diff options
| author | Steven Fackler <[email protected]> | 2016-10-14 19:07:33 -0700 |
|---|---|---|
| committer | GitHub <[email protected]> | 2016-10-14 19:07:33 -0700 |
| commit | ed076de2ca00e678a9586c8021b86a2bbe1bff0f (patch) | |
| tree | 7aa7dd167c34fe0c3356e3231c358c4facdf392a /openssl/src/ssl | |
| parent | Merge pull request #468 from sfackler/no-link-name (diff) | |
| parent | Enable hostname verification on 1.0.2 (diff) | |
| download | rust-openssl-ed076de2ca00e678a9586c8021b86a2bbe1bff0f.tar.xz rust-openssl-ed076de2ca00e678a9586c8021b86a2bbe1bff0f.zip | |
Merge pull request #469 from sfackler/hostname
Support hostname verification
Diffstat (limited to 'openssl/src/ssl')
| -rw-r--r-- | openssl/src/ssl/mod.rs | 12 | ||||
| -rw-r--r-- | openssl/src/ssl/tests/mod.rs | 44 |
2 files changed, 56 insertions, 0 deletions
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 0bd3272b..b042d81e 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -22,6 +22,8 @@ use ffi; use init; use dh::DH; use x509::{X509StoreContext, X509FileType, X509, X509Ref}; +#[cfg(feature = "openssl-102")] +use x509::verify::X509VerifyParamRef; use crypto::pkey::PKey; use error::ErrorStack; @@ -988,6 +990,16 @@ impl<'a> SslRef<'a> { SslContextRef::from_ptr(ssl_ctx) } } + + /// Returns the X509 verification configuration. + /// + /// Requires the `openssl-102` feature. + #[cfg(feature = "openssl-102")] + pub fn param(&mut self) -> X509VerifyParamRef<'a> { + unsafe { + X509VerifyParamRef::from_ptr(ffi::SSL_get0_param(self.as_ptr())) + } + } } pub struct Ssl(SslRef<'static>); diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index f86895e5..b3500105 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -21,9 +21,13 @@ use ssl::SslMethod::Tls; use ssl::{SslMethod, HandshakeError}; use ssl::error::Error; use ssl::{SslContext, SslStream}; +#[cfg(feature = "openssl-102")] +use ssl::IntoSsl; use x509::X509StoreContext; use x509::X509FileType; use x509::X509; +#[cfg(feature = "openssl-102")] +use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; use crypto::pkey::PKey; use std::net::UdpSocket; @@ -1042,3 +1046,43 @@ fn add_extra_chain_cert() { let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); ctx.add_extra_chain_cert(&cert).unwrap(); } + +#[test] +#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :( +#[cfg(feature = "openssl-102")] +fn valid_hostname() { + let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); + ctx.set_default_verify_paths().unwrap(); + ctx.set_verify(SSL_VERIFY_PEER); + + let mut ssl = ctx.into_ssl().unwrap(); + ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + ssl.param().set_host("google.com").unwrap(); + + let s = TcpStream::connect("google.com:443").unwrap(); + let mut socket = SslStream::connect(ssl, s).unwrap(); + + socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap(); + let mut result = vec![]; + socket.read_to_end(&mut result).unwrap(); + + println!("{}", String::from_utf8_lossy(&result)); + assert!(result.starts_with(b"HTTP/1.0")); + assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>")); +} + +#[test] +#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :( +#[cfg(feature = "openssl-102")] +fn invalid_hostname() { + let mut ctx = SslContext::new(SslMethod::Tls).unwrap(); + ctx.set_default_verify_paths().unwrap(); + ctx.set_verify(SSL_VERIFY_PEER); + + let mut ssl = ctx.into_ssl().unwrap(); + ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + ssl.param().set_host("foobar.com").unwrap(); + + let s = TcpStream::connect("google.com:443").unwrap(); + assert!(SslStream::connect(ssl, s).is_err()); +} |