diff options
Diffstat (limited to 'openssl/src/ssl')
| -rw-r--r-- | openssl/src/ssl/bio.rs | 2 | ||||
| -rw-r--r-- | openssl/src/ssl/callbacks.rs | 4 | ||||
| -rw-r--r-- | openssl/src/ssl/connector.rs | 6 | ||||
| -rw-r--r-- | openssl/src/ssl/mod.rs | 41 | ||||
| -rw-r--r-- | openssl/src/ssl/tests/mod.rs | 48 |
5 files changed, 66 insertions, 35 deletions
diff --git a/openssl/src/ssl/bio.rs b/openssl/src/ssl/bio.rs index 4b792a75..4c0c37db 100644 --- a/openssl/src/ssl/bio.rs +++ b/openssl/src/ssl/bio.rs @@ -173,7 +173,7 @@ unsafe extern "C" fn destroy<S>(bio: *mut BIO) -> c_int { 1 } -#[cfg(ossl110)] +#[cfg(ossl11x)] #[allow(bad_style)] mod compat { use std::io::{Read, Write}; diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index d7c48050..9df34e72 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -12,7 +12,7 @@ use dh::Dh; #[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))] use ec_key::EcKey; use ssl::{get_callback_idx, get_ssl_callback_idx, SslRef, SniError, NPN_PROTOS_IDX}; -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] use ssl::ALPN_PROTOS_IDX; use x509::X509StoreContextRef; @@ -158,7 +158,7 @@ pub extern "C" fn raw_next_proto_select_cb( unsafe { select_proto_using(ssl, out, outlen, inbuf, inlen, *NPN_PROTOS_IDX) } } -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub extern "C" fn raw_alpn_select_cb( ssl: *mut ffi::SSL, out: *mut *const c_uchar, diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index a730cc49..1f73220f 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -367,7 +367,7 @@ fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { ctx._set_ecdh_auto(true) } -#[cfg(ossl110)] +#[cfg(ossl11x)] fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> { Ok(()) } @@ -390,7 +390,7 @@ impl SslAcceptor { } } -#[cfg(any(ossl102, ossl110))] +#[cfg(any(ossl102, ossl11x))] fn setup_verify(ctx: &mut SslContextBuilder) { ctx.set_verify(SSL_VERIFY_PEER); } @@ -409,7 +409,7 @@ fn setup_verify(ctx: &mut SslContextBuilder) { }); } -#[cfg(any(ossl102, ossl110))] +#[cfg(any(ossl102, ossl11x))] fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { let param = ssl._param_mut(); param.set_hostflags(::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 6ef39964..dad9b4c7 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -99,9 +99,9 @@ use ec::EcKeyRef; use ec::EcKey; use x509::{X509, X509FileType, X509Name, X509Ref, X509StoreContextRef, X509VerifyError}; use x509::store::{X509StoreBuilderRef, X509StoreRef}; -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] use x509::store::X509Store; -#[cfg(any(ossl102, ossl110))] +#[cfg(any(ossl102, ossl11x))] use verify::X509VerifyParamRef; use pkey::PKeyRef; use error::ErrorStack; @@ -211,15 +211,21 @@ bitflags! { /// Disables the use of TLSv1.2. const SSL_OP_NO_TLSV1_2 = ffi::SSL_OP_NO_TLSv1_2; + /// Disables the use of TLSv1.3. + /// + /// Requires OpenSSL 1.1.1 or newer. + #[cfg(ossl111)] + const SSL_OP_NO_TLSV1_3 = ffi::SSL_OP_NO_TLSv1_3; + /// Disables the use of DTLSv1.0 /// /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] const SSL_OP_NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1; /// Disables the use of DTLSv1.2. /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] const SSL_OP_NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2; /// Disables the use of all (D)TLS protocol versions. @@ -237,8 +243,15 @@ bitflags! { /// /// let options = SSL_OP_NO_SSL_MASK & !SSL_OP_NO_TLSV1_2; /// ``` - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] const SSL_OP_NO_SSL_MASK = ffi::SSL_OP_NO_SSL_MASK; + + /// Enable TLSv1.3 Compatibility mode. + /// + /// Requires OpenSSL 1.1.1 or newer. This is on by default in 1.1.1, but a future version + /// may have this disabled by default. + #[cfg(ossl111)] + const SSL_OP_ENABLE_MIDDLEBOX_COMPAT = ffi::SSL_OP_ENABLE_MIDDLEBOX_COMPAT; } } @@ -398,7 +411,7 @@ lazy_static! { static ref NPN_PROTOS_IDX: c_int = get_new_idx::<Vec<u8>>(); } -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] lazy_static! { static ref ALPN_PROTOS_IDX: c_int = get_new_idx::<Vec<u8>>(); } @@ -578,7 +591,7 @@ impl SslContextBuilder { /// This corresponds to [`SSL_CTX_set0_verify_cert_store`]. /// /// [`SSL_CTX_set0_verify_cert_store`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set0_verify_cert_store.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn set_verify_cert_store(&mut self, cert_store: X509Store) -> Result<(), ErrorStack> { unsafe { let ptr = cert_store.as_ptr(); @@ -970,7 +983,7 @@ impl SslContextBuilder { /// /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. // FIXME overhaul - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn set_alpn_protocols(&mut self, protocols: &[&[u8]]) -> Result<(), ErrorStack> { let protocols: Box<Vec<u8>> = Box::new(ssl_encode_byte_strings(protocols)); unsafe { @@ -1190,7 +1203,7 @@ impl SslContextRef { /// This corresponds to [`SSL_CTX_get0_certificate`]. /// /// [`SSL_CTX_get0_certificate`]: https://www.openssl.org/docs/man1.1.0/ssl/ssl.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn certificate(&self) -> Option<&X509Ref> { unsafe { let ptr = ffi::SSL_CTX_get0_certificate(self.as_ptr()); @@ -1209,7 +1222,7 @@ impl SslContextRef { /// This corresponds to [`SSL_CTX_get0_privatekey`]. /// /// [`SSL_CTX_get0_privatekey`]: https://www.openssl.org/docs/man1.1.0/ssl/ssl.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn private_key(&self) -> Option<&PKeyRef> { unsafe { let ptr = ffi::SSL_CTX_get0_privatekey(self.as_ptr()); @@ -1794,7 +1807,7 @@ impl SslRef { /// This corresponds to [`SSL_get0_alpn_selected`]. /// /// [`SSL_get0_alpn_selected`]: https://www.openssl.org/docs/manmaster/man3/SSL_get0_next_proto_negotiated.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn selected_alpn_protocol(&self) -> Option<&[u8]> { unsafe { let mut data: *const c_uchar = ptr::null(); @@ -1894,12 +1907,12 @@ impl SslRef { /// This corresponds to [`SSL_get0_param`]. /// /// [`SSL_get0_param`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_get0_param.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] pub fn param_mut(&mut self) -> &mut X509VerifyParamRef { self._param_mut() } - #[cfg(any(ossl102, ossl110))] + #[cfg(any(ossl102, ossl11x))] fn _param_mut(&mut self) -> &mut X509VerifyParamRef { unsafe { X509VerifyParamRef::from_ptr_mut(ffi::SSL_get0_param(self.as_ptr())) } } @@ -2437,7 +2450,7 @@ pub enum ShutdownResult { Received, } -#[cfg(ossl110)] +#[cfg(ossl11x)] mod compat { use std::ptr; diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index 1cc36c7f..b5d5a829 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -22,7 +22,7 @@ use ssl::{SslMethod, HandshakeError, SslContext, SslStream, Ssl, ShutdownResult, SslConnectorBuilder, SslAcceptorBuilder, Error, SSL_VERIFY_PEER, SSL_VERIFY_NONE, STATUS_TYPE_OCSP}; use x509::{X509StoreContext, X509, X509Name, X509_FILETYPE_PEM}; -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] use x509::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; use pkey::PKey; @@ -138,14 +138,14 @@ macro_rules! run_test( use ssl::SSL_VERIFY_PEER; use hash::MessageDigest; use x509::X509StoreContext; - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] use x509::X509; - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] use x509::store::X509StoreBuilder; use hex::FromHex; use foreign_types::ForeignTypeRef; use super::Server; - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] use super::ROOT_CERT; #[test] @@ -186,7 +186,7 @@ run_test!(verify_trusted, |method, stream| { } }); -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] run_test!(verify_trusted_with_set_cert, |method, stream| { let x509 = X509::from_pem(ROOT_CERT).unwrap(); let mut store = X509StoreBuilder::new().unwrap(); @@ -481,7 +481,7 @@ fn test_state() { /// Tests that connecting with the client using ALPN, but the server not does not /// break the existing connection behavior. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_connect_with_unilateral_alpn() { let (_s, stream) = Server::new(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); @@ -525,7 +525,7 @@ fn test_connect_with_unilateral_npn() { /// Tests that when both the client as well as the server use ALPN and their /// lists of supported protocols have an overlap, the correct protocol is chosen. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_connect_with_alpn_successful_multiple_matching() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); @@ -546,8 +546,10 @@ fn test_connect_with_alpn_successful_multiple_matching() { /// Tests that when both the client as well as the server use NPN and their /// lists of supported protocols have an overlap, the correct protocol is chosen. +// Ignore: NPN is removed on master. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[ignore] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_connect_with_npn_successful_multiple_matching() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); @@ -570,7 +572,7 @@ fn test_connect_with_npn_successful_multiple_matching() { /// lists of supported protocols have an overlap -- with only ONE protocol /// being valid for both. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_connect_with_alpn_successful_single_match() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); @@ -593,8 +595,10 @@ fn test_connect_with_alpn_successful_single_match() { /// Tests that when both the client as well as the server use NPN and their /// lists of supported protocols have an overlap -- with only ONE protocol /// being valid for both. +// Ignore: NPN is removed on master. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[ignore] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_connect_with_npn_successful_single_match() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); @@ -615,7 +619,9 @@ fn test_connect_with_npn_successful_single_match() { /// Tests that when the `SslStream` is created as a server stream, the protocols /// are correctly advertised to the client. +// Ignore: NPN is removed on master. #[test] +#[ignore] #[cfg(not(any(libressl261, libressl262, libressl26x)))] fn test_npn_server_advertise_multiple() { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); @@ -659,7 +665,7 @@ fn test_npn_server_advertise_multiple() { /// Tests that when the `SslStream` is created as a server stream, the protocols /// are correctly advertised to the client. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_alpn_server_advertise_multiple() { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let localhost = listener.local_addr().unwrap(); @@ -702,7 +708,7 @@ fn test_alpn_server_advertise_multiple() { /// Test that Servers supporting ALPN don't report a protocol when none of their protocols match /// the client's reported protocol. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn test_alpn_server_select_none() { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let localhost = listener.local_addr().unwrap(); @@ -804,7 +810,9 @@ fn test_write_nonblocking() { stream.write(" there".as_bytes()).unwrap(); } +// Ignore: the test is removed in master. #[test] +#[ignore] #[cfg_attr(any(libressl, windows, target_arch = "arm"), ignore)] // FIXME(#467) fn test_read_nonblocking() { let (_s, stream) = Server::new(); @@ -967,7 +975,9 @@ fn default_verify_paths() { ctx.set_default_verify_paths().unwrap(); ctx.set_verify(SSL_VERIFY_PEER); let s = TcpStream::connect("google.com:443").unwrap(); - let mut socket = Ssl::new(&ctx.build()).unwrap().connect(s).unwrap(); + let mut ssl = Ssl::new(&ctx.build()).unwrap(); + ssl.set_hostname("google.com").unwrap(); + let mut socket = ssl.connect(s).unwrap(); socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap(); let mut result = vec![]; @@ -987,7 +997,7 @@ fn add_extra_chain_cert() { } #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn verify_valid_hostname() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_default_verify_paths().unwrap(); @@ -998,6 +1008,7 @@ fn verify_valid_hostname() { X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, ); ssl.param_mut().set_host("google.com").unwrap(); + ssl.set_hostname("google.com").unwrap(); let s = TcpStream::connect("google.com:443").unwrap(); let mut socket = ssl.connect(s).unwrap(); @@ -1012,7 +1023,7 @@ fn verify_valid_hostname() { } #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl11x)))] fn verify_invalid_hostname() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_default_verify_paths().unwrap(); @@ -1052,7 +1063,10 @@ fn connector_invalid_hostname() { assert!(connector.connect("foobar.com", s).is_err()); } +// Ignored: Google's load balancer architecture changed. Connection without SNI will fail with +// self signed certs. #[test] +#[ignore] fn connector_invalid_no_hostname_verification() { let connector = SslConnectorBuilder::new(SslMethod::tls()).unwrap().build(); @@ -1231,6 +1245,8 @@ fn tmp_dh_callback() { let stream = TcpStream::connect(("127.0.0.1", port)).unwrap(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); + #[cfg(ossl111)] + ctx.set_options(super::SSL_OP_NO_TLSV1_3); ctx.set_cipher_list("EDH").unwrap(); let ssl = Ssl::new(&ctx.build()).unwrap(); ssl.connect(stream).unwrap(); @@ -1298,6 +1314,8 @@ fn tmp_dh_callback_ssl() { let stream = TcpStream::connect(("127.0.0.1", port)).unwrap(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); + #[cfg(ossl111)] + ctx.set_options(super::SSL_OP_NO_TLSV1_3); ctx.set_cipher_list("EDH").unwrap(); let ssl = Ssl::new(&ctx.build()).unwrap(); ssl.connect(stream).unwrap(); |