aboutsummaryrefslogtreecommitdiff
path: root/openssl/src/ssl
diff options
context:
space:
mode:
authorSteven Fackler <[email protected]>2018-05-20 11:27:45 -0700
committerSteven Fackler <[email protected]>2018-05-20 12:33:02 -0700
commita6fcef01c0aa71359f583342c813b8db5835178d (patch)
tree33c47b59618e5fe286904462f2d4a540804dd7ef /openssl/src/ssl
parentExpose X509_VERIFY_PARAM on libressl (diff)
downloadrust-openssl-a6fcef01c0aa71359f583342c813b8db5835178d.tar.xz
rust-openssl-a6fcef01c0aa71359f583342c813b8db5835178d.zip
Overhaul openssl cfgs
Also expose hostname verification on libressl
Diffstat (limited to 'openssl/src/ssl')
-rw-r--r--openssl/src/ssl/bio.rs204
-rw-r--r--openssl/src/ssl/callbacks.rs68
-rw-r--r--openssl/src/ssl/connector.rs388
-rw-r--r--openssl/src/ssl/mod.rs233
-rw-r--r--openssl/src/ssl/test.rs4
5 files changed, 438 insertions, 459 deletions
diff --git a/openssl/src/ssl/bio.rs b/openssl/src/ssl/bio.rs
index 4b792a75..1a149b6d 100644
--- a/openssl/src/ssl/bio.rs
+++ b/openssl/src/ssl/bio.rs
@@ -1,11 +1,13 @@
+use ffi::{
+ self, BIO_clear_retry_flags, BIO_new, BIO_set_retry_read, BIO_set_retry_write, BIO,
+ BIO_CTRL_FLUSH,
+};
use libc::{c_char, c_int, c_long, c_void, strlen};
-use ffi::{BIO, BIO_CTRL_FLUSH, BIO_new, BIO_clear_retry_flags, BIO_set_retry_read,
- BIO_set_retry_write};
use std::any::Any;
use std::io;
use std::io::prelude::*;
use std::mem;
-use std::panic::{AssertUnwindSafe, catch_unwind};
+use std::panic::{catch_unwind, AssertUnwindSafe};
use std::ptr;
use std::slice;
@@ -19,11 +21,11 @@ pub struct StreamState<S> {
}
/// Safe wrapper for BIO_METHOD
-pub struct BioMethod(compat::BIO_METHOD);
+pub struct BioMethod(BIO_METHOD);
impl BioMethod {
fn new<S: Read + Write>() -> BioMethod {
- BioMethod(compat::BIO_METHOD::new::<S>())
+ BioMethod(BIO_METHOD::new::<S>())
}
}
@@ -41,8 +43,8 @@ pub fn new<S: Read + Write>(stream: S) -> Result<(*mut BIO, BioMethod), ErrorSta
unsafe {
let bio = cvt_p(BIO_new(method.0.get()))?;
- compat::BIO_set_data(bio, Box::into_raw(state) as *mut _);
- compat::BIO_set_init(bio, 1);
+ BIO_set_data(bio, Box::into_raw(state) as *mut _);
+ BIO_set_init(bio, 1);
return Ok((bio, method));
}
@@ -59,7 +61,7 @@ pub unsafe fn take_panic<S>(bio: *mut BIO) -> Option<Box<Any + Send>> {
}
pub unsafe fn get_ref<'a, S: 'a>(bio: *mut BIO) -> &'a S {
- let state: &'a StreamState<S> = mem::transmute(compat::BIO_get_data(bio));
+ let state: &'a StreamState<S> = mem::transmute(BIO_get_data(bio));
&state.stream
}
@@ -68,7 +70,7 @@ pub unsafe fn get_mut<'a, S: 'a>(bio: *mut BIO) -> &'a mut S {
}
unsafe fn state<'a, S: 'a>(bio: *mut BIO) -> &'a mut StreamState<S> {
- &mut *(compat::BIO_get_data(bio) as *mut _)
+ &mut *(BIO_get_data(bio) as *mut _)
}
unsafe extern "C" fn bwrite<S: Write>(bio: *mut BIO, buf: *const c_char, len: c_int) -> c_int {
@@ -117,8 +119,7 @@ unsafe extern "C" fn bread<S: Read>(bio: *mut BIO, buf: *mut c_char, len: c_int)
fn retriable_error(err: &io::Error) -> bool {
match err.kind() {
- io::ErrorKind::WouldBlock |
- io::ErrorKind::NotConnected => true,
+ io::ErrorKind::WouldBlock | io::ErrorKind::NotConnected => true,
_ => false,
}
}
@@ -153,10 +154,10 @@ unsafe extern "C" fn ctrl<S: Write>(
}
unsafe extern "C" fn create(bio: *mut BIO) -> c_int {
- compat::BIO_set_init(bio, 0);
- compat::BIO_set_num(bio, 0);
- compat::BIO_set_data(bio, ptr::null_mut());
- compat::BIO_set_flags(bio, 0);
+ BIO_set_init(bio, 0);
+ BIO_set_num(bio, 0);
+ BIO_set_data(bio, ptr::null_mut());
+ BIO_set_flags(bio, 0);
1
}
@@ -165,115 +166,110 @@ unsafe extern "C" fn destroy<S>(bio: *mut BIO) -> c_int {
return 0;
}
- let data = compat::BIO_get_data(bio);
+ let data = BIO_get_data(bio);
assert!(!data.is_null());
Box::<StreamState<S>>::from_raw(data as *mut _);
- compat::BIO_set_data(bio, ptr::null_mut());
- compat::BIO_set_init(bio, 0);
+ BIO_set_data(bio, ptr::null_mut());
+ BIO_set_init(bio, 0);
1
}
-#[cfg(ossl110)]
-#[allow(bad_style)]
-mod compat {
- use std::io::{Read, Write};
-
- use libc::c_int;
- use ffi;
- pub use ffi::{BIO_set_init, BIO_set_flags, BIO_set_data, BIO_get_data};
-
- pub unsafe fn BIO_set_num(_bio: *mut ffi::BIO, _num: c_int) {}
-
- pub struct BIO_METHOD(*mut ffi::BIO_METHOD);
-
- impl BIO_METHOD {
- pub fn new<S: Read + Write>() -> BIO_METHOD {
- unsafe {
- let ptr = ffi::BIO_meth_new(ffi::BIO_TYPE_NONE, b"rust\0".as_ptr() as *const _);
- assert!(!ptr.is_null());
- let ret = BIO_METHOD(ptr);
- assert!(ffi::BIO_meth_set_write(ptr, super::bwrite::<S>) != 0);
- assert!(ffi::BIO_meth_set_read(ptr, super::bread::<S>) != 0);
- assert!(ffi::BIO_meth_set_puts(ptr, super::bputs::<S>) != 0);
- assert!(ffi::BIO_meth_set_ctrl(ptr, super::ctrl::<S>) != 0);
- assert!(ffi::BIO_meth_set_create(ptr, super::create) != 0);
- assert!(ffi::BIO_meth_set_destroy(ptr, super::destroy::<S>) != 0);
- return ret;
+cfg_if! {
+ if #[cfg(ossl110)] {
+ use ffi::{BIO_get_data, BIO_set_data, BIO_set_flags, BIO_set_init};
+
+ #[allow(bad_style)]
+ unsafe fn BIO_set_num(_bio: *mut ffi::BIO, _num: c_int) {}
+
+ #[allow(bad_style)]
+ struct BIO_METHOD(*mut ffi::BIO_METHOD);
+
+ impl BIO_METHOD {
+ fn new<S: Read + Write>() -> BIO_METHOD {
+ unsafe {
+ let ptr = ffi::BIO_meth_new(ffi::BIO_TYPE_NONE, b"rust\0".as_ptr() as *const _);
+ assert!(!ptr.is_null());
+ let ret = BIO_METHOD(ptr);
+ assert!(ffi::BIO_meth_set_write(ptr, bwrite::<S>) != 0);
+ assert!(ffi::BIO_meth_set_read(ptr, bread::<S>) != 0);
+ assert!(ffi::BIO_meth_set_puts(ptr, bputs::<S>) != 0);
+ assert!(ffi::BIO_meth_set_ctrl(ptr, ctrl::<S>) != 0);
+ assert!(ffi::BIO_meth_set_create(ptr, create) != 0);
+ assert!(ffi::BIO_meth_set_destroy(ptr, destroy::<S>) != 0);
+ return ret;
+ }
}
- }
-
- pub fn get(&self) -> *mut ffi::BIO_METHOD {
- self.0
- }
- }
- impl Drop for BIO_METHOD {
- fn drop(&mut self) {
- unsafe {
- ffi::BIO_meth_free(self.0);
+ fn get(&self) -> *mut ffi::BIO_METHOD {
+ self.0
}
}
- }
-}
-#[cfg(ossl10x)]
-#[allow(bad_style)]
-mod compat {
- use std::io::{Read, Write};
-
- use ffi;
- use libc::{c_int, c_void};
-
- pub struct BIO_METHOD(*mut ffi::BIO_METHOD);
-
- impl BIO_METHOD {
- pub fn new<S: Read + Write>() -> BIO_METHOD {
- let ptr = Box::new(ffi::BIO_METHOD {
- type_: ffi::BIO_TYPE_NONE,
- name: b"rust\0".as_ptr() as *const _,
- bwrite: Some(super::bwrite::<S>),
- bread: Some(super::bread::<S>),
- bputs: Some(super::bputs::<S>),
- bgets: None,
- ctrl: Some(super::ctrl::<S>),
- create: Some(super::create),
- destroy: Some(super::destroy::<S>),
- callback_ctrl: None,
- });
-
- BIO_METHOD(Box::into_raw(ptr))
+ impl Drop for BIO_METHOD {
+ fn drop(&mut self) {
+ unsafe {
+ ffi::BIO_meth_free(self.0);
+ }
+ }
}
+ } else {
+ #[allow(bad_style)]
+ struct BIO_METHOD(*mut ffi::BIO_METHOD);
+
+ impl BIO_METHOD {
+ fn new<S: Read + Write>() -> BIO_METHOD {
+ let ptr = Box::new(ffi::BIO_METHOD {
+ type_: ffi::BIO_TYPE_NONE,
+ name: b"rust\0".as_ptr() as *const _,
+ bwrite: Some(bwrite::<S>),
+ bread: Some(bread::<S>),
+ bputs: Some(bputs::<S>),
+ bgets: None,
+ ctrl: Some(ctrl::<S>),
+ create: Some(create),
+ destroy: Some(destroy::<S>),
+ callback_ctrl: None,
+ });
+
+ BIO_METHOD(Box::into_raw(ptr))
+ }
- pub fn get(&self) -> *mut ffi::BIO_METHOD {
- self.0
+ fn get(&self) -> *mut ffi::BIO_METHOD {
+ self.0
+ }
}
- }
- impl Drop for BIO_METHOD {
- fn drop(&mut self) {
- unsafe {
- Box::<ffi::BIO_METHOD>::from_raw(self.0);
+ impl Drop for BIO_METHOD {
+ fn drop(&mut self) {
+ unsafe {
+ Box::<ffi::BIO_METHOD>::from_raw(self.0);
+ }
}
}
- }
- pub unsafe fn BIO_set_init(bio: *mut ffi::BIO, init: c_int) {
- (*bio).init = init;
- }
+ #[allow(bad_style)]
+ unsafe fn BIO_set_init(bio: *mut ffi::BIO, init: c_int) {
+ (*bio).init = init;
+ }
- pub unsafe fn BIO_set_flags(bio: *mut ffi::BIO, flags: c_int) {
- (*bio).flags = flags;
- }
+ #[allow(bad_style)]
+ unsafe fn BIO_set_flags(bio: *mut ffi::BIO, flags: c_int) {
+ (*bio).flags = flags;
+ }
- pub unsafe fn BIO_get_data(bio: *mut ffi::BIO) -> *mut c_void {
- (*bio).ptr
- }
+ #[allow(bad_style)]
+ unsafe fn BIO_get_data(bio: *mut ffi::BIO) -> *mut c_void {
+ (*bio).ptr
+ }
- pub unsafe fn BIO_set_data(bio: *mut ffi::BIO, data: *mut c_void) {
- (*bio).ptr = data;
- }
+ #[allow(bad_style)]
+ unsafe fn BIO_set_data(bio: *mut ffi::BIO, data: *mut c_void) {
+ (*bio).ptr = data;
+ }
- pub unsafe fn BIO_set_num(bio: *mut ffi::BIO, num: c_int) {
- (*bio).num = num;
+ #[allow(bad_style)]
+ unsafe fn BIO_set_num(bio: *mut ffi::BIO, num: c_int) {
+ (*bio).num = num;
+ }
}
}
diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs
index fd5b7ef5..6ec9aef9 100644
--- a/openssl/src/ssl/callbacks.rs
+++ b/openssl/src/ssl/callbacks.rs
@@ -13,11 +13,11 @@ use std::str;
use std::sync::Arc;
use dh::Dh;
-#[cfg(any(ossl101, ossl102))]
+#[cfg(all(ossl101, not(ossl110)))]
use ec::EcKey;
use error::ErrorStack;
use pkey::Params;
-#[cfg(any(ossl102, ossl110))]
+#[cfg(ossl102)]
use ssl::AlpnError;
#[cfg(ossl111)]
use ssl::ExtensionContext;
@@ -37,7 +37,8 @@ where
// raw pointer shenanigans to break the borrow of ctx
// the callback can't mess with its own ex_data slot so this is safe
- let verify = ctx.ex_data(ssl_idx)
+ let verify = ctx
+ .ex_data(ssl_idx)
.expect("BUG: store context missing ssl")
.ssl_context()
.ex_data(verify_idx)
@@ -66,7 +67,8 @@ where
let ssl = SslRef::from_ptr_mut(ssl);
let callback_idx = SslContext::cached_ex_index::<F>();
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(callback_idx)
.expect("BUG: psk callback missing") as *const F;
let hint = if hint != ptr::null() {
@@ -96,7 +98,8 @@ where
let ssl_idx = X509StoreContext::ssl_idx().expect("BUG: store context ssl index missing");
let callback_idx = Ssl::cached_ex_index::<Arc<F>>();
- let callback = ctx.ex_data(ssl_idx)
+ let callback = ctx
+ .ex_data(ssl_idx)
.expect("BUG: store context missing ssl")
.ex_data(callback_idx)
.expect("BUG: ssl verify callback missing")
@@ -112,7 +115,8 @@ where
{
unsafe {
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: sni callback missing") as *const F;
let mut alert = SslAlert(*al);
@@ -140,7 +144,8 @@ where
{
unsafe {
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: alpn callback missing") as *const F;
let protos = slice::from_raw_parts(inbuf as *const u8, inlen as usize);
@@ -165,7 +170,8 @@ where
F: Fn(&mut SslRef, bool, u32) -> Result<Dh<Params>, ErrorStack> + 'static + Sync + Send,
{
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: tmp dh callback missing") as *const F;
@@ -182,7 +188,7 @@ where
}
}
-#[cfg(any(ossl101, ossl102))]
+#[cfg(all(ossl101, not(ossl110)))]
pub unsafe extern "C" fn raw_tmp_ecdh<F>(
ssl: *mut ffi::SSL,
is_export: c_int,
@@ -192,7 +198,8 @@ where
F: Fn(&mut SslRef, bool, u32) -> Result<EcKey<Params>, ErrorStack> + 'static + Sync + Send,
{
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: tmp ecdh callback missing") as *const F;
@@ -218,7 +225,8 @@ where
F: Fn(&mut SslRef, bool, u32) -> Result<Dh<Params>, ErrorStack> + 'static + Sync + Send,
{
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ex_data(Ssl::cached_ex_index::<Arc<F>>())
+ let callback = ssl
+ .ex_data(Ssl::cached_ex_index::<Arc<F>>())
.expect("BUG: ssl tmp dh callback missing")
.clone();
@@ -235,7 +243,7 @@ where
}
}
-#[cfg(any(ossl101, ossl102))]
+#[cfg(all(ossl101, not(ossl110)))]
pub unsafe extern "C" fn raw_tmp_ecdh_ssl<F>(
ssl: *mut ffi::SSL,
is_export: c_int,
@@ -245,7 +253,8 @@ where
F: Fn(&mut SslRef, bool, u32) -> Result<EcKey<Params>, ErrorStack> + 'static + Sync + Send,
{
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ex_data(Ssl::cached_ex_index::<Arc<F>>())
+ let callback = ssl
+ .ex_data(Ssl::cached_ex_index::<Arc<F>>())
.expect("BUG: ssl tmp ecdh callback missing")
.clone();
@@ -267,7 +276,8 @@ where
F: Fn(&mut SslRef) -> Result<bool, ErrorStack> + 'static + Sync + Send,
{
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: ocsp callback missing") as *const F;
let ret = (*callback)(ssl);
@@ -301,7 +311,8 @@ where
F: Fn(&mut SslRef, SslSession) + 'static + Sync + Send,
{
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: new session callback missing") as *const F;
let session = SslSession::from_ptr(session);
@@ -319,7 +330,8 @@ pub unsafe extern "C" fn raw_remove_session<F>(
F: Fn(&SslContextRef, &SslSessionRef) + 'static + Sync + Send,
{
let ctx = SslContextRef::from_ptr(ctx);
- let callback = ctx.ex_data(SslContext::cached_ex_index::<F>())
+ let callback = ctx
+ .ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: remove session callback missing");
let session = SslSessionRef::from_ptr(session);
@@ -341,7 +353,8 @@ where
F: Fn(&mut SslRef, &[u8]) -> Option<SslSession> + 'static + Sync + Send,
{
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: get session callback missing") as *const F;
let data = slice::from_raw_parts(data as *const u8, len as usize);
@@ -363,7 +376,8 @@ where
F: Fn(&SslRef, &str) + 'static + Sync + Send,
{
let ssl = SslRef::from_ptr(ssl as *mut _);
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: get session callback missing");
let line = CStr::from_ptr(line).to_bytes();
@@ -382,7 +396,8 @@ where
F: Fn(&mut SslRef, &mut [u8]) -> Result<usize, ErrorStack> + 'static + Sync + Send,
{
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: stateless cookie generate callback missing") as *const F;
let slice = slice::from_raw_parts_mut(cookie as *mut u8, ffi::SSL_COOKIE_LENGTH as usize);
@@ -408,7 +423,8 @@ where
F: Fn(&mut SslRef, &[u8]) -> bool + 'static + Sync + Send,
{
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: stateless cookie verify callback missing") as *const F;
let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len as usize);
@@ -425,7 +441,8 @@ where
{
unsafe {
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: cookie generate callback missing") as *const F;
// We subtract 1 from DTLS1_COOKIE_LENGTH as the ostensible value, 256, is erroneous but retained for
@@ -461,7 +478,8 @@ where
{
unsafe {
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: cookie verify callback missing") as *const F;
let slice =
@@ -494,7 +512,8 @@ where
{
unsafe {
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: custom ext add callback missing") as *const F;
let ectx = ExtensionContext::from_bits_truncate(context);
@@ -570,7 +589,8 @@ where
{
unsafe {
let ssl = SslRef::from_ptr_mut(ssl);
- let callback = ssl.ssl_context()
+ let callback = ssl
+ .ssl_context()
.ex_data(SslContext::cached_ex_index::<F>())
.expect("BUG: custom ext parse callback missing") as *const F;
let ectx = ExtensionContext::from_bits_truncate(context);
diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs
index 9966a5a0..f10a0e23 100644
--- a/openssl/src/ssl/connector.rs
+++ b/openssl/src/ssl/connector.rs
@@ -3,16 +3,22 @@ use std::ops::{Deref, DerefMut};
use dh::Dh;
use error::ErrorStack;
-use ssl::{HandshakeError, Ssl, SslContext, SslContextBuilder, SslMethod, SslMode, SslOptions,
- SslRef, SslStream, SslVerifyMode};
+use ssl::{
+ HandshakeError, Ssl, SslContext, SslContextBuilder, SslMethod, SslMode, SslOptions, SslRef,
+ SslStream, SslVerifyMode,
+};
use version;
fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
let mut ctx = SslContextBuilder::new(method)?;
- let mut opts = SslOptions::ALL | SslOptions::NO_COMPRESSION | SslOptions::NO_SSLV2
- | SslOptions::NO_SSLV3 | SslOptions::SINGLE_DH_USE
- | SslOptions::SINGLE_ECDH_USE | SslOptions::CIPHER_SERVER_PREFERENCE;
+ let mut opts = SslOptions::ALL
+ | SslOptions::NO_COMPRESSION
+ | SslOptions::NO_SSLV2
+ | SslOptions::NO_SSLV3
+ | SslOptions::SINGLE_DH_USE
+ | SslOptions::SINGLE_ECDH_USE
+ | SslOptions::CIPHER_SERVER_PREFERENCE;
opts &= !SslOptions::DONT_INSERT_EMPTY_FRAGMENTS;
ctx.set_options(opts);
@@ -23,7 +29,7 @@ fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
// This is quite a useful optimization for saving memory, but historically
// caused CVEs in OpenSSL pre-1.0.1h, according to
// https://bugs.python.org/issue25672
- if version::number() >= 0x1000108f {
+ if version::number() >= 0x1_00_01_08_0 {
mode |= SslMode::RELEASE_BUFFERS;
}
@@ -277,226 +283,228 @@ impl DerefMut for SslAcceptorBuilder {
}
}
-#[cfg(ossl101)]
-fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
- use ec::EcKey;
- use nid::Nid;
-
- let curve = EcKey::from_curve_name(Nid::X9_62_PRIME256V1)?;
- ctx.set_tmp_ecdh(&curve)
-}
-
-#[cfg(ossl102)]
-fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
- ctx.set_ecdh_auto(true)
-}
-
-#[cfg(ossl110)]
-fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> {
- Ok(())
-}
-
-#[cfg(any(ossl102, ossl110))]
-fn setup_verify(ctx: &mut SslContextBuilder) {
- ctx.set_verify(SslVerifyMode::PEER);
-}
-
-#[cfg(ossl101)]
-fn setup_verify(ctx: &mut SslContextBuilder) {
- ctx.set_verify_callback(SslVerifyMode::PEER, verify::verify_callback);
-}
-
-#[cfg(any(ossl102, ossl110))]
-fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
- use x509::verify::X509CheckFlags;
+cfg_if! {
+ if #[cfg(ossl110)] {
+ fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> {
+ Ok(())
+ }
+ } else if #[cfg(any(ossl102, libressl))] {
+ fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
+ ctx.set_ecdh_auto(true)
+ }
+ } else {
+ fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
+ use ec::EcKey;
+ use nid::Nid;
- let param = ssl.param_mut();
- param.set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS);
- match domain.parse() {
- Ok(ip) => param.set_ip(ip),
- Err(_) => param.set_host(domain),
+ let curve = EcKey::from_curve_name(Nid::X9_62_PRIME256V1)?;
+ ctx.set_tmp_ecdh(&curve)
+ }
}
}
-#[cfg(ossl101)]
-fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
- let domain = domain.to_string();
- ssl.set_ex_data(*verify::HOSTNAME_IDX, domain);
- Ok(())
-}
-
-#[cfg(ossl101)]
-mod verify {
- use std::net::IpAddr;
- use std::str;
-
- use ex_data::Index;
- use nid::Nid;
- use x509::{GeneralName, X509NameRef, X509Ref, X509StoreContext, X509StoreContextRef,
- X509VerifyResult};
- use stack::Stack;
- use ssl::Ssl;
+cfg_if! {
+ if #[cfg(any(ossl102, libressl261))] {
+ fn setup_verify(ctx: &mut SslContextBuilder) {
+ ctx.set_verify(SslVerifyMode::PEER);
+ }
- lazy_static! {
- pub static ref HOSTNAME_IDX: Index<Ssl, String> = Ssl::new_ex_index().unwrap();
- }
+ fn setup_verify_hostname(ssl: &mut SslRef, domain: &str) -> Result<(), ErrorStack> {
+ use x509::verify::X509CheckFlags;
- pub fn verify_callback(preverify_ok: bool, x509_ctx: &mut X509StoreContextRef) -> bool {
- if !preverify_ok || x509_ctx.error_depth() != 0 {
- return preverify_ok;
+ let param = ssl.param_mut();
+ param.set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS);
+ match domain.parse() {
+ Ok(ip) => param.set_ip(ip),
+ Err(_) => param.set_host(domain),
+ }
+ }
+ } else {
+ fn setup_verify(ctx: &mut SslContextBuilder) {
+ ctx.set_verify_callback(SslVerifyMode::PEER, verify::verify_callback);
}
- let ok = match (
- x509_ctx.current_cert(),
- X509StoreContext::ssl_idx()
- .ok()
- .and_then(|idx| x509_ctx.ex_data(idx))
- .and_then(|ssl| ssl.ex_data(*HOSTNAME_IDX)),
- ) {
- (Some(x509), Some(domain)) => verify_hostname(domain, &x509),
- _ => true,
- };
-
- if !ok {
- x509_ctx.set_error(X509VerifyResult::APPLICATION_VERIFICATION);
+ fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
+ let domain = domain.to_string();
+ ssl.set_ex_data(*verify::HOSTNAME_IDX, domain);
+ Ok(())
}
- ok
- }
+ mod verify {
+ use std::net::IpAddr;
+ use std::str;
+
+ use ex_data::Index;
+ use nid::Nid;
+ use ssl::Ssl;
+ use stack::Stack;
+ use x509::{
+ GeneralName, X509NameRef, X509Ref, X509StoreContext, X509StoreContextRef,
+ X509VerifyResult,
+ };
+
+ lazy_static! {
+ pub static ref HOSTNAME_IDX: Index<Ssl, String> = Ssl::new_ex_index().unwrap();
+ }
- fn verify_hostname(domain: &str, cert: &X509Ref) -> bool {
- match cert.subject_alt_names() {
- Some(names) => verify_subject_alt_names(domain, names),
- None => verify_subject_name(domain, &cert.subject_name()),
- }
- }
+ pub fn verify_callback(preverify_ok: bool, x509_ctx: &mut X509StoreContextRef) -> bool {
+ if !preverify_ok || x509_ctx.error_depth() != 0 {
+ return preverify_ok;
+ }
+
+ let ok = match (
+ x509_ctx.current_cert(),
+ X509StoreContext::ssl_idx()
+ .ok()
+ .and_then(|idx| x509_ctx.ex_data(idx))
+ .and_then(|ssl| ssl.ex_data(*HOSTNAME_IDX)),
+ ) {
+ (Some(x509), Some(domain)) => verify_hostname(domain, &x509),
+ _ => true,
+ };
- fn verify_subject_alt_names(domain: &str, names: Stack<GeneralName>) -> bool {
- let ip = domain.parse();
+ if !ok {
+ x509_ctx.set_error(X509VerifyResult::APPLICATION_VERIFICATION);
+ }
+
+ ok
+ }
- for name in &names {
- match ip {
- Ok(ip) => {
- if let Some(actual) = name.ipaddress() {
- if matches_ip(&ip, actual) {
- return true;
+ fn verify_hostname(domain: &str, cert: &X509Ref) -> bool {
+ match cert.subject_alt_names() {
+ Some(names) => verify_subject_alt_names(domain, names),
+ None => verify_subject_name(domain, &cert.subject_name()),
+ }
+ }
+
+ fn verify_subject_alt_names(domain: &str, names: Stack<GeneralName>) -> bool {
+ let ip = domain.parse();
+
+ for name in &names {
+ match ip {
+ Ok(ip) => {
+ if let Some(actual) = name.ipaddress() {
+ if matches_ip(&ip, actual) {
+ return true;
+ }
+ }
+ }
+ Err(_) => {
+ if let Some(pattern) = name.dnsname() {
+ if matches_dns(pattern, domain) {
+ return true;
+ }
+ }
}
}
}
- Err(_) => {
- if let Some(pattern) = name.dnsname() {
- if matches_dns(pattern, domain) {
- return true;
+
+ false
+ }
+
+ fn verify_subject_name(domain: &str, subject_name: &X509NameRef) -> bool {
+ match subject_name.entries_by_nid(Nid::COMMONNAME).next() {
+ Some(pattern) => {
+ let pattern = match str::from_utf8(pattern.data().as_slice()) {
+ Ok(pattern) => pattern,
+ Err(_) => return false,
+ };
+
+ // Unlike SANs, IP addresses in the subject name don't have a
+ // different encoding.
+ match domain.parse::<IpAddr>() {
+ Ok(ip) => pattern
+ .parse::<IpAddr>()
+ .ok()
+ .map_or(false, |pattern| pattern == ip),
+ Err(_) => matches_dns(pattern, domain),
}
}
+ None => false,
}
}
- }
- false
- }
-
- fn verify_subject_name(domain: &str, subject_name: &X509NameRef) -> bool {
- match subject_name.entries_by_nid(Nid::COMMONNAME).next() {
- Some(pattern) => {
- let pattern = match str::from_utf8(pattern.data().as_slice()) {
- Ok(pattern) => pattern,
- Err(_) => return false,
- };
-
- // Unlike SANs, IP addresses in the subject name don't have a
- // different encoding.
- match domain.parse::<IpAddr>() {
- Ok(ip) => pattern
- .parse::<IpAddr>()
- .ok()
- .map_or(false, |pattern| pattern == ip),
- Err(_) => matches_dns(pattern, domain),
+ fn matches_dns(mut pattern: &str, mut hostname: &str) -> bool {
+ // first strip trailing . off of pattern and hostname to normalize
+ if pattern.ends_with('.') {
+ pattern = &pattern[..pattern.len() - 1];
}
+ if hostname.ends_with('.') {
+ hostname = &hostname[..hostname.len() - 1];
+ }
+
+ matches_wildcard(pattern, hostname).unwrap_or_else(|| pattern == hostname)
}
- None => false,
- }
- }
- fn matches_dns(mut pattern: &str, mut hostname: &str) -> bool {
- // first strip trailing . off of pattern and hostname to normalize
- if pattern.ends_with('.') {
- pattern = &pattern[..pattern.len() - 1];
- }
- if hostname.ends_with('.') {
- hostname = &hostname[..hostname.len() - 1];
- }
+ fn matches_wildcard(pattern: &str, hostname: &str) -> Option<bool> {
+ // internationalized domains can't involved in wildcards
+ if pattern.starts_with("xn--") {
+ return None;
+ }
- matches_wildcard(pattern, hostname).unwrap_or_else(|| pattern == hostname)
- }
+ let wildcard_location = match pattern.find('*') {
+ Some(l) => l,
+ None => return None,
+ };
- fn matches_wildcard(pattern: &str, hostname: &str) -> Option<bool> {
- // internationalized domains can't involved in wildcards
- if pattern.starts_with("xn--") {
- return None;
- }
+ let mut dot_idxs = pattern.match_indices('.').map(|(l, _)| l);
+ let wildcard_end = match dot_idxs.next() {
+ Some(l) => l,
+ None => return None,
+ };
- let wildcard_location = match pattern.find('*') {
- Some(l) => l,
- None => return None,
- };
-
- let mut dot_idxs = pattern.match_indices('.').map(|(l, _)| l);
- let wildcard_end = match dot_idxs.next() {
- Some(l) => l,
- None => return None,
- };
-
- // Never match wildcards if the pattern has less than 2 '.'s (no *.com)
- //
- // This is a bit dubious, as it doesn't disallow other TLDs like *.co.uk.
- // Chrome has a black- and white-list for this, but Firefox (via NSS) does
- // the same thing we do here.
- //
- // The Public Suffix (https://www.publicsuffix.org/) list could
- // potentially be used here, but it's both huge and updated frequently
- // enough that management would be a PITA.
- if dot_idxs.next().is_none() {
- return None;
- }
+ // Never match wildcards if the pattern has less than 2 '.'s (no *.com)
+ //
+ // This is a bit dubious, as it doesn't disallow other TLDs like *.co.uk.
+ // Chrome has a black- and white-list for this, but Firefox (via NSS) does
+ // the same thing we do here.
+ //
+ // The Public Suffix (https://www.publicsuffix.org/) list could
+ // potentially be used here, but it's both huge and updated frequently
+ // enough that management would be a PITA.
+ if dot_idxs.next().is_none() {
+ return None;
+ }
- // Wildcards can only be in the first component
- if wildcard_location > wildcard_end {
- return None;
- }
+ // Wildcards can only be in the first component
+ if wildcard_location > wildcard_end {
+ return None;
+ }
- let hostname_label_end = match hostname.find('.') {
- Some(l) => l,
- None => return None,
- };
+ let hostname_label_end = match hostname.find('.') {
+ Some(l) => l,
+ None => return None,
+ };
- // check that the non-wildcard parts are identical
- if pattern[wildcard_end..] != hostname[hostname_label_end..] {
- return Some(false);
- }
+ // check that the non-wildcard parts are identical
+ if pattern[wildcard_end..] != hostname[hostname_label_end..] {
+ return Some(false);
+ }
- let wildcard_prefix = &pattern[..wildcard_location];
- let wildcard_suffix = &pattern[wildcard_location + 1..wildcard_end];
+ let wildcard_prefix = &pattern[..wildcard_location];
+ let wildcard_suffix = &pattern[wildcard_location + 1..wildcard_end];
- let hostname_label = &hostname[..hostname_label_end];
+ let hostname_label = &hostname[..hostname_label_end];
- // check the prefix of the first label
- if !hostname_label.starts_with(wildcard_prefix) {
- return Some(false);
- }
+ // check the prefix of the first label
+ if !hostname_label.starts_with(wildcard_prefix) {
+ return Some(false);
+ }
- // and the suffix
- if !hostname_label[wildcard_prefix.len()..].ends_with(wildcard_suffix) {
- return Some(false);
- }
+ // and the suffix
+ if !hostname_label[wildcard_prefix.len()..].ends_with(wildcard_suffix) {
+ return Some(false);
+ }
- Some(true)
- }
+ Some(true)
+ }
- fn matches_ip(expected: &IpAddr, actual: &[u8]) -> bool {
- match *expected {
- IpAddr::V4(ref addr) => actual == addr.octets(),
- IpAddr::V6(ref addr) => actual == addr.octets(),
+ fn matches_ip(expected: &IpAddr, actual: &[u8]) -> bool {
+ match *expected {
+ IpAddr::V4(ref addr) => actual == addr.octets(),
+ IpAddr::V6(ref addr) => actual == addr.octets(),
+ }
+ }
}
}
}
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index adec060c..ce9c4b1d 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -78,7 +78,7 @@ use std::str;
use std::sync::{Arc, Mutex};
use dh::{Dh, DhRef};
-#[cfg(any(ossl101, ossl102))]
+#[cfg(all(ossl101, not(ossl110)))]
use ec::EcKey;
use ec::EcKeyRef;
use error::ErrorStack;
@@ -91,10 +91,10 @@ use ssl::bio::BioMethod;
use ssl::callbacks::*;
use ssl::error::InnerError;
use stack::{Stack, StackRef};
-#[cfg(any(ossl102, ossl110))]
+#[cfg(ossl102)]
use x509::store::X509Store;
use x509::store::{X509StoreBuilderRef, X509StoreRef};
-#[cfg(any(ossl102, ossl110))]
+#[cfg(any(ossl102, libressl261))]
use x509::verify::X509VerifyParamRef;
use x509::{X509, X509Name, X509Ref, X509StoreContextRef, X509VerifyResult};
use {cvt, cvt_n, cvt_p, init};
@@ -284,7 +284,7 @@ impl SslMethod {
/// This corresponds to `TLS_method` on OpenSSL 1.1.0 and `SSLv23_method`
/// on OpenSSL 1.0.x.
pub fn tls() -> SslMethod {
- SslMethod(compat::tls_method())
+ unsafe { SslMethod(TLS_method()) }
}
/// Support all versions of the DTLS protocol.
@@ -292,7 +292,7 @@ impl SslMethod {
/// This corresponds to `DTLS_method` on OpenSSL 1.1.0 and `DTLSv1_method`
/// on OpenSSL 1.0.x.
pub fn dtls() -> SslMethod {
- SslMethod(compat::dtls_method())
+ unsafe { SslMethod(DTLS_method()) }
}
/// Constructs an `SslMethod` from a pointer to the underlying OpenSSL value.
@@ -767,7 +767,7 @@ impl SslContextBuilder {
/// Requires OpenSSL 1.0.1 or 1.0.2.
///
/// This corresponds to `SSL_CTX_set_tmp_ecdh_callback`.
- #[cfg(any(ossl101, ossl102))]
+ #[cfg(all(ossl101, not(ossl110)))]
pub fn set_tmp_ecdh_callback<F>(&mut self, callback: F)
where
F: Fn(&mut SslRef, bool, u32) -> Result<EcKey<Params>, ErrorStack> + 'static + Sync + Send,
@@ -976,7 +976,7 @@ impl SslContextBuilder {
/// This corresponds to [`SSL_CTX_set_ecdh_auto`].
///
/// [`SSL_CTX_set_ecdh_auto`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_ecdh_auto.html
- #[cfg(any(ossl102, libressl))]
+ #[cfg(any(libressl, all(ossl102, not(ossl110))))]
pub fn set_ecdh_auto(&mut self, onoff: bool) -> Result<(), ErrorStack> {
unsafe { cvt(ffi::SSL_CTX_set_ecdh_auto(self.as_ptr(), onoff as c_int)).map(|_| ()) }
}
@@ -992,7 +992,7 @@ impl SslContextBuilder {
///
/// [`SSL_CTX_set_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
pub fn set_options(&mut self, option: SslOptions) -> SslOptions {
- let bits = unsafe { compat::SSL_CTX_set_options(self.as_ptr(), option.bits()) };
+ let bits = unsafe { ffi::SSL_CTX_set_options(self.as_ptr(), option.bits()) };
SslOptions { bits }
}
@@ -1002,7 +1002,7 @@ impl SslContextBuilder {
///
/// [`SSL_CTX_get_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
pub fn options(&self) -> SslOptions {
- let bits = unsafe { compat::SSL_CTX_get_options(self.as_ptr()) };
+ let bits = unsafe { ffi::SSL_CTX_get_options(self.as_ptr()) };
SslOptions { bits }
}
@@ -1012,7 +1012,7 @@ impl SslContextBuilder {
///
/// [`SSL_CTX_clear_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
pub fn clear_options(&mut self, option: SslOptions) -> SslOptions {
- let bits = unsafe { compat::SSL_CTX_clear_options(self.as_ptr(), option.bits()) };
+ let bits = unsafe { ffi::SSL_CTX_clear_options(self.as_ptr(), option.bits()) };
SslOptions { bits }
}
@@ -1514,7 +1514,7 @@ foreign_type_and_impl_send_sync! {
impl Clone for SslContext {
fn clone(&self) -> Self {
unsafe {
- compat::SSL_CTX_up_ref(self.as_ptr());
+ SSL_CTX_up_ref(self.as_ptr());
SslContext::from_ptr(self.as_ptr())
}
}
@@ -1547,7 +1547,7 @@ impl SslContext {
{
unsafe {
ffi::init();
- let idx = cvt_n(compat::get_new_idx(free_data_box::<T>))?;
+ let idx = cvt_n(get_new_idx(free_data_box::<T>))?;
Ok(Index::from_raw(idx))
}
}
@@ -1833,7 +1833,7 @@ impl ToOwned for SslSessionRef {
fn to_owned(&self) -> SslSession {
unsafe {
- compat::SSL_SESSION_up_ref(self.as_ptr());
+ SSL_SESSION_up_ref(self.as_ptr());
SslSession(self.as_ptr())
}
}
@@ -1859,7 +1859,7 @@ impl SslSessionRef {
///
/// [`SSL_SESSION_get_master_key`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_SESSION_get_master_key.html
pub fn master_key_len(&self) -> usize {
- unsafe { compat::SSL_SESSION_get_master_key(self.as_ptr(), ptr::null_mut(), 0) }
+ unsafe { SSL_SESSION_get_master_key(self.as_ptr(), ptr::null_mut(), 0) }
}
/// Copies the master key into the provided buffer.
@@ -1870,7 +1870,7 @@ impl SslSessionRef {
///
/// [`SSL_SESSION_get_master_key`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_SESSION_get_master_key.html
pub fn master_key(&self, buf: &mut [u8]) -> usize {
- unsafe { compat::SSL_SESSION_get_master_key(self.as_ptr(), buf.as_mut_ptr(), buf.len()) }
+ unsafe { SSL_SESSION_get_master_key(self.as_ptr(), buf.as_mut_ptr(), buf.len()) }
}
to_der! {
@@ -1926,7 +1926,7 @@ impl Ssl {
{
unsafe {
ffi::init();
- let idx = cvt_n(compat::get_new_ssl_idx(free_data_box::<T>))?;
+ let idx = cvt_n(get_new_ssl_idx(free_data_box::<T>))?;
Ok(Index::from_raw(idx))
}
}
@@ -2091,7 +2091,7 @@ impl SslRef {
/// This corresponds to `SSL_set_tmp_ecdh_callback`.
///
/// [`SslContextBuilder::set_tmp_ecdh_callback`]: struct.SslContextBuilder.html#method.set_tmp_ecdh_callback
- #[cfg(any(ossl101, ossl102))]
+ #[cfg(any(all(ossl101, not(ossl110))))]
pub fn set_tmp_ecdh_callback<F>(&mut self, callback: F)
where
F: Fn(&mut SslRef, bool, u32) -> Result<EcKey<Params>, ErrorStack> + 'static + Sync + Send,
@@ -2111,7 +2111,7 @@ impl SslRef {
///
/// [`SslContextBuilder::set_tmp_ecdh`]: struct.SslContextBuilder.html#method.set_tmp_ecdh
/// [`SSL_set_ecdh_auto`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_set_ecdh_auto.html
- #[cfg(ossl102)]
+ #[cfg(all(ossl102, not(ossl110)))]
pub fn set_ecdh_auto(&mut self, onoff: bool) -> Result<(), ErrorStack> {
unsafe { cvt(ffi::SSL_set_ecdh_auto(self.as_ptr(), onoff as c_int)).map(|_| ()) }
}
@@ -2363,7 +2363,7 @@ impl SslRef {
/// This corresponds to [`SSL_get0_param`].
///
/// [`SSL_get0_param`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_get0_param.html
- #[cfg(any(ossl102, ossl110))]
+ #[cfg(any(ossl102, libressl261))]
pub fn param_mut(&mut self) -> &mut X509VerifyParamRef {
unsafe { X509VerifyParamRef::from_ptr_mut(ffi::SSL_get0_param(self.as_ptr())) }
}
@@ -2541,7 +2541,7 @@ impl SslRef {
///
/// [`SSL_is_server`]: https://www.openssl.org/docs/manmaster/man3/SSL_is_server.html
pub fn is_server(&self) -> bool {
- unsafe { compat::SSL_is_server(self.as_ptr()) != 0 }
+ unsafe { SSL_is_server(self.as_ptr()) != 0 }
}
/// Sets the extra data at the specified index.
@@ -2987,133 +2987,88 @@ pub enum ShutdownResult {
Received,
}
-#[cfg(ossl110)]
-mod compat {
- use std::ptr;
-
- use ffi;
- use libc::c_int;
-
- pub use ffi::{
- SSL_CTX_clear_options, SSL_CTX_get_options, SSL_CTX_set_options, SSL_CTX_up_ref,
- SSL_SESSION_get_master_key, SSL_SESSION_up_ref, SSL_is_server,
- };
-
- pub unsafe fn get_new_idx(f: ffi::CRYPTO_EX_free) -> c_int {
- ffi::CRYPTO_get_ex_new_index(
- ffi::CRYPTO_EX_INDEX_SSL_CTX,
- 0,
- ptr::null_mut(),
- None,
- None,
- Some(f),
- )
- }
-
- pub unsafe fn get_new_ssl_idx(f: ffi::CRYPTO_EX_free) -> c_int {
- ffi::CRYPTO_get_ex_new_index(
- ffi::CRYPTO_EX_INDEX_SSL,
- 0,
- ptr::null_mut(),
- None,
- None,
- Some(f),
- )
- }
-
- pub fn tls_method() -> *const ffi::SSL_METHOD {
- unsafe { ffi::TLS_method() }
- }
-
- pub fn dtls_method() -> *const ffi::SSL_METHOD {
- unsafe { ffi::DTLS_method() }
- }
-}
-
-#[cfg(ossl10x)]
-#[allow(bad_style)]
-mod compat {
- use std::ptr;
-
- use ffi;
- use libc::{self, c_int, c_long, c_uchar, c_ulong, size_t};
-
- pub unsafe fn SSL_CTX_get_options(ctx: *const ffi::SSL_CTX) -> c_ulong {
- ffi::SSL_CTX_ctrl(ctx as *mut _, ffi::SSL_CTRL_OPTIONS, 0, ptr::null_mut()) as c_ulong
- }
-
- pub unsafe fn SSL_CTX_set_options(ctx: *const ffi::SSL_CTX, op: c_ulong) -> c_ulong {
- ffi::SSL_CTX_ctrl(
- ctx as *mut _,
- ffi::SSL_CTRL_OPTIONS,
- op as c_long,
- ptr::null_mut(),
- ) as c_ulong
- }
-
- pub unsafe fn SSL_CTX_clear_options(ctx: *const ffi::SSL_CTX, op: c_ulong) -> c_ulong {
- ffi::SSL_CTX_ctrl(
- ctx as *mut _,
- ffi::SSL_CTRL_CLEAR_OPTIONS,
- op as c_long,
- ptr::null_mut(),
- ) as c_ulong
- }
-
- pub unsafe fn get_new_idx(f: ffi::CRYPTO_EX_free) -> c_int {
- ffi::SSL_CTX_get_ex_new_index(0, ptr::null_mut(), None, None, Some(f))
- }
+cfg_if! {
+ if #[cfg(ossl110)] {
+ use ffi::{
+ SSL_CTX_up_ref,
+ SSL_SESSION_get_master_key, SSL_SESSION_up_ref, SSL_is_server, TLS_method, DTLS_method,
+ };
- pub unsafe fn get_new_ssl_idx(f: ffi::CRYPTO_EX_free) -> c_int {
- ffi::SSL_get_ex_new_index(0, ptr::null_mut(), None, None, Some(f))
- }
+ pub unsafe fn get_new_idx(f: ffi::CRYPTO_EX_free) -> c_int {
+ ffi::CRYPTO_get_ex_new_index(
+ ffi::CRYPTO_EX_INDEX_SSL_CTX,
+ 0,
+ ptr::null_mut(),
+ None,
+ None,
+ Some(f),
+ )
+ }
- pub unsafe fn SSL_CTX_up_ref(ssl: *mut ffi::SSL_CTX) -> libc::c_int {
- ffi::CRYPTO_add_lock(
- &mut (*ssl).references,
- 1,
- ffi::CRYPTO_LOCK_SSL_CTX,
- "mod.rs\0".as_ptr() as *const _,
- line!() as libc::c_int,
- );
- 0
- }
+ pub unsafe fn get_new_ssl_idx(f: ffi::CRYPTO_EX_free) -> c_int {
+ ffi::CRYPTO_get_ex_new_index(
+ ffi::CRYPTO_EX_INDEX_SSL,
+ 0,
+ ptr::null_mut(),
+ None,
+ None,
+ Some(f),
+ )
+ }
+ } else {
+ use ffi::{SSLv23_method as TLS_method, DTLSv1_method as DTLS_method};
- pub unsafe fn SSL_SESSION_get_master_key(
- session: *const ffi::SSL_SESSION,
- out: *mut c_uchar,
- mut outlen: size_t,
- ) -> size_t {
- if outlen == 0 {
- return (*session).master_key_length as size_t;
+ pub unsafe fn get_new_idx(f: ffi::CRYPTO_EX_free) -> c_int {
+ ffi::SSL_CTX_get_ex_new_index(0, ptr::null_mut(), None, None, Some(f))
}
- if outlen > (*session).master_key_length as size_t {
- outlen = (*session).master_key_length as size_t;
+
+ pub unsafe fn get_new_ssl_idx(f: ffi::CRYPTO_EX_free) -> c_int {
+ ffi::SSL_get_ex_new_index(0, ptr::null_mut(), None, None, Some(f))
}
- ptr::copy_nonoverlapping((*session).master_key.as_ptr(), out, outlen);
- outlen
- }
- pub fn tls_method() -> *const ffi::SSL_METHOD {
- unsafe { ffi::SSLv23_method() }
- }
+ #[allow(bad_style)]
+ pub unsafe fn SSL_CTX_up_ref(ssl: *mut ffi::SSL_CTX) -> c_int {
+ ffi::CRYPTO_add_lock(
+ &mut (*ssl).references,
+ 1,
+ ffi::CRYPTO_LOCK_SSL_CTX,
+ "mod.rs\0".as_ptr() as *const _,
+ line!() as c_int,
+ );
+ 0
+ }
- pub fn dtls_method() -> *const ffi::SSL_METHOD {
- unsafe { ffi::DTLSv1_method() }
- }
+ #[allow(bad_style)]
+ pub unsafe fn SSL_SESSION_get_master_key(
+ session: *const ffi::SSL_SESSION,
+ out: *mut c_uchar,
+ mut outlen: usize,
+ ) -> usize {
+ if outlen == 0 {
+ return (*session).master_key_length as usize;
+ }
+ if outlen > (*session).master_key_length as usize {
+ outlen = (*session).master_key_length as usize;
+ }
+ ptr::copy_nonoverlapping((*session).master_key.as_ptr(), out, outlen);
+ outlen
+ }
- pub unsafe fn SSL_is_server(s: *mut ffi::SSL) -> c_int {
- (*s).server
- }
+ #[allow(bad_style)]
+ pub unsafe fn SSL_is_server(s: *mut ffi::SSL) -> c_int {
+ (*s).server
+ }
- pub unsafe fn SSL_SESSION_up_ref(ses: *mut ffi::SSL_SESSION) -> c_int {
- ffi::CRYPTO_add_lock(
- &mut (*ses).references,
- 1,
- ffi::CRYPTO_LOCK_SSL_CTX,
- "mod.rs\0".as_ptr() as *const _,
- line!() as libc::c_int,
- );
- 0
+ #[allow(bad_style)]
+ pub unsafe fn SSL_SESSION_up_ref(ses: *mut ffi::SSL_SESSION) -> c_int {
+ ffi::CRYPTO_add_lock(
+ &mut (*ses).references,
+ 1,
+ ffi::CRYPTO_LOCK_SSL_CTX,
+ "mod.rs\0".as_ptr() as *const _,
+ line!() as c_int,
+ );
+ 0
+ }
}
}
diff --git a/openssl/src/ssl/test.rs b/openssl/src/ssl/test.rs
index b90199f0..f2dc4a65 100644
--- a/openssl/src/ssl/test.rs
+++ b/openssl/src/ssl/test.rs
@@ -1063,7 +1063,7 @@ fn tmp_dh_callback() {
}
#[test]
-#[cfg(any(all(ossl101, not(libressl)), ossl102))]
+#[cfg(all(ossl101, not(ossl110)))]
fn tmp_ecdh_callback() {
use ec::EcKey;
use nid::Nid;
@@ -1137,7 +1137,7 @@ fn tmp_dh_callback_ssl() {
}
#[test]
-#[cfg(any(all(ossl101, not(libressl)), ossl102))]
+#[cfg(all(ossl101, not(ossl110)))]
fn tmp_ecdh_callback_ssl() {
use ec::EcKey;
use nid::Nid;
generated by cgit v1.2.3 (git 2.25.1) at 2026-04-17 02:34:39 +0000