diff options
| author | Steven Fackler <[email protected]> | 2016-10-14 17:39:31 -0700 |
|---|---|---|
| committer | Steven Fackler <[email protected]> | 2016-10-14 17:39:31 -0700 |
| commit | af51b263b17faaa3e7cb0ecc5c305b858faea64c (patch) | |
| tree | f575e98381860f043f0835564b8de6b4ad342fdd /openssl/src/ssl | |
| parent | Merge pull request #468 from sfackler/no-link-name (diff) | |
| download | rust-openssl-af51b263b17faaa3e7cb0ecc5c305b858faea64c.tar.xz rust-openssl-af51b263b17faaa3e7cb0ecc5c305b858faea64c.zip | |
Support hostname verification
Closes #206
Diffstat (limited to 'openssl/src/ssl')
| -rw-r--r-- | openssl/src/ssl/mod.rs | 12 | ||||
| -rw-r--r-- | openssl/src/ssl/tests/mod.rs | 44 |
2 files changed, 56 insertions, 0 deletions
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 0bd3272b..a3c35f3a 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -22,6 +22,8 @@ use ffi; use init; use dh::DH; use x509::{X509StoreContext, X509FileType, X509, X509Ref}; +#[cfg(feature = "openssl-110")] +use x509::verify::X509VerifyParamRef; use crypto::pkey::PKey; use error::ErrorStack; @@ -988,6 +990,16 @@ impl<'a> SslRef<'a> { SslContextRef::from_ptr(ssl_ctx) } } + + /// Returns the X509 verification configuration. + /// + /// Requires the `openssl-110` feature. + #[cfg(feature = "openssl-110")] + pub fn param(&mut self) -> X509VerifyParamRef<'a> { + unsafe { + X509VerifyParamRef::from_ptr(ffi::SSL_get0_param(self.as_ptr())) + } + } } pub struct Ssl(SslRef<'static>); diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index f86895e5..6dba713f 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -21,9 +21,13 @@ use ssl::SslMethod::Tls; use ssl::{SslMethod, HandshakeError}; use ssl::error::Error; use ssl::{SslContext, SslStream}; +#[cfg(feature = "openssl-110")] +use ssl::IntoSsl; use x509::X509StoreContext; use x509::X509FileType; use x509::X509; +#[cfg(feature = "openssl-110")] +use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; use crypto::pkey::PKey; use std::net::UdpSocket; @@ -1042,3 +1046,43 @@ fn add_extra_chain_cert() { let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); ctx.add_extra_chain_cert(&cert).unwrap(); } + +#[test] +#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :( +#[cfg(feature = "openssl-110")] +fn valid_hostname() { + let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); + ctx.set_default_verify_paths().unwrap(); + ctx.set_verify(SSL_VERIFY_PEER); + + let mut ssl = ctx.into_ssl().unwrap(); + ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + ssl.param().set_host("google.com").unwrap(); + + let s = TcpStream::connect("google.com:443").unwrap(); + let mut socket = SslStream::connect(ssl, s).unwrap(); + + socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap(); + let mut result = vec![]; + socket.read_to_end(&mut result).unwrap(); + + println!("{}", String::from_utf8_lossy(&result)); + assert!(result.starts_with(b"HTTP/1.0")); + assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>")); +} + +#[test] +#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :( +#[cfg(feature = "openssl-110")] +fn invalid_hostname() { + let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); + ctx.set_default_verify_paths().unwrap(); + ctx.set_verify(SSL_VERIFY_PEER); + + let mut ssl = ctx.into_ssl().unwrap(); + ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + ssl.param().set_host("foobar.com").unwrap(); + + let s = TcpStream::connect("google.com:443").unwrap(); + assert!(SslStream::connect(ssl, s).is_err()); +} |