Support hostname verification

Closes #206

4 files changed, 100 insertions, 0 deletions

diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index 0bd3272b..a3c35f3a 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -22,6 +22,8 @@ use ffi;
 use init;
 use dh::DH;
 use x509::{X509StoreContext, X509FileType, X509, X509Ref};
+#[cfg(feature = "openssl-110")]
+use x509::verify::X509VerifyParamRef;
 use crypto::pkey::PKey;
 use error::ErrorStack;
 
@@ -988,6 +990,16 @@ impl<'a> SslRef<'a> {
             SslContextRef::from_ptr(ssl_ctx)
         }
     }
+
+    /// Returns the X509 verification configuration.
+    ///
+    /// Requires the `openssl-110` feature.
+    #[cfg(feature = "openssl-110")]
+    pub fn param(&mut self) -> X509VerifyParamRef<'a> {
+        unsafe {
+            X509VerifyParamRef::from_ptr(ffi::SSL_get0_param(self.as_ptr()))
+        }
+    }
 }
 
 pub struct Ssl(SslRef<'static>);
diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs
index f86895e5..6dba713f 100644
--- a/openssl/src/ssl/tests/mod.rs
+++ b/openssl/src/ssl/tests/mod.rs
@@ -21,9 +21,13 @@ use ssl::SslMethod::Tls;
 use ssl::{SslMethod, HandshakeError};
 use ssl::error::Error;
 use ssl::{SslContext, SslStream};
+#[cfg(feature = "openssl-110")]
+use ssl::IntoSsl;
 use x509::X509StoreContext;
 use x509::X509FileType;
 use x509::X509;
+#[cfg(feature = "openssl-110")]
+use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
 use crypto::pkey::PKey;
 
 use std::net::UdpSocket;
@@ -1042,3 +1046,43 @@ fn add_extra_chain_cert() {
     let mut ctx = SslContext::new(SslMethod::Tls).unwrap();
     ctx.add_extra_chain_cert(&cert).unwrap();
 }
+
+#[test]
+#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :(
+#[cfg(feature = "openssl-110")]
+fn valid_hostname() {
+    let mut ctx = SslContext::new(SslMethod::Tls).unwrap();
+    ctx.set_default_verify_paths().unwrap();
+    ctx.set_verify(SSL_VERIFY_PEER);
+
+    let mut ssl = ctx.into_ssl().unwrap();
+    ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+    ssl.param().set_host("google.com").unwrap();
+
+    let s = TcpStream::connect("google.com:443").unwrap();
+    let mut socket = SslStream::connect(ssl, s).unwrap();
+
+    socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
+    let mut result = vec![];
+    socket.read_to_end(&mut result).unwrap();
+
+    println!("{}", String::from_utf8_lossy(&result));
+    assert!(result.starts_with(b"HTTP/1.0"));
+    assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>"));
+}
+
+#[test]
+#[cfg_attr(windows, ignore)] // don't have a trusted CA list easily available :(
+#[cfg(feature = "openssl-110")]
+fn invalid_hostname() {
+    let mut ctx = SslContext::new(SslMethod::Tls).unwrap();
+    ctx.set_default_verify_paths().unwrap();
+    ctx.set_verify(SSL_VERIFY_PEER);
+
+    let mut ssl = ctx.into_ssl().unwrap();
+    ssl.param().set_hostflags(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+    ssl.param().set_host("foobar.com").unwrap();
+
+    let s = TcpStream::connect("google.com:443").unwrap();
+    assert!(SslStream::connect(ssl, s).is_err());
+}
diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index 086342dd..5b65e866 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -38,6 +38,9 @@ use ffi::{
 
 pub mod extension;
 
+#[cfg(feature = "openssl-110")]
+pub mod verify;
+
 use self::extension::{ExtensionType, Extension};
 
 #[cfg(test)]
diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs
new file mode 100644
index 00000000..683836e8
--- /dev/null
+++ b/openssl/src/x509/verify.rs
@@ -0,0 +1,41 @@
+use std::marker::PhantomData;
+use libc::c_uint;
+use ffi;
+
+use error::ErrorStack;
+
+bitflags! {
+    pub flags X509CheckFlags: c_uint {
+        const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT,
+        const X509_CHECK_FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS,
+        const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
+        const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS,
+        const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+            = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
+        const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT,
+    }
+}
+
+pub struct X509VerifyParamRef<'a>(*mut ffi::X509_VERIFY_PARAM, PhantomData<&'a mut ()>);
+
+impl<'a> X509VerifyParamRef<'a> {
+    pub unsafe fn from_ptr(ptr: *mut ffi::X509_VERIFY_PARAM) -> X509VerifyParamRef<'a> {
+        X509VerifyParamRef(ptr, PhantomData)
+    }
+
+    pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) {
+        unsafe {
+            ffi::X509_VERIFY_PARAM_set_hostflags(self.0, hostflags.bits);
+        }
+    }
+
+    pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> {
+        unsafe {
+            try_ssl!(ffi::X509_VERIFY_PARAM_set1_host(self.0,
+                                                      host.as_ptr() as *const _,
+                                                      host.len()))
+        }
+
+        Ok(())
+    }
+}