diff options
Diffstat (limited to 'openssl')
| -rw-r--r-- | openssl/Cargo.toml | 4 | ||||
| -rw-r--r-- | openssl/src/asn1.rs | 23 | ||||
| -rw-r--r-- | openssl/src/lib.rs | 2 | ||||
| -rw-r--r-- | openssl/src/ssl/connector.rs | 16 | ||||
| -rw-r--r-- | openssl/src/ssl/mod.rs | 8 | ||||
| -rw-r--r-- | openssl/src/verify.rs | 86 | ||||
| -rw-r--r-- | openssl/src/x509/mod.rs | 13 | ||||
| -rw-r--r-- | openssl/src/x509/tests.rs | 1 | ||||
| -rw-r--r-- | openssl/src/x509/verify.rs | 91 |
9 files changed, 128 insertions, 116 deletions
diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index e78b65aa..cbfab25e 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -8,10 +8,6 @@ repository = "https://github.com/sfackler/rust-openssl" readme = "README.md" keywords = ["crypto", "tls", "ssl", "dtls"] categories = ["cryptography", "api-bindings"] -build = "build.rs" - -[package.metadata.docs.rs] -all-features = true # these are deprecated and don't do anything anymore [features] diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index d129235a..f6917aae 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -26,7 +26,7 @@ //! ``` use ffi; use foreign_types::{ForeignType, ForeignTypeRef}; -use libc::{c_long, c_char, c_int}; +use libc::{c_char, c_int, c_long}; use std::fmt; use std::ptr; use std::slice; @@ -34,6 +34,7 @@ use std::str; use {cvt, cvt_p}; use bio::MemBio; +use bn::BigNum; use error::ErrorStack; use nid::Nid; use string::OpensslString; @@ -191,14 +192,24 @@ foreign_type_and_impl_send_sync! { } impl Asn1IntegerRef { - /// Returns value of ASN.1 integer, or -1 if there is an error, and 0 if the integer is Null. - /// - /// OpenSSL documentation at [`ASN1_INTEGER_get`]. - /// - /// [`ASN1_INTEGER_get`]: https://www.openssl.org/docs/man1.1.0/crypto/ASN1_INTEGER_get.html + #[allow(missing_docs)] + #[deprecated(since = "0.10.6", note = "use to_bn instead")] pub fn get(&self) -> i64 { unsafe { ::ffi::ASN1_INTEGER_get(self.as_ptr()) as i64 } } + + /// Converts the integer to a `BigNum`. + /// + /// This corresponds to [`ASN1_INTEGER_to_BN`]. + /// + /// [`ASN1_INTEGER_to_BN`]: https://www.openssl.org/docs/man1.1.0/crypto/ASN1_INTEGER_get.html + pub fn to_bn(&self) -> Result<BigNum, ErrorStack> { + unsafe { + cvt_p(::ffi::ASN1_INTEGER_to_BN(self.as_ptr(), ptr::null_mut())) + .map(|p| BigNum::from_ptr(p)) + } + } + /// Sets the ASN.1 value to the value of a signed 32-bit integer, for larger numbers /// see [`bn`]. /// diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index e4b621ef..a66a7743 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -61,8 +61,6 @@ pub mod string; pub mod symm; pub mod version; pub mod x509; -#[cfg(any(ossl102, ossl110))] -mod verify; fn cvt_p<T>(r: *mut T) -> Result<*mut T, ErrorStack> { if r.is_null() { diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 89eb0ac3..9966a5a0 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -192,11 +192,7 @@ impl SslAcceptor { pub fn mozilla_intermediate(method: SslMethod) -> Result<SslAcceptorBuilder, ErrorStack> { let mut ctx = ctx(method)?; #[cfg(ossl111)] - { - ctx.set_options(SslOptions { - bits: ::ffi::SSL_OP_NO_TLSv1_3, - }); - } + ctx.set_options(SslOptions::NO_TLSV1_3); let dh = Dh::params_from_pem( b" -----BEGIN DH PARAMETERS----- @@ -236,11 +232,7 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== let mut ctx = ctx(method)?; ctx.set_options(SslOptions::NO_TLSV1 | SslOptions::NO_TLSV1_1); #[cfg(ossl111)] - { - ctx.set_options(SslOptions { - bits: ::ffi::SSL_OP_NO_TLSv1_3, - }); - } + ctx.set_options(SslOptions::NO_TLSV1_3); setup_curves(&mut ctx)?; ctx.set_cipher_list( "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\ @@ -316,8 +308,10 @@ fn setup_verify(ctx: &mut SslContextBuilder) { #[cfg(any(ossl102, ossl110))] fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { + use x509::verify::X509CheckFlags; + let param = ssl.param_mut(); - param.set_hostflags(::verify::X509CheckFlags::NO_PARTIAL_WILDCARDS); + param.set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS); match domain.parse() { Ok(ip) => param.set_ip(ip), Err(_) => param.set_host(domain), diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 5a600053..0f9e8935 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -87,7 +87,7 @@ use x509::store::{X509StoreBuilderRef, X509StoreRef}; #[cfg(any(ossl102, ossl110))] use x509::store::X509Store; #[cfg(any(ossl102, ossl110))] -use verify::X509VerifyParamRef; +use x509::verify::X509VerifyParamRef; use pkey::{HasPrivate, PKeyRef, Params, Private}; use error::ErrorStack; use ex_data::Index; @@ -1558,12 +1558,14 @@ impl SslContextBuilder { parse_cb: ParseFn, ) -> Result<(), ErrorStack> where - AddFn: Fn(&mut SslRef, ExtensionContext, Option<(usize, &X509Ref)>) -> Result<Option<T>, SslAlert> + AddFn: Fn(&mut SslRef, ExtensionContext, Option<(usize, &X509Ref)>) + -> Result<Option<T>, SslAlert> + 'static + Sync + Send, T: AsRef<[u8]> + 'static + Sync + Send, - ParseFn: Fn(&mut SslRef, ExtensionContext, &[u8], Option<(usize, &X509Ref)>) -> Result<(), SslAlert> + ParseFn: Fn(&mut SslRef, ExtensionContext, &[u8], Option<(usize, &X509Ref)>) + -> Result<(), SslAlert> + 'static + Sync + Send, diff --git a/openssl/src/verify.rs b/openssl/src/verify.rs deleted file mode 100644 index 19e57c17..00000000 --- a/openssl/src/verify.rs +++ /dev/null @@ -1,86 +0,0 @@ -use libc::c_uint; -use ffi; -use foreign_types::ForeignTypeRef; -use std::net::IpAddr; - -use cvt; -use error::ErrorStack; - -bitflags! { - /// Flags used to check an `X509` certificate. - pub struct X509CheckFlags: c_uint { - const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT; - const FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS; - const NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; - const MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS; - const SINGLE_LABEL_SUBDOMAINS - = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS; - /// Requires OpenSSL 1.1.0 or newer. - #[cfg(any(ossl110))] - const NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; - } -} - -foreign_type_and_impl_send_sync! { - type CType = ffi::X509_VERIFY_PARAM; - fn drop = ffi::X509_VERIFY_PARAM_free; - - /// Adjust parameters associated with certificate verification. - pub struct X509VerifyParam; - /// Reference to `X509VerifyParam`. - pub struct X509VerifyParamRef; -} - -impl X509VerifyParamRef { - /// Set the host flags. - /// - /// This corresponds to [`X509_VERIFY_PARAM_set_hostflags`]. - /// - /// [`X509_VERIFY_PARAM_set_hostflags`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set_hostflags.html - pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) { - unsafe { - ffi::X509_VERIFY_PARAM_set_hostflags(self.as_ptr(), hostflags.bits); - } - } - - /// Set the expected DNS hostname. - /// - /// This corresponds to [`X509_VERIFY_PARAM_set1_host`]. - /// - /// [`X509_VERIFY_PARAM_set1_host`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set1_host.html - pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { - unsafe { - cvt(ffi::X509_VERIFY_PARAM_set1_host( - self.as_ptr(), - host.as_ptr() as *const _, - host.len(), - )).map(|_| ()) - } - } - - /// Set the expected IPv4 or IPv6 address. - /// - /// This corresponds to [`X509_VERIFY_PARAM_set1_ip`]. - /// - /// [`X509_VERIFY_PARAM_set1_ip`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set1_ip.html - pub fn set_ip(&mut self, ip: IpAddr) -> Result<(), ErrorStack> { - unsafe { - let mut buf = [0; 16]; - let len = match ip { - IpAddr::V4(addr) => { - buf[..4].copy_from_slice(&addr.octets()); - 4 - } - IpAddr::V6(addr) => { - buf.copy_from_slice(&addr.octets()); - 16 - } - }; - cvt(ffi::X509_VERIFY_PARAM_set1_ip( - self.as_ptr(), - buf.as_ptr() as *const _, - len, - )).map(|_| ()) - } - } -} diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index d4714f88..011a2d96 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -523,6 +523,19 @@ impl X509Ref { } } + /// Returns this certificate's serial number. + /// + /// This corresponds to [`X509_get_serialNumber`]. + /// + /// [`X509_get_serialNumber`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_get_serialNumber.html + pub fn serial_number(&self) -> &Asn1IntegerRef { + unsafe { + let r = ffi::X509_get_serialNumber(self.as_ptr()); + assert!(!r.is_null()); + Asn1IntegerRef::from_ptr(r) + } + } + to_pem! { /// Serializes the certificate into a PEM-encoded X509 structure. /// diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index ecc7f7de..fa8056ad 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -202,6 +202,7 @@ fn x509_builder() { .next() .unwrap(); assert_eq!("foobar.com".as_bytes(), cn.data().as_slice()); + assert_eq!(serial, x509.serial_number().to_bn().unwrap()); } #[test] diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index 8a57ce5c..b90c8f58 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -1,5 +1,88 @@ -//! X509 certificate verification -//! -//! Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. +use libc::c_uint; +use ffi; +use foreign_types::ForeignTypeRef; +use std::net::IpAddr; -pub use verify::*; +use cvt; +use error::ErrorStack; + +bitflags! { + /// Flags used to check an `X509` certificate. + pub struct X509CheckFlags: c_uint { + const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT; + const NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS; + const NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; + const MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS; + const SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS; + /// Requires OpenSSL 1.1.0 or newer. + #[cfg(any(ossl110))] + const NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; + + #[deprecated(since = "0.10.6", note = "renamed to NO_WILDCARDS")] + const FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS; + } +} + +foreign_type_and_impl_send_sync! { + type CType = ffi::X509_VERIFY_PARAM; + fn drop = ffi::X509_VERIFY_PARAM_free; + + /// Adjust parameters associated with certificate verification. + pub struct X509VerifyParam; + /// Reference to `X509VerifyParam`. + pub struct X509VerifyParamRef; +} + +impl X509VerifyParamRef { + /// Set the host flags. + /// + /// This corresponds to [`X509_VERIFY_PARAM_set_hostflags`]. + /// + /// [`X509_VERIFY_PARAM_set_hostflags`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set_hostflags.html + pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) { + unsafe { + ffi::X509_VERIFY_PARAM_set_hostflags(self.as_ptr(), hostflags.bits); + } + } + + /// Set the expected DNS hostname. + /// + /// This corresponds to [`X509_VERIFY_PARAM_set1_host`]. + /// + /// [`X509_VERIFY_PARAM_set1_host`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set1_host.html + pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::X509_VERIFY_PARAM_set1_host( + self.as_ptr(), + host.as_ptr() as *const _, + host.len(), + )).map(|_| ()) + } + } + + /// Set the expected IPv4 or IPv6 address. + /// + /// This corresponds to [`X509_VERIFY_PARAM_set1_ip`]. + /// + /// [`X509_VERIFY_PARAM_set1_ip`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set1_ip.html + pub fn set_ip(&mut self, ip: IpAddr) -> Result<(), ErrorStack> { + unsafe { + let mut buf = [0; 16]; + let len = match ip { + IpAddr::V4(addr) => { + buf[..4].copy_from_slice(&addr.octets()); + 4 + } + IpAddr::V6(addr) => { + buf.copy_from_slice(&addr.octets()); + 16 + } + }; + cvt(ffi::X509_VERIFY_PARAM_set1_ip( + self.as_ptr(), + buf.as_ptr() as *const _, + len, + )).map(|_| ()) + } + } +} |