks() { ctx.set_status_callback(|ssl| { CALLED_BACK_CLIENT.store(true, Ordering::SeqCst); let response = OcspResponse::from_der(ssl.ocsp_status().unwrap()).unwrap(); - assert_eq!(response.status(), RESPONSE_STATUS_UNAUTHORIZED); + assert_eq!(response.status(), OcspResponseStatus::UNAUTHORIZED); Ok(true) }).unwrap(); let mut ssl = Ssl::new(&ctx.build()).unwrap(); - ssl.set_status_type(STATUS_TYPE_OCSP).unwrap(); + ssl.set_status_type(StatusType::OCSP).unwrap(); ssl.connect(stream).unwrap(); assert!(CALLED_BACK_SERVER.load(Ordering::SeqCst)); |