diff options
| author | Chris Cole <[email protected]> | 2014-11-29 19:47:09 -0500 |
|---|---|---|
| committer | Chris Cole <[email protected]> | 2014-11-29 19:47:09 -0500 |
| commit | 5f76f1cb62c70af4bbf064ea5c27c69544f04cea (patch) | |
| tree | 6c90d43f6bfdf1b2b83094c1bfc559bfbdecf554 /src/ssl | |
| parent | Added mod_mul. (diff) | |
| parent | Make SslStream Cloneable (diff) | |
| download | rust-openssl-5f76f1cb62c70af4bbf064ea5c27c69544f04cea.tar.xz rust-openssl-5f76f1cb62c70af4bbf064ea5c27c69544f04cea.zip | |
Merge remote-tracking branch 'upstream/master'
Conflicts:
src/bn/mod.rs
Diffstat (limited to 'src/ssl')
| -rw-r--r-- | src/ssl/error.rs | 78 | ||||
| -rwxr-xr-x | src/ssl/ffi.rs | 192 | ||||
| -rw-r--r-- | src/ssl/mod.rs | 526 | ||||
| -rw-r--r-- | src/ssl/tests.rs | 104 |
4 files changed, 386 insertions, 514 deletions
diff --git a/src/ssl/error.rs b/src/ssl/error.rs index 9af14dd9..7e8daef1 100644 --- a/src/ssl/error.rs +++ b/src/ssl/error.rs @@ -1,12 +1,17 @@ +pub use self::SslError::*; +pub use self::OpensslError::*; + use libc::c_ulong; +use std::error; use std::io::IoError; +use std::c_str::CString; -use ssl::ffi; +use ffi; /// An SSL error #[deriving(Show, Clone, PartialEq, Eq)] pub enum SslError { - /// The underlying stream has reported an error + /// The underlying stream reported an error StreamError(IoError), /// The SSL session has been closed by the other end SslSessionClosed, @@ -14,30 +19,47 @@ pub enum SslError { OpenSslErrors(Vec<OpensslError>) } +impl error::Error for SslError { + fn description(&self) -> &str { + match *self { + StreamError(_) => "The underlying stream reported an error", + SslSessionClosed => "The SSL session has been closed by the other end", + OpenSslErrors(_) => "An error in the OpenSSL library", + } + } + + fn cause(&self) -> Option<&error::Error> { + match *self { + StreamError(ref err) => Some(err as &error::Error), + _ => None + } + } +} + /// An error from the OpenSSL library #[deriving(Show, Clone, PartialEq, Eq)] pub enum OpensslError { /// An unknown error UnknownError { /// The library reporting the error - library: u8, + library: String, /// The function reporting the error - function: u16, + function: String, /// The reason for the error - reason: u16 + reason: String } } -fn get_lib(err: c_ulong) -> u8 { - ((err >> 24) & 0xff) as u8 +fn get_lib(err: c_ulong) -> String { + unsafe { CString::new(ffi::ERR_lib_error_string(err), false) }.to_string() } -fn get_func(err: c_ulong) -> u16 { - ((err >> 12) & 0xfff) as u16 +fn get_func(err: c_ulong) -> String { + unsafe { CString::new(ffi::ERR_func_error_string(err), false).to_string() } } -fn get_reason(err: c_ulong) -> u16 { - (err & 0xfff) as u16 +fn get_reason(err: c_ulong) -> String { + unsafe { CString::new(ffi::ERR_reason_error_string(err), false).to_string() } } impl SslError { @@ -48,13 +70,37 @@ impl SslError { loop { match unsafe { ffi::ERR_get_error() } { 0 => break, - err => errs.push(UnknownError { - library: get_lib(err), - function: get_func(err), - reason: get_reason(err) - }) + err => errs.push(SslError::from_error_code(err)) } } OpenSslErrors(errs) } + + /// Creates an `SslError` from the raw numeric error code. + pub fn from_error(err: c_ulong) -> SslError { + OpenSslErrors(vec![SslError::from_error_code(err)]) + } + + fn from_error_code(err: c_ulong) -> OpensslError { + ffi::init(); + UnknownError { + library: get_lib(err), + function: get_func(err), + reason: get_reason(err) + } + } +} + +#[test] +fn test_uknown_error_should_have_correct_messages() { + let errs = match SslError::from_error(336032784) { + OpenSslErrors(errs) => errs, + _ => panic!("This should always be an `OpenSslErrors` variant.") + }; + + let UnknownError { ref library, ref function, ref reason } = errs[0]; + + assert_eq!(library.as_slice(),"SSL routines"); + assert_eq!(function.as_slice(), "SSL23_GET_SERVER_HELLO"); + assert_eq!(reason.as_slice(), "sslv3 alert handshake failure"); } diff --git a/src/ssl/ffi.rs b/src/ssl/ffi.rs deleted file mode 100755 index a40af35e..00000000 --- a/src/ssl/ffi.rs +++ /dev/null @@ -1,192 +0,0 @@ -#![allow(non_camel_case_types)] - -use libc::{c_int, c_void, c_long, c_ulong, c_char, c_uint}; -use crypto::hash::{EVP_MD}; - -pub type SSL_CTX = c_void; -pub type SSL_METHOD = c_void; -pub type COMP_METHOD = c_void; -pub type SSL = c_void; -pub type BIO = c_void; -pub type BIO_METHOD = c_void; -pub type X509_STORE_CTX = c_void; -pub type X509 = c_void; -pub type X509_NAME = c_void; -pub type CRYPTO_EX_DATA = c_void; - -pub type CRYPTO_EX_new = extern "C" fn(parent: *mut c_void, ptr: *mut c_void, - ad: *const CRYPTO_EX_DATA, idx: c_int, - argl: c_long, argp: *const c_void) -> c_int; -pub type CRYPTO_EX_dup = extern "C" fn(to: *mut CRYPTO_EX_DATA, - from: *mut CRYPTO_EX_DATA, from_d: *mut c_void, - idx: c_int, argl: c_long, argp: *mut c_void) - -> c_int; -pub type CRYPTO_EX_free = extern "C" fn(parent: *mut c_void, ptr: *mut c_void, - ad: *mut CRYPTO_EX_DATA, idx: c_int, - argl: c_long, argp: *mut c_void); - -pub static CRYPTO_LOCK: c_int = 1; - -pub static SSL_ERROR_NONE: c_int = 0; -pub static SSL_ERROR_SSL: c_int = 1; -pub static SSL_ERROR_WANT_READ: c_int = 2; -pub static SSL_ERROR_WANT_WRITE: c_int = 3; -pub static SSL_ERROR_WANT_X509_LOOKUP: c_int = 4; -pub static SSL_ERROR_SYSCALL: c_int = 5; -pub static SSL_ERROR_ZERO_RETURN: c_int = 6; -pub static SSL_ERROR_WANT_CONNECT: c_int = 7; -pub static SSL_ERROR_WANT_ACCEPT: c_int = 8; - -pub static SSL_VERIFY_NONE: c_int = 0; -pub static SSL_VERIFY_PEER: c_int = 1; - -pub static SSL_CTRL_SET_TLSEXT_HOSTNAME: c_int = 55; - -pub static TLSEXT_NAMETYPE_host_name: c_long = 0; - -pub static X509_V_OK: c_int = 0; -pub static X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: c_int = 2; -pub static X509_V_ERR_UNABLE_TO_GET_CRL: c_int = 3; -pub static X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: c_int = 4; -pub static X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: c_int = 5; -pub static X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: c_int = 6; -pub static X509_V_ERR_CERT_SIGNATURE_FAILURE: c_int = 7; -pub static X509_V_ERR_CRL_SIGNATURE_FAILURE: c_int = 8; -pub static X509_V_ERR_CERT_NOT_YET_VALID: c_int = 9; -pub static X509_V_ERR_CERT_HAS_EXPIRED: c_int = 10; -pub static X509_V_ERR_CRL_NOT_YET_VALID: c_int = 11; -pub static X509_V_ERR_CRL_HAS_EXPIRED: c_int = 12; -pub static X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: c_int = 13; -pub static X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: c_int = 14; -pub static X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: c_int = 15; -pub static X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: c_int = 16; -pub static X509_V_ERR_OUT_OF_MEM: c_int = 17; -pub static X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: c_int = 18; -pub static X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: c_int = 19; -pub static X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: c_int = 20; -pub static X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: c_int = 21; -pub static X509_V_ERR_CERT_CHAIN_TOO_LONG: c_int = 22; -pub static X509_V_ERR_CERT_REVOKED: c_int = 23; -pub static X509_V_ERR_INVALID_CA: c_int = 24; -pub static X509_V_ERR_PATH_LENGTH_EXCEEDED: c_int = 25; -pub static X509_V_ERR_INVALID_PURPOSE: c_int = 26; -pub static X509_V_ERR_CERT_UNTRUSTED: c_int = 27; -pub static X509_V_ERR_CERT_REJECTED: c_int = 28; -pub static X509_V_ERR_SUBJECT_ISSUER_MISMATCH: c_int = 29; -pub static X509_V_ERR_AKID_SKID_MISMATCH: c_int = 30; -pub static X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: c_int = 31; -pub static X509_V_ERR_KEYUSAGE_NO_CERTSIGN: c_int = 32; -pub static X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: c_int = 33; -pub static X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: c_int = 34; -pub static X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: c_int = 35; -pub static X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: c_int = 36; -pub static X509_V_ERR_INVALID_NON_CA: c_int = 37; -pub static X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: c_int = 38; -pub static X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: c_int = 39; -pub static X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: c_int = 40; -pub static X509_V_ERR_INVALID_EXTENSION: c_int = 41; -pub static X509_V_ERR_INVALID_POLICY_EXTENSION: c_int = 42; -pub static X509_V_ERR_NO_EXPLICIT_POLICY: c_int = 43; -pub static X509_V_ERR_DIFFERENT_CRL_SCOPE: c_int = 44; -pub static X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: c_int = 45; -pub static X509_V_ERR_UNNESTED_RESOURCE: c_int = 46; -pub static X509_V_ERR_PERMITTED_VIOLATION: c_int = 47; -pub static X509_V_ERR_EXCLUDED_VIOLATION: c_int = 48; -pub static X509_V_ERR_SUBTREE_MINMAX: c_int = 49; -pub static X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: c_int = 51; -pub static X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: c_int = 52; -pub static X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: c_int = 53; -pub static X509_V_ERR_CRL_PATH_VALIDATION_ERROR: c_int = 54; -pub static X509_V_ERR_APPLICATION_VERIFICATION: c_int = 50; - -pub static X509_FILETYPE_PEM: c_int = 1; -pub static X509_FILETYPE_ASN1: c_int = 2; -pub static X509_FILETYPE_DEFAULT: c_int = 3; - -#[cfg(target_os = "macos", feature = "tlsv1_1")] -#[cfg(target_os = "macos", feature = "tlsv1_2")] -#[link(name="ssl.1.0.0")] -#[link(name="crypto.1.0.0")] -extern {} - -#[cfg(not(target_os = "macos"))] -#[cfg(target_os = "macos", not(feature = "tlsv1_1"), not(feature = "tlsv1_2"))] -#[link(name="ssl")] -#[link(name="crypto")] -extern {} - -extern "C" { - pub fn CRYPTO_num_locks() -> c_int; - pub fn CRYPTO_set_locking_callback(func: extern "C" fn(mode: c_int, - n: c_int, - file: *const c_char, - line: c_int)); - - pub fn ERR_get_error() -> c_ulong; - - pub fn SSL_library_init() -> c_int; - - #[cfg(feature = "sslv2")] - pub fn SSLv2_method() -> *const SSL_METHOD; - pub fn SSLv3_method() -> *const SSL_METHOD; - pub fn TLSv1_method() -> *const SSL_METHOD; - #[cfg(feature = "tlsv1_1")] - pub fn TLSv1_1_method() -> *const SSL_METHOD; - #[cfg(feature = "tlsv1_2")] - pub fn TLSv1_2_method() -> *const SSL_METHOD; - pub fn SSLv23_method() -> *const SSL_METHOD; - - pub fn SSL_CTX_new(method: *const SSL_METHOD) -> *mut SSL_CTX; - pub fn SSL_CTX_free(ctx: *mut SSL_CTX); - pub fn SSL_CTX_set_verify(ctx: *mut SSL_CTX, mode: c_int, - verify_callback: Option<extern fn(c_int, *mut X509_STORE_CTX) -> c_int>); - pub fn SSL_CTX_load_verify_locations(ctx: *mut SSL_CTX, CAfile: *const c_char, - CApath: *const c_char) -> c_int; - pub fn SSL_CTX_get_ex_new_index(argl: c_long, argp: *const c_void, - new_func: Option<CRYPTO_EX_new>, - dup_func: Option<CRYPTO_EX_dup>, - free_func: Option<CRYPTO_EX_free>) - -> c_int; - pub fn SSL_CTX_set_ex_data(ctx: *mut SSL_CTX, idx: c_int, data: *mut c_void) - -> c_int; - pub fn SSL_CTX_get_ex_data(ctx: *mut SSL_CTX, idx: c_int) -> *mut c_void; - - pub fn SSL_CTX_use_certificate_file(ctx: *mut SSL_CTX, cert_file: *const c_char, file_type: c_int) -> c_int; - pub fn SSL_CTX_use_PrivateKey_file(ctx: *mut SSL_CTX, key_file: *const c_char, file_type: c_int) -> c_int; - - pub fn X509_STORE_CTX_get_ex_data(ctx: *mut X509_STORE_CTX, idx: c_int) - -> *mut c_void; - pub fn X509_STORE_CTX_get_current_cert(ct: *mut X509_STORE_CTX) -> *mut X509; - pub fn X509_STORE_CTX_get_error(ctx: *mut X509_STORE_CTX) -> c_int; - - pub fn X509_get_subject_name(x: *mut X509) -> *mut X509_NAME; - pub fn X509_digest(x: *mut X509, digest: *const EVP_MD, buf: *mut c_char, len: *mut c_uint) -> c_int; - - pub fn SSL_new(ctx: *mut SSL_CTX) -> *mut SSL; - pub fn SSL_free(ssl: *mut SSL); - pub fn SSL_set_bio(ssl: *mut SSL, rbio: *mut BIO, wbio: *mut BIO); - pub fn SSL_get_rbio(ssl: *mut SSL) -> *mut BIO; - pub fn SSL_get_wbio(ssl: *mut SSL) -> *mut BIO; - pub fn SSL_connect(ssl: *mut SSL) -> c_int; - pub fn SSL_ctrl(ssl: *mut SSL, cmd: c_int, larg: c_long, - parg: *mut c_void) -> c_long; - pub fn SSL_get_error(ssl: *mut SSL, ret: c_int) -> c_int; - pub fn SSL_read(ssl: *mut SSL, buf: *mut c_void, num: c_int) -> c_int; - pub fn SSL_write(ssl: *mut SSL, buf: *const c_void, num: c_int) -> c_int; - pub fn SSL_get_ex_data_X509_STORE_CTX_idx() -> c_int; - pub fn SSL_get_SSL_CTX(ssl: *mut SSL) -> *mut SSL_CTX; - pub fn SSL_get_current_compression(ssl: *mut SSL) -> *const COMP_METHOD; - - pub fn BIO_s_mem() -> *const BIO_METHOD; - pub fn BIO_new(type_: *const BIO_METHOD) -> *mut BIO; - pub fn BIO_free_all(a: *mut BIO); - pub fn BIO_read(b: *mut BIO, buf: *mut c_void, len: c_int) -> c_int; - pub fn BIO_write(b: *mut BIO, buf: *const c_void, len: c_int) -> c_int; - - pub fn SSL_COMP_get_name(comp: *const COMP_METHOD) -> *const c_char; -} - -#[cfg(target_os = "win32")] -#[link(name="gdi32")] -#[link(name="wsock32")] -extern { } diff --git a/src/ssl/mod.rs b/src/ssl/mod.rs index fc775a32..d29d633e 100644 --- a/src/ssl/mod.rs +++ b/src/ssl/mod.rs @@ -1,47 +1,31 @@ -use libc::{c_int, c_uint, c_void, c_char}; +use libc::{c_int, c_void, c_long}; use std::io::{IoResult, IoError, EndOfFile, Stream, Reader, Writer}; use std::mem; use std::ptr; -use std::rt::mutex::NativeMutex; -use std::string; -use sync::one::{Once, ONCE_INIT}; +use std::sync::{Once, ONCE_INIT, Arc}; -use crypto::hash::{HashType, evpmd}; +use bio::{MemBio}; +use ffi; use ssl::error::{SslError, SslSessionClosed, StreamError}; +use x509::{X509StoreContext, X509FileType, X509}; pub mod error; -mod ffi; #[cfg(test)] mod tests; static mut VERIFY_IDX: c_int = -1; -static mut MUTEXES: *mut Vec<NativeMutex> = 0 as *mut Vec<NativeMutex>; - -macro_rules! try_ssl( - ($e:expr) => ( - match $e { - Ok(ok) => ok, - Err(err) => return Err(StreamError(err)) - } - ) -) fn init() { static mut INIT: Once = ONCE_INIT; unsafe { INIT.doit(|| { - ffi::SSL_library_init(); + ffi::init(); + let verify_idx = ffi::SSL_CTX_get_ex_new_index(0, ptr::null(), None, None, None); assert!(verify_idx >= 0); VERIFY_IDX = verify_idx; - - let num_locks = ffi::CRYPTO_num_locks(); - let mutexes = box Vec::from_fn(num_locks as uint, |_| NativeMutex::new()); - MUTEXES = mem::transmute(mutexes); - - ffi::CRYPTO_set_locking_callback(locking_function); }); } } @@ -51,17 +35,19 @@ fn init() { #[allow(non_camel_case_types)] pub enum SslMethod { #[cfg(feature = "sslv2")] - /// Only support the SSLv2 protocol + /// Only support the SSLv2 protocol, requires `feature="sslv2"` Sslv2, + /// Support the SSLv2, SSLv3 and TLSv1 protocols + Sslv23, /// Only support the SSLv3 protocol Sslv3, /// Only support the TLSv1 protocol Tlsv1, - /// Support the SSLv2, SSLv3 and TLSv1 protocols - Sslv23, #[cfg(feature = "tlsv1_1")] + /// Support TLSv1.1 protocol, requires `feature="tlsv1_1"` Tlsv1_1, #[cfg(feature = "tlsv1_2")] + /// Support TLSv1.2 protocol, requires `feature="tlsv1_2"` Tlsv1_2, } @@ -69,14 +55,14 @@ impl SslMethod { unsafe fn to_raw(&self) -> *const ffi::SSL_METHOD { match *self { #[cfg(feature = "sslv2")] - Sslv2 => ffi::SSLv2_method(), - Sslv3 => ffi::SSLv3_method(), - Tlsv1 => ffi::TLSv1_method(), - Sslv23 => ffi::SSLv23_method(), + SslMethod::Sslv2 => ffi::SSLv2_method(), + SslMethod::Sslv3 => ffi::SSLv3_method(), + SslMethod::Tlsv1 => ffi::TLSv1_method(), + SslMethod::Sslv23 => ffi::SSLv23_method(), #[cfg(feature = "tlsv1_1")] - Tlsv1_1 => ffi::TLSv1_1_method(), + SslMethod::Tlsv1_1 => ffi::TLSv1_1_method(), #[cfg(feature = "tlsv1_2")] - Tlsv1_2 => ffi::TLSv1_2_method() + SslMethod::Tlsv1_2 => ffi::TLSv1_2_method() } } } @@ -90,16 +76,27 @@ pub enum SslVerifyMode { SslVerifyNone = ffi::SSL_VERIFY_NONE } -extern fn locking_function(mode: c_int, n: c_int, _file: *const c_char, - _line: c_int) { - unsafe { - let mutex = (*MUTEXES).get_mut(n as uint); +// Creates a static index for user data of type T +// Registers a destructor for the data which will be called +// when context is freed +fn get_verify_data_idx<T>() -> c_int { + static mut VERIFY_DATA_IDX: c_int = -1; + static mut INIT: Once = ONCE_INIT; - if mode & ffi::CRYPTO_LOCK != 0 { - mutex.lock_noguard(); - } else { - mutex.unlock_noguard(); - } + extern fn free_data_box<T>(_parent: *mut c_void, ptr: *mut c_void, + _ad: *mut ffi::CRYPTO_EX_DATA, _idx: c_int, + _argl: c_long, _argp: *mut c_void) { + let _: Box<T> = unsafe { mem::transmute(ptr) }; + } + + unsafe { + INIT.doit(|| { + let idx = ffi::SSL_CTX_get_ex_new_index(0, ptr::null(), None, + None, Some(free_data_box::<T>)); + assert!(idx >= 0); + VERIFY_DATA_IDX = idx; + }); + VERIFY_DATA_IDX } } @@ -112,7 +109,7 @@ extern fn raw_verify(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) let verify = ffi::SSL_CTX_get_ex_data(ssl_ctx, VERIFY_IDX); let verify: Option<VerifyCallback> = mem::transmute(verify); - let ctx = X509StoreContext { ctx: x509_ctx }; + let ctx = X509StoreContext::new(x509_ctx); match verify { None => preverify_ok, @@ -121,16 +118,44 @@ extern fn raw_verify(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) } } +extern fn raw_verify_with_data<T>(preverify_ok: c_int, + x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int { + unsafe { + let idx = ffi::SSL_get_ex_data_X509_STORE_CTX_idx(); + let ssl = ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx); + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); + + let verify = ffi::SSL_CTX_get_ex_data(ssl_ctx, VERIFY_IDX); + let verify: Option<VerifyCallbackData<T>> = mem::transmute(verify); + + let data = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_verify_data_idx::<T>()); + let data: Box<T> = mem::transmute(data); + + let ctx = X509StoreContext::new(x509_ctx); + + let res = match verify { + None => preverify_ok, + Some(verify) => verify(preverify_ok != 0, &ctx, &*data) as c_int + }; + + // Since data might be required on the next verification + // it is time to forget about it and avoid dropping + // data will be freed once OpenSSL considers it is time + // to free all context data + mem::forget(data); + res + } +} + /// The signature of functions that can be used to manually verify certificates pub type VerifyCallback = fn(preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool; -#[repr(i32)] -pub enum X509FileType { - PEM = ffi::X509_FILETYPE_PEM, - ASN1 = ffi::X509_FILETYPE_ASN1, - Default = ffi::X509_FILETYPE_DEFAULT -} +/// The signature of functions that can be used to manually verify certificates +/// when user-data should be carried for all verification process +pub type VerifyCallbackData<T> = fn(preverify_ok: bool, + x509_ctx: &X509StoreContext, + data: &T) -> bool; // FIXME: macro may be instead of inlining? #[inline] @@ -176,9 +201,33 @@ impl SslContext { } } + /// Configures the certificate verification method for new connections also + /// carrying supplied data. + // Note: no option because there is no point to set data without providing + // a function handling it + pub fn set_verify_with_data<T>(&mut self, mode: SslVerifyMode, + verify: VerifyCallbackData<T>, + data: T) { + let data = box data; + unsafe { + ffi::SSL_CTX_set_ex_data(self.ctx, VERIFY_IDX, + mem::transmute(Some(verify))); + ffi::SSL_CTX_set_ex_data(self.ctx, get_verify_data_idx::<T>(), + mem::transmute(data)); + ffi::SSL_CTX_set_verify(self.ctx, mode as c_int, Some(raw_verify_with_data::<T>)); + } + } + + /// Sets verification depth + pub fn set_verify_depth(&mut self, depth: uint) { + unsafe { + ffi::SSL_CTX_set_verify_depth(self.ctx, depth as c_int); + } + } + #[allow(non_snake_case)] /// Specifies the file that contains trusted CA certificates. - pub fn set_CA_file(&mut self, file: &str) -> Option<SslError> { + pub fn set_CA_file(&mut self, file: &Path) -> Option<SslError> { wrap_ssl_result(file.with_c_str(|file| { unsafe { ffi::SSL_CTX_load_verify_locations(self.ctx, file, ptr::null()) @@ -186,8 +235,8 @@ impl SslContext { })) } - /// Specifies the file that is client certificate - pub fn set_certificate_file(&mut self, file: &str, + /// Specifies the file that contains certificate + pub fn set_certificate_file(&mut self, file: &Path, file_type: X509FileType) -> Option<SslError> { wrap_ssl_result(file.with_c_str(|file| { unsafe { @@ -196,8 +245,8 @@ impl SslContext { })) } - /// Specifies the file that is client private key - pub fn set_private_key_file(&mut self, file: &str, + /// Specifies the file that contains private key + pub fn set_private_key_file(&mut self, file: &Path, file_type: X509FileType) -> Option<SslError> { wrap_ssl_result(file.with_c_str(|file| { unsafe { @@ -205,148 +254,32 @@ impl SslContext { } })) } -} - -pub struct X509StoreContext { - ctx: *mut ffi::X509_STORE_CTX -} -impl X509StoreContext { - pub fn get_error(&self) -> Option<X509ValidationError> { - let err = unsafe { ffi::X509_STORE_CTX_get_error(self.ctx) }; - X509ValidationError::from_raw(err) - } - - pub fn get_current_cert<'a>(&'a self) -> Option<X509<'a>> { - let ptr = unsafe { ffi::X509_STORE_CTX_get_current_cert(self.ctx) }; - - if ptr.is_null() { - None - } else { - Some(X509 { ctx: self, x509: ptr }) - } + pub fn set_cipher_list(&mut self, cipher_list: &str) -> Option<SslError> { + wrap_ssl_result(cipher_list.with_c_str(|cipher_list| { + unsafe { + ffi::SSL_CTX_set_cipher_list(self.ctx, cipher_list) + } + })) } } #[allow(dead_code)] -/// A public key certificate -pub struct X509<'ctx> { - ctx: &'ctx X509StoreContext, - x509: *mut ffi::X509 +struct MemBioRef<'ssl> { + ssl: &'ssl Ssl, + bio: MemBio, } -impl<'ctx> X509<'ctx> { - pub fn subject_name<'a>(&'a self) -> X509Name<'a> { - let name = unsafe { ffi::X509_get_subject_name(self.x509) }; - X509Name { x509: self, name: name } +impl<'ssl> MemBioRef<'ssl> { + fn read(&mut self, buf: &mut [u8]) -> Option<uint> { + (&mut self.bio as &mut Reader).read(buf).ok() } - /// Returns certificate fingerprint calculated using provided hash - pub fn fingerprint(&self, hash_type: HashType) -> Option<Vec<u8>> { - let (evp, len) = evpmd(hash_type); - let v: Vec<u8> = Vec::from_elem(len, 0); - let act_len: c_uint = 0; - let res = unsafe { - ffi::X509_digest(self.x509, evp, mem::transmute(v.as_ptr()), - mem::transmute(&act_len)) - }; - - match res { - 0 => None, - _ => { - let act_len = act_len as uint; - match len.cmp(&act_len) { - Greater => None, - Equal => Some(v), - Less => fail!("Fingerprint buffer was corrupted!") - } - } - } + fn write(&mut self, buf: &[u8]) { + let _ = (&mut self.bio as &mut Writer).write(buf); } } -#[allow(dead_code)] -pub struct X509Name<'x> { - x509: &'x X509<'x>, - name: *mut ffi::X509_NAME -} - -macro_rules! make_validation_error( - ($ok_val:ident, $($name:ident = $val:ident,)+) => ( - pub enum X509ValidationError { - $($name,)+ - X509UnknownError(c_int) - } - - impl X509ValidationError { - #[doc(hidden)] - pub fn from_raw(err: c_int) -> Option<X509ValidationError> { - match err { - self::ffi::$ok_val => None, - $(self::ffi::$val => Some($name),)+ - err => Some(X509UnknownError(err)) - } - } - } - ) -) - -make_validation_error!(X509_V_OK, - X509UnableToGetIssuerCert = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, - X509UnableToGetCrl = X509_V_ERR_UNABLE_TO_GET_CRL, - X509UnableToDecryptCertSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, - X509UnableToDecryptCrlSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, - X509UnableToDecodeIssuerPublicKey = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, - X509CertSignatureFailure = X509_V_ERR_CERT_SIGNATURE_FAILURE, - X509CrlSignatureFailure = X509_V_ERR_CRL_SIGNATURE_FAILURE, - X509CertNotYetValid = X509_V_ERR_CERT_NOT_YET_VALID, - X509CertHasExpired = X509_V_ERR_CERT_HAS_EXPIRED, - X509CrlNotYetValid = X509_V_ERR_CRL_NOT_YET_VALID, - X509CrlHasExpired = X509_V_ERR_CRL_HAS_EXPIRED, - X509ErrorInCertNotBeforeField = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, - X509ErrorInCertNotAfterField = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, - X509ErrorInCrlLastUpdateField = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, - X509ErrorInCrlNextUpdateField = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, - X509OutOfMem = X509_V_ERR_OUT_OF_MEM, - X509DepthZeroSelfSignedCert = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, - X509SelfSignedCertInChain = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, - X509UnableToGetIssuerCertLocally = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, - X509UnableToVerifyLeafSignature = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, - X509CertChainTooLong = X509_V_ERR_CERT_CHAIN_TOO_LONG, - X509CertRevoked = X509_V_ERR_CERT_REVOKED, - X509InvalidCA = X509_V_ERR_INVALID_CA, - X509PathLengthExceeded = X509_V_ERR_PATH_LENGTH_EXCEEDED, - X509InvalidPurpose = X509_V_ERR_INVALID_PURPOSE, - X509CertUntrusted = X509_V_ERR_CERT_UNTRUSTED, - X509CertRejected = X509_V_ERR_CERT_REJECTED, - X509SubjectIssuerMismatch = X509_V_ERR_SUBJECT_ISSUER_MISMATCH, - X509AkidSkidMismatch = X509_V_ERR_AKID_SKID_MISMATCH, - X509AkidIssuerSerialMismatch = X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH, - X509KeyusageNoCertsign = X509_V_ERR_KEYUSAGE_NO_CERTSIGN, - X509UnableToGetCrlIssuer = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, - X509UnhandledCriticalExtension = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, - X509KeyusageNoCrlSign = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN, - X509UnhandledCriticalCrlExtension = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, - X509InvalidNonCA = X509_V_ERR_INVALID_NON_CA, - X509ProxyPathLengthExceeded = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED, - X509KeyusageNoDigitalSignature = X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE, - X509ProxyCertificatesNotAllowed = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, - X509InvalidExtension = X509_V_ERR_INVALID_EXTENSION, - X509InavlidPolicyExtension = X509_V_ERR_INVALID_POLICY_EXTENSION, - X509NoExplicitPolicy = X509_V_ERR_NO_EXPLICIT_POLICY, - X509DifferentCrlScope = X509_V_ERR_DIFFERENT_CRL_SCOPE, - X509UnsupportedExtensionFeature = X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE, - X509UnnestedResource = X509_V_ERR_UNNESTED_RESOURCE, - X509PermittedVolation = X509_V_ERR_PERMITTED_VIOLATION, - X509ExcludedViolation = X509_V_ERR_EXCLUDED_VIOLATION, - X509SubtreeMinmax = X509_V_ERR_SUBTREE_MINMAX, - X509UnsupportedConstraintType = X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, - X509UnsupportedConstraintSyntax = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX, - X509UnsupportedNameSyntax = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, - X509CrlPathValidationError= X509_V_ERR_CRL_PATH_VALIDATION_ERROR, - X509ApplicationVerification = X509_V_ERR_APPLICATION_VERIFICATION, -) - pub struct Ssl { ssl: *mut ffi::SSL } @@ -365,18 +298,10 @@ impl Ssl { } let ssl = Ssl { ssl: ssl }; - let rbio = unsafe { ffi::BIO_new(ffi::BIO_s_mem()) }; - if rbio == ptr::null_mut() { - return Err(SslError::get()); - } - - let wbio = unsafe { ffi::BIO_new(ffi::BIO_s_mem()) }; - if wbio == ptr::null_mut() { - unsafe { ffi::BIO_free_all(rbio) } - return Err(SslError::get()); - } + let rbio = try!(MemBio::new()); + let wbio = try!(MemBio::new()); - unsafe { ffi::SSL_set_bio(ssl.ssl, rbio, wbio) } + unsafe { ffi::SSL_set_bio(ssl.ssl, rbio.unwrap(), wbio.unwrap()) } Ok(ssl) } @@ -389,13 +314,10 @@ impl Ssl { } fn wrap_bio<'a>(&'a self, bio: *mut ffi::BIO) -> MemBioRef<'a> { - assert!(bio != ptr::mut_null()); + assert!(bio != ptr::null_mut()); MemBioRef { ssl: self, - bio: MemBio { - bio: bio, - owned: false - } + bio: MemBio::borrowed(bio) } } @@ -403,6 +325,10 @@ impl Ssl { unsafe { ffi::SSL_connect(self.ssl) } } + fn accept(&self) -> c_int { + unsafe { ffi::SSL_accept(self.ssl) } + } + fn read(&self, buf: &mut [u8]) -> c_int { unsafe { ffi::SSL_read(self.ssl, buf.as_ptr() as *mut c_void, buf.len() as c_int) } @@ -443,6 +369,17 @@ impl Ssl { } } + pub fn get_peer_certificate(&self) -> Option<X509> { + unsafe { + let ptr = ffi::SSL_get_peer_certificate(self.ssl); + if ptr.is_null() { + None + } else { + Some(X509::new(ptr, true)) + } + } + } + } #[deriving(FromPrimitive)] @@ -459,110 +396,90 @@ enum LibSslError { ErrorWantAccept = ffi::SSL_ERROR_WANT_ACCEPT, } -#[allow(dead_code)] -struct MemBioRef<'ssl> { - ssl: &'ssl Ssl, - bio: MemBio, -} - -impl<'ssl> MemBioRef<'ssl> { - fn read(&self, buf: &mut [u8]) -> Option<uint> { - self.bio.read(buf) - } - - fn write(&self, buf: &[u8]) { - self.bio.write(buf) - } -} - -struct MemBio { - bio: *mut ffi::BIO, - owned: bool -} - -impl Drop for MemBio { - fn drop(&mut self) { - if self.owned { - unsafe { - ffi::BIO_free_all(self.bio); - } - } - } -} - -impl MemBio { - fn read(&self, buf: &mut [u8]) -> Option<uint> { - let ret = unsafe { - ffi::BIO_read(self.bio, buf.as_ptr() as *mut c_void, - buf.len() as c_int) - }; - - if ret < 0 { - None - } else { - Some(ret as uint) - } - } - - fn write(&self, buf: &[u8]) { - let ret = unsafe { - ffi::BIO_write(self.bio, buf.as_ptr() as *const c_void, - buf.len() as c_int) - }; - assert_eq!(buf.len(), ret as uint); - } -} - /// A stream wrapper which handles SSL encryption for an underlying stream. +#[deriving(Clone)] pub struct SslStream<S> { stream: S, - ssl: Ssl, + ssl: Arc<Ssl>, buf: Vec<u8> } impl<S: Stream> SslStream<S> { - /// Attempts to create a new SSL stream from a given `Ssl` instance. - pub fn new_from(ssl: Ssl, stream: S) -> Result<SslStream<S>, SslError> { - let mut ssl = SslStream { + fn new_base(ssl:Ssl, stream: S) -> SslStream<S> { + SslStream { stream: stream, - ssl: ssl, + ssl: Arc::new(ssl), // Maximum TLS record size is 16k buf: Vec::from_elem(16 * 1024, 0u8) - }; - - match ssl.in_retry_wrapper(|ssl| { ssl.connect() }) { - Ok(_) => Ok(ssl), - Err(err) => Err(err) } } + pub fn new_server_from(ssl: Ssl, stream: S) -> Result<SslStream<S>, SslError> { + let mut ssl = SslStream::new_base(ssl, stream); + ssl.in_retry_wrapper(|ssl| { ssl.accept() }).and(Ok(ssl)) + } + + /// Attempts to create a new SSL stream from a given `Ssl` instance. + pub fn new_from(ssl: Ssl, stream: S) -> Result<SslStream<S>, SslError> { + let mut ssl = SslStream::new_base(ssl, stream); + ssl.in_retry_wrapper(|ssl| { ssl.connect() }).and(Ok(ssl)) + } + /// Creates a new SSL stream pub fn new(ctx: &SslContext, stream: S) -> Result<SslStream<S>, SslError> { - let ssl = match Ssl::new(ctx) { - Ok(ssl) => ssl, - Err(err) => return Err(err) - }; - + let ssl = try!(Ssl::new(ctx)); SslStream::new_from(ssl, stream) } + /// Creates a new SSL server stream + pub fn new_server(ctx: &SslContext, stream: S) -> Result<SslStream<S>, SslError> { + let ssl = try!(Ssl::new(ctx)); + SslStream::new_server_from(ssl, stream) + } + + /// Returns a mutable reference to the underlying stream. + /// + /// ## Warning + /// + /// `read`ing or `write`ing directly to the underlying stream will most + /// likely desynchronize the SSL session. + #[deprecated="use get_mut instead"] + pub fn get_inner(&mut self) -> &mut S { + self.get_mut() + } + + /// Returns a reference to the underlying stream. + pub fn get_ref(&self) -> &S { + &self.stream + } + + /// Returns a mutable reference to the underlying stream. + /// + /// ## Warning + /// + /// It is inadvisable to read from or write to the underlying stream as it + /// will most likely desynchronize the SSL session. + pub fn get_mut(&mut self) -> &mut S { + &mut self.stream + } + fn in_retry_wrapper(&mut self, blk: |&Ssl| -> c_int) -> Result<c_int, SslError> { loop { - let ret = blk(&self.ssl); + let ret = blk(&*self.ssl); if ret > 0 { return Ok(ret); } match self.ssl.get_error(ret) { - ErrorWantRead => { - try_ssl!(self.flush()); - let len = try_ssl!(self.stream.read(self.buf.as_mut_slice())); + LibSslError::ErrorWantRead => { + try_ssl_stream!(self.flush()); + let len = try_ssl_stream!(self.stream.read(self.buf.as_mut_slice())); self.ssl.get_rbio().write(self.buf.slice_to(len)); } - ErrorWantWrite => { try_ssl!(self.flush()) } - ErrorZeroReturn => return Err(SslSessionClosed), - ErrorSsl => return Err(SslError::get()), + LibSslError::ErrorWantWrite => { try_ssl_stream!(self.flush()) } + LibSslError::ErrorZeroReturn => return Err(SslSessionClosed), + LibSslError::ErrorSsl => return Err(SslError::get()), _ => unreachable!() } } @@ -588,7 +505,7 @@ impl<S: Stream> SslStream<S> { } let meth = unsafe { ffi::SSL_COMP_get_name(ptr) }; - let s = unsafe { string::raw::from_buf(meth as *const u8) }; + let s = unsafe { String::from_raw_buf(meth as *const u8) }; Some(s) } @@ -615,7 +532,7 @@ impl<S: Stream> Writer for SslStream<S> { let mut start = 0; while start < buf.len() { let ret = self.in_retry_wrapper(|ssl| { - ssl.write(buf.slice_from(start)) + ssl.write(buf.split_at(start).val1()) }); match ret { Ok(len) => start += len as uint, @@ -631,3 +548,58 @@ impl<S: Stream> Writer for SslStream<S> { self.stream.flush() } } + +/// A utility type to help in cases where the use of SSL is decided at runtime. +pub enum MaybeSslStream<S> where S: Stream { + /// A connection using SSL + Ssl(SslStream<S>), + /// A connection not using SSL + Normal(S), +} + +impl<S> Reader for MaybeSslStream<S> where S: Stream { + fn read(&mut self, buf: &mut [u8]) -> IoResult<uint> { + match *self { + MaybeSslStream::Ssl(ref mut s) => s.read(buf), + MaybeSslStream::Normal(ref mut s) => s.read(buf), + } + } +} + +impl<S> Writer for MaybeSslStream<S> where S: Stream{ + fn write(&mut self, buf: &[u8]) -> IoResult<()> { + match *self { + MaybeSslStream::Ssl(ref mut s) => s.write(buf), + MaybeSslStream::Normal(ref mut s) => s.write(buf), + } + } + + fn flush(&mut self) -> IoResult<()> { + match *self { + MaybeSslStream::Ssl(ref mut s) => s.flush(), + MaybeSslStream::Normal(ref mut s) => s.flush(), + } + } +} + +impl<S> MaybeSslStream<S> where S: Stream { + /// Returns a reference to the underlying stream. + pub fn get_ref(&self) -> &S { + match *self { + MaybeSslStream::Ssl(ref s) => s.get_ref(), + MaybeSslStream::Normal(ref s) => s, + } + } + + /// Returns a mutable reference to the underlying stream. + /// + /// ## Warning + /// + /// It is inadvisable to read from or write to the underlying stream. + pub fn get_mut(&mut self) -> &mut S { + match *self { + MaybeSslStream::Ssl(ref mut s) => s.get_mut(), + MaybeSslStream::Normal(ref mut s) => s, + } + } +} diff --git a/src/ssl/tests.rs b/src/ssl/tests.rs index 99241719..e4414f84 100644 --- a/src/ssl/tests.rs +++ b/src/ssl/tests.rs @@ -1,8 +1,12 @@ -use std::io::Writer; +use serialize::hex::FromHex; +use std::io::{Writer}; use std::io::net::tcp::TcpStream; -use std::str; -use ssl::{Sslv23, SslContext, SslStream, SslVerifyPeer, X509StoreContext}; +use crypto::hash::HashType::{SHA256}; +use ssl::SslMethod::Sslv23; +use ssl::{SslContext, SslStream}; +use ssl::SslVerifyMode::SslVerifyPeer; +use x509::{X509StoreContext}; #[test] fn test_new_ctx() { @@ -11,33 +15,33 @@ fn test_new_ctx() { #[test] fn test_new_sslstream() { - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); SslStream::new(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); } #[test] fn test_verify_untrusted() { - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, None); match SslStream::new(&ctx, stream) { - Ok(_) => fail!("expected failure"), + Ok(_) => panic!("expected failure"), Err(err) => println!("error {}", err) } } #[test] fn test_verify_trusted() { - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, None); - match ctx.set_CA_file("test/cert.pem") { + match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} - Some(err) => fail!("Unexpected error {}", err) + Some(err) => panic!("Unexpected error {}", err) } match SslStream::new(&ctx, stream) { Ok(_) => (), - Err(err) => fail!("Expected success, got {}", err) + Err(err) => panic!("Expected success, got {}", err) } } @@ -46,12 +50,12 @@ fn test_verify_untrusted_callback_override_ok() { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { true } - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback)); match SslStream::new(&ctx, stream) { Ok(_) => (), - Err(err) => fail!("Expected success, got {}", err) + Err(err) => panic!("Expected success, got {}", err) } } @@ -60,7 +64,7 @@ fn test_verify_untrusted_callback_override_bad() { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { false } - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback)); assert!(SslStream::new(&ctx, stream).is_err()); @@ -71,16 +75,16 @@ fn test_verify_trusted_callback_override_ok() { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { true } - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback)); - match ctx.set_CA_file("test/cert.pem") { + match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} - Some(err) => fail!("Unexpected error {}", err) + Some(err) => panic!("Unexpected error {}", err) } match SslStream::new(&ctx, stream) { Ok(_) => (), - Err(err) => fail!("Expected success, got {}", err) + Err(err) => panic!("Expected success, got {}", err) } } @@ -89,12 +93,12 @@ fn test_verify_trusted_callback_override_bad() { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { false } - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback)); - match ctx.set_CA_file("test/cert.pem") { + match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} - Some(err) => fail!("Unexpected error {}", err) + Some(err) => panic!("Unexpected error {}", err) } assert!(SslStream::new(&ctx, stream).is_err()); } @@ -105,7 +109,7 @@ fn test_verify_callback_load_certs() { assert!(x509_ctx.get_current_cert().is_some()); true } - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback)); assert!(SslStream::new(&ctx, stream).is_ok()); @@ -117,12 +121,12 @@ fn test_verify_trusted_get_error_ok() { assert!(x509_ctx.get_error().is_none()); true } - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback)); - match ctx.set_CA_file("test/cert.pem") { + match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} - Some(err) => fail!("Unexpected error {}", err) + Some(err) => panic!("Unexpected error {}", err) } assert!(SslStream::new(&ctx, stream).is_ok()); } @@ -133,15 +137,46 @@ fn test_verify_trusted_get_error_err() { assert!(x509_ctx.get_error().is_some()); false } - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback)); assert!(SslStream::new(&ctx, stream).is_err()); } #[test] +fn test_verify_callback_data() { + fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext, node_id: &Vec<u8>) -> bool { + let cert = x509_ctx.get_current_cert(); + match cert { + None => false, + Some(cert) => { + let fingerprint = cert.fingerprint(SHA256).unwrap(); + fingerprint.as_slice() == node_id.as_slice() + } + } + } + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); + let mut ctx = SslContext::new(Sslv23).unwrap(); + + // Node id was generated as SHA256 hash of certificate "test/cert.pem" + // in DER format. + // Command: openssl x509 -in test/cert.pem -outform DER | openssl dgst -sha256 + // Please update if "test/cert.pem" will ever change + let node_hash_str = "46e3f1a6d17a41ce70d0c66ef51cee2ab4ba67cac8940e23f10c1f944b49fb5c"; + let node_id = node_hash_str.from_hex().unwrap(); + ctx.set_verify_with_data(SslVerifyPeer, callback, node_id); + ctx.set_verify_depth(1); + + match SslStream::new(&ctx, stream) { + Ok(_) => (), + Err(err) => panic!("Expected success, got {}", err) + } +} + + +#[test] fn test_write() { - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut stream = SslStream::new(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); stream.write("hello".as_bytes()).unwrap(); stream.flush().unwrap(); @@ -151,10 +186,21 @@ fn test_write() { #[test] fn test_read() { - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut stream = SslStream::new(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); stream.write("GET /\r\n\r\n".as_bytes()).unwrap(); stream.flush().unwrap(); - let buf = stream.read_to_end().ok().expect("read error"); - print!("{}", str::from_utf8(buf.as_slice())); + stream.read_to_end().ok().expect("read error"); +} + +#[test] +fn test_clone() { + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); + let mut stream = SslStream::new(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); + let mut stream2 = stream.clone(); + spawn(proc() { + stream2.write("GET /\r\n\r\n".as_bytes()).unwrap(); + stream2.flush().unwrap(); + }); + stream.read_to_end().ok().expect("read error"); } |