diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/asn1/mod.rs | 49 | ||||
| -rw-r--r-- | src/bio/mod.rs | 105 | ||||
| -rw-r--r-- | src/bn/mod.rs | 242 | ||||
| -rw-r--r-- | src/crypto/hash.rs | 169 | ||||
| -rw-r--r-- | src/crypto/hmac.rs | 66 | ||||
| -rw-r--r-- | src/crypto/memcmp.rs | 39 | ||||
| -rw-r--r-- | src/crypto/mod.rs | 1 | ||||
| -rw-r--r-- | src/crypto/pkcs5.rs | 15 | ||||
| -rw-r--r-- | src/crypto/pkey.rs | 204 | ||||
| -rw-r--r-- | src/crypto/rand.rs | 11 | ||||
| -rw-r--r-- | src/crypto/symm.rs | 153 | ||||
| -rw-r--r-- | src/lib.rs | 16 | ||||
| -rw-r--r-- | src/macros.rs | 59 | ||||
| -rw-r--r-- | src/ssl/error.rs | 78 | ||||
| -rwxr-xr-x | src/ssl/ffi.rs | 192 | ||||
| -rw-r--r-- | src/ssl/mod.rs | 526 | ||||
| -rw-r--r-- | src/ssl/tests.rs | 104 | ||||
| -rw-r--r-- | src/x509/mod.rs | 514 | ||||
| -rw-r--r-- | src/x509/tests.rs | 51 |
19 files changed, 1601 insertions, 993 deletions
diff --git a/src/asn1/mod.rs b/src/asn1/mod.rs new file mode 100644 index 00000000..89c79f74 --- /dev/null +++ b/src/asn1/mod.rs @@ -0,0 +1,49 @@ +use libc::{c_long}; +use std::ptr; + +use ffi; +use ssl::error::{SslError}; + + +pub struct Asn1Time { + handle: *mut ffi::ASN1_TIME, + owned: bool +} + +impl Asn1Time { + /// Wraps existing ASN1_TIME and takes ownership + pub fn new(handle: *mut ffi::ASN1_TIME) -> Asn1Time { + Asn1Time { + handle: handle, + owned: true + } + } + + fn new_with_period(period: u64) -> Result<Asn1Time, SslError> { + ffi::init(); + + let handle = unsafe { + try_ssl_null!(ffi::X509_gmtime_adj(ptr::null_mut(), + period as c_long)) + }; + Ok(Asn1Time::new(handle)) + } + + /// Creates a new time on specified interval in days from now + pub fn days_from_now(days: uint) -> Result<Asn1Time, SslError> { + Asn1Time::new_with_period(days as u64 * 60 * 60 * 24) + } + + /// Returns raw handle + pub unsafe fn get_handle(&self) -> *mut ffi::ASN1_TIME { + return self.handle + } +} + +impl Drop for Asn1Time { + fn drop(&mut self) { + if self.owned { + unsafe { ffi::ASN1_TIME_free(self.handle) }; + } + } +} diff --git a/src/bio/mod.rs b/src/bio/mod.rs new file mode 100644 index 00000000..afc55849 --- /dev/null +++ b/src/bio/mod.rs @@ -0,0 +1,105 @@ +use libc::{c_void, c_int}; +use std::io::{EndOfFile, IoResult, IoError, OtherIoError}; +use std::io::{Reader, Writer}; +use std::ptr; + +use ffi; +use ssl::error::{SslError}; + +pub struct MemBio { + bio: *mut ffi::BIO, + owned: bool +} + +impl Drop for MemBio { + fn drop(&mut self) { + if self.owned { + unsafe { + ffi::BIO_free_all(self.bio); + } + } + } +} + +impl MemBio { + /// Creates a new owned memory based BIO + pub fn new() -> Result<MemBio, SslError> { + ffi::init(); + + let bio = unsafe { ffi::BIO_new(ffi::BIO_s_mem()) }; + try_ssl_null!(bio); + + Ok(MemBio { + bio: bio, + owned: true + }) + } + + /// Returns a "borrow", i.e. it has no ownership + pub fn borrowed(bio: *mut ffi::BIO) -> MemBio { + MemBio { + bio: bio, + owned: false + } + } + + /// Consumes current bio and returns wrapped value + /// Note that data ownership is lost and + /// should be managed manually + pub unsafe fn unwrap(mut self) -> *mut ffi::BIO { + self.owned = false; + self.bio + } + + /// Temporarily gets wrapped value + pub unsafe fn get_handle(&self) -> *mut ffi::BIO { + self.bio + } +} + +impl Reader for MemBio { + fn read(&mut self, buf: &mut [u8]) -> IoResult<uint> { + let ret = unsafe { + ffi::BIO_read(self.bio, buf.as_ptr() as *mut c_void, + buf.len() as c_int) + }; + + if ret <= 0 { + let is_eof = unsafe { ffi::BIO_eof(self.bio) }; + let err = if is_eof { + IoError { + kind: EndOfFile, + desc: "MemBio EOF", + detail: None + } + } else { + IoError { + kind: OtherIoError, + desc: "MemBio read error", + detail: Some(format!("{}", SslError::get())) + } + }; + Err(err) + } else { + Ok(ret as uint) + } + } +} + +impl Writer for MemBio { + fn write(&mut self, buf: &[u8]) -> IoResult<()> { + let ret = unsafe { + ffi::BIO_write(self.bio, buf.as_ptr() as *const c_void, + buf.len() as c_int) + }; + if buf.len() != ret as uint { + Err(IoError { + kind: OtherIoError, + desc: "MemBio write error", + detail: Some(format!("{}", SslError::get())) + }) + } else { + Ok(()) + } + } +} diff --git a/src/bn/mod.rs b/src/bn/mod.rs index fddd5703..3944fdcd 100644 --- a/src/bn/mod.rs +++ b/src/bn/mod.rs @@ -1,89 +1,11 @@ - -use libc::{c_void, c_int, c_ulong, c_char}; +use libc::{c_int, c_ulong, c_void}; use std::{fmt, ptr}; use std::c_str::CString; -use std::num::{One, Zero}; +use ffi; use ssl::error::SslError; -#[allow(dead_code)] -#[repr(C)] -struct BIGNUM { - d: *mut c_void, - top: c_int, - dmax: c_int, - neg: c_int, - flags: c_int, -} - -#[allow(non_camel_case_types)] -type BN_CTX = *mut c_void; - -#[link(name = "crypto")] -extern { - fn BN_new() -> *mut BIGNUM; - fn BN_clear_free(bn: *mut BIGNUM); - - fn BN_CTX_new() -> *mut BN_CTX; - fn BN_CTX_free(ctx: *mut BN_CTX); - - fn BN_set_word(bn: *mut BIGNUM, n: c_ulong) -> c_int; - fn BN_set_negative(bn: *mut BIGNUM, n: c_int); - fn BN_num_bits(bn: *mut BIGNUM) -> c_int; - - /* Arithmetic operations on BIGNUMs */ - fn BN_add(r: *mut BIGNUM, a: *mut BIGNUM, b: *mut BIGNUM) -> c_int; - fn BN_sub(r: *mut BIGNUM, a: *mut BIGNUM, b: *mut BIGNUM) -> c_int; - fn BN_mul(r: *mut BIGNUM, a: *mut BIGNUM, b: *mut BIGNUM, ctx: *mut BN_CTX) -> c_int; - fn BN_sqr(r: *mut BIGNUM, a: *mut BIGNUM, ctx: *mut BN_CTX) -> c_int; - fn BN_div(dv: *mut BIGNUM, rem: *mut BIGNUM, a: *mut BIGNUM, b: *mut BIGNUM, ctx: *mut BN_CTX) -> c_int; - fn BN_nnmod(rem: *mut BIGNUM, a: *mut BIGNUM, m: *mut BIGNUM, ctx: *mut BN_CTX) -> c_int; - fn BN_mod_add(r: *mut BIGNUM, a: *mut BIGNUM, b: *mut BIGNUM, m: *mut BIGNUM, ctx: *mut BN_CTX) -> c_int; - fn BN_mod_sub(r: *mut BIGNUM, a: *mut BIGNUM, b: *mut BIGNUM, m: *mut BIGNUM, ctx: *mut BN_CTX) -> c_int; - fn BN_mod_mul(r: *mut BIGNUM, a: *mut BIGNUM, b: *mut BIGNUM, m: *mut BIGNUM, ctx: *mut BN_CTX) -> c_int; - fn BN_mod_sqr(r: *mut BIGNUM, a: *mut BIGNUM, m: *mut BIGNUM, ctx: *mut BN_CTX) -> c_int; - fn BN_exp(r: *mut BIGNUM, a: *mut BIGNUM, p: *mut BIGNUM, ctx: *mut BN_CTX) -> c_int; - fn BN_mod_exp(r: *mut BIGNUM, a: *mut BIGNUM, p: *mut BIGNUM, m: *mut BIGNUM, ctx: *mut BN_CTX) -> c_int; - fn BN_mod_inverse(r: *mut BIGNUM, a: *mut BIGNUM, n: *mut BIGNUM, ctx: *mut BN_CTX) -> *const BIGNUM; - fn BN_mod_word(r: *mut BIGNUM, w: c_ulong) -> c_ulong; - fn BN_gcd(r: *mut BIGNUM, a: *mut BIGNUM, b: *mut BIGNUM, ctx: *mut BN_CTX) -> c_int; - - /* Bit operations on BIGNUMs */ - fn BN_set_bit(a: *mut BIGNUM, n: c_int) -> c_int; - fn BN_clear_bit(a: *mut BIGNUM, n: c_int) -> c_int; - fn BN_is_bit_set(a: *mut BIGNUM, n: c_int) -> c_int; - fn BN_mask_bits(a: *mut BIGNUM, n: c_int) -> c_int; - fn BN_lshift(r: *mut BIGNUM, a: *mut BIGNUM, n: c_int) -> c_int; - fn BN_lshift1(r: *mut BIGNUM, a: *mut BIGNUM) -> c_int; - fn BN_rshift(r: *mut BIGNUM, a: *mut BIGNUM, n: c_int) -> c_int; - fn BN_rshift1(r: *mut BIGNUM, a: *mut BIGNUM) -> c_int; - - /* Comparisons on BIGNUMs */ - fn BN_cmp(a: *mut BIGNUM, b: *mut BIGNUM) -> c_int; - fn BN_ucmp(a: *mut BIGNUM, b: *mut BIGNUM) -> c_int; - fn BN_is_zero(a: *mut BIGNUM) -> c_int; - - /* Prime handling */ - fn BN_generate_prime_ex(r: *mut BIGNUM, bits: c_int, safe: c_int, add: *mut BIGNUM, rem: *mut BIGNUM, cb: *const c_void) -> c_int; - fn BN_is_prime_ex(p: *mut BIGNUM, checks: c_int, ctx: *mut BN_CTX, cb: *const c_void) -> c_int; - fn BN_is_prime_fasttest_ex(p: *mut BIGNUM, checks: c_int, ctx: *mut BN_CTX, do_trial_division: c_int, cb: *const c_void) -> c_int; - - /* Random number handling */ - fn BN_rand(r: *mut BIGNUM, bits: c_int, top: c_int, bottom: c_int) -> c_int; - fn BN_pseudo_rand(r: *mut BIGNUM, bits: c_int, top: c_int, bottom: c_int) -> c_int; - fn BN_rand_range(r: *mut BIGNUM, range: *mut BIGNUM) -> c_int; - fn BN_pseudo_rand_range(r: *mut BIGNUM, range: *mut BIGNUM) -> c_int; - - /* Conversion from/to binary representation */ - fn BN_bn2bin(a: *mut BIGNUM, to: *mut u8) -> c_int; - fn BN_bin2bn(s: *const u8, size: c_int, ret: *mut BIGNUM) -> *mut BIGNUM; - - /* Conversion from/to string representation */ - fn BN_bn2dec(a: *mut BIGNUM) -> *const c_char; - fn CRYPTO_free(buf: *const c_char); -} - -pub struct BigNum(*mut BIGNUM); +pub struct BigNum(*mut ffi::BIGNUM); #[repr(C)] pub enum RNGProperty { @@ -94,12 +16,12 @@ pub enum RNGProperty { macro_rules! with_ctx( ($name:ident, $action:block) => ({ - let $name = BN_CTX_new(); + let $name = ffi::BN_CTX_new(); if ($name).is_null() { Err(SslError::get()) } else { let r = $action; - BN_CTX_free($name); + ffi::BN_CTX_free($name); r } }); @@ -126,7 +48,7 @@ macro_rules! with_bn_in_ctx( let tmp = BigNum::new(); match tmp { Ok($name) => { - let $ctx_name = BN_CTX_new(); + let $ctx_name = ffi::BN_CTX_new(); if ($ctx_name).is_null() { Err(SslError::get()) } else { @@ -136,7 +58,7 @@ macro_rules! with_bn_in_ctx( } else { Err(SslError::get()) }; - BN_CTX_free($ctx_name); + ffi::BN_CTX_free($ctx_name); r } }, @@ -148,110 +70,102 @@ macro_rules! with_bn_in_ctx( impl BigNum { pub fn new() -> Result<BigNum, SslError> { unsafe { - let v = BN_new(); - if v.is_null() { - Err(SslError::get()) - } else { - Ok(BigNum(v)) - } + ffi::init(); + + let v = try_ssl_null!(ffi::BN_new()); + Ok(BigNum(v)) } } pub fn new_from(n: u64) -> Result<BigNum, SslError> { - unsafe { - let bn = BN_new(); - if bn.is_null() || BN_set_word(bn, n as c_ulong) == 0 { - Err(SslError::get()) - } else { - Ok(BigNum(bn)) - } - } + BigNum::new().and_then(|v| unsafe { + try_ssl!(ffi::BN_set_word(v.raw(), n as c_ulong)); + Ok(v) + }) } pub fn new_from_slice(n: &[u8]) -> Result<BigNum, SslError> { - unsafe { - let bn = BN_new(); - if bn.is_null() || BN_bin2bn(n.as_ptr(), n.len() as c_int, bn).is_null() { - Err(SslError::get()) - } else { - Ok(BigNum(bn)) - } - } + BigNum::new().and_then(|v| unsafe { + try_ssl_null!(ffi::BN_bin2bn(n.as_ptr(), n.len() as c_int, v.raw())); + Ok(v) + }) } pub fn checked_sqr(&self) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_sqr(r.raw(), self.raw(), ctx) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_sqr(r.raw(), self.raw(), ctx) == 1 }) } } pub fn checked_nnmod(&self, n: &BigNum) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_nnmod(r.raw(), self.raw(), n.raw(), ctx) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_nnmod(r.raw(), self.raw(), n.raw(), ctx) == 1 }) } } pub fn checked_mod_add(&self, a: &BigNum, n: &BigNum) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_mod_add(r.raw(), self.raw(), a.raw(), n.raw(), ctx) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_mod_add(r.raw(), self.raw(), a.raw(), n.raw(), ctx) == 1 }) } } pub fn checked_mod_sub(&self, a: &BigNum, n: &BigNum) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_mod_sub(r.raw(), self.raw(), a.raw(), n.raw(), ctx) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_mod_sub(r.raw(), self.raw(), a.raw(), n.raw(), ctx) == 1 }) } } pub fn checked_mod_mul(&self, a: &BigNum, n: &BigNum) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_mod_mul(r.raw(), self.raw(), a.raw(), n.raw(), ctx) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_mod_mul(r.raw(), self.raw(), a.raw(), n.raw(), ctx) == 1 }) } } pub fn checked_mod_sqr(&self, n: &BigNum) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_mod_sqr(r.raw(), self.raw(), n.raw(), ctx) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_mod_sqr(r.raw(), self.raw(), n.raw(), ctx) == 1 }) } } pub fn checked_exp(&self, p: &BigNum) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_exp(r.raw(), self.raw(), p.raw(), ctx) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_exp(r.raw(), self.raw(), p.raw(), ctx) == 1 }) } } pub fn checked_mod_exp(&self, p: &BigNum, n: &BigNum) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_mod_exp(r.raw(), self.raw(), p.raw(), n.raw(), ctx) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_mod_exp(r.raw(), self.raw(), p.raw(), n.raw(), ctx) == 1 }) } } pub fn checked_mod_inv(&self, n: &BigNum) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { !BN_mod_inverse(r.raw(), self.raw(), n.raw(), ctx).is_null() }) + with_bn_in_ctx!(r, ctx, { !ffi::BN_mod_inverse(r.raw(), self.raw(), n.raw(), ctx).is_null() }) } } +/*XXX pub fn mod_word(&self, w: c_ulong) -> c_ulong { unsafe { - return BN_mod_word(self.raw(), w); + BN_mod_word(self.raw(), w) } } +*/ pub fn checked_gcd(&self, a: &BigNum) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_gcd(r.raw(), self.raw(), a.raw(), ctx) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_gcd(r.raw(), self.raw(), a.raw(), ctx) == 1 }) } } pub fn checked_generate_prime(bits: i32, safe: bool, add: Option<&BigNum>, rem: Option<&BigNum>) -> Result<BigNum, SslError> { unsafe { with_bn_in_ctx!(r, ctx, { - let add_arg = add.map(|a| a.raw()).unwrap_or(ptr::mut_null()); - let rem_arg = rem.map(|r| r.raw()).unwrap_or(ptr::mut_null()); + let add_arg = add.map(|a| a.raw()).unwrap_or(ptr::null_mut()); + let rem_arg = rem.map(|r| r.raw()).unwrap_or(ptr::null_mut()); - BN_generate_prime_ex(r.raw(), bits as c_int, safe as c_int, add_arg, rem_arg, ptr::null()) == 1 + ffi::BN_generate_prime_ex(r.raw(), bits as c_int, safe as c_int, add_arg, rem_arg, ptr::null()) == 1 }) } } @@ -259,7 +173,7 @@ impl BigNum { pub fn is_prime(&self, checks: i32) -> Result<bool, SslError> { unsafe { with_ctx!(ctx, { - Ok(BN_is_prime_ex(self.raw(), checks as c_int, ctx, ptr::null()) == 1) + Ok(ffi::BN_is_prime_ex(self.raw(), checks as c_int, ctx, ptr::null()) == 1) }) } } @@ -267,38 +181,38 @@ impl BigNum { pub fn is_prime_fast(&self, checks: i32, do_trial_division: bool) -> Result<bool, SslError> { unsafe { with_ctx!(ctx, { - Ok(BN_is_prime_fasttest_ex(self.raw(), checks as c_int, ctx, do_trial_division as c_int, ptr::null()) == 1) + Ok(ffi::BN_is_prime_fasttest_ex(self.raw(), checks as c_int, ctx, do_trial_division as c_int, ptr::null()) == 1) }) } } pub fn checked_new_random(bits: i32, prop: RNGProperty, odd: bool) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_rand(r.raw(), bits as c_int, prop as c_int, odd as c_int) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_rand(r.raw(), bits as c_int, prop as c_int, odd as c_int) == 1 }) } } pub fn checked_new_pseudo_random(bits: i32, prop: RNGProperty, odd: bool) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_pseudo_rand(r.raw(), bits as c_int, prop as c_int, odd as c_int) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_pseudo_rand(r.raw(), bits as c_int, prop as c_int, odd as c_int) == 1 }) } } pub fn checked_rand_in_range(&self) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_rand_range(r.raw(), self.raw()) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_rand_range(r.raw(), self.raw()) == 1 }) } } pub fn checked_pseudo_rand_in_range(&self) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_pseudo_rand_range(r.raw(), self.raw()) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_pseudo_rand_range(r.raw(), self.raw()) == 1 }) } } pub fn set_bit(&mut self, n: i32) -> Result<(), SslError> { unsafe { - if BN_set_bit(self.raw(), n as c_int) == 1 { + if ffi::BN_set_bit(self.raw(), n as c_int) == 1 { Ok(()) } else { Err(SslError::get()) @@ -308,7 +222,7 @@ impl BigNum { pub fn clear_bit(&mut self, n: i32) -> Result<(), SslError> { unsafe { - if BN_clear_bit(self.raw(), n as c_int) == 1 { + if ffi::BN_clear_bit(self.raw(), n as c_int) == 1 { Ok(()) } else { Err(SslError::get()) @@ -318,13 +232,13 @@ impl BigNum { pub fn is_bit_set(&self, n: i32) -> bool { unsafe { - BN_is_bit_set(self.raw(), n as c_int) == 1 + ffi::BN_is_bit_set(self.raw(), n as c_int) == 1 } } pub fn mask_bits(&mut self, n: i32) -> Result<(), SslError> { unsafe { - if BN_mask_bits(self.raw(), n as c_int) == 1 { + if ffi::BN_mask_bits(self.raw(), n as c_int) == 1 { Ok(()) } else { Err(SslError::get()) @@ -334,67 +248,67 @@ impl BigNum { pub fn checked_shl1(&self) -> Result<BigNum, SslError> { unsafe { - with_bn!(r, { BN_lshift1(r.raw(), self.raw()) == 1 }) + with_bn!(r, { ffi::BN_lshift1(r.raw(), self.raw()) == 1 }) } } pub fn checked_shr1(&self) -> Result<BigNum, SslError> { unsafe { - with_bn!(r, { BN_rshift1(r.raw(), self.raw()) == 1 }) + with_bn!(r, { ffi::BN_rshift1(r.raw(), self.raw()) == 1 }) } } pub fn checked_add(&self, a: &BigNum) -> Result<BigNum, SslError> { unsafe { - with_bn!(r, { BN_add(r.raw(), self.raw(), a.raw()) == 1 }) + with_bn!(r, { ffi::BN_add(r.raw(), self.raw(), a.raw()) == 1 }) } } pub fn checked_sub(&self, a: &BigNum) -> Result<BigNum, SslError> { unsafe { - with_bn!(r, { BN_sub(r.raw(), self.raw(), a.raw()) == 1 }) + with_bn!(r, { ffi::BN_sub(r.raw(), self.raw(), a.raw()) == 1 }) } } pub fn checked_mul(&self, a: &BigNum) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_mul(r.raw(), self.raw(), a.raw(), ctx) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_mul(r.raw(), self.raw(), a.raw(), ctx) == 1 }) } } pub fn checked_div(&self, a: &BigNum) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_div(r.raw(), ptr::mut_null(), self.raw(), a.raw(), ctx) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_div(r.raw(), ptr::null_mut(), self.raw(), a.raw(), ctx) == 1 }) } } pub fn checked_mod(&self, a: &BigNum) -> Result<BigNum, SslError> { unsafe { - with_bn_in_ctx!(r, ctx, { BN_div(ptr::mut_null(), r.raw(), self.raw(), a.raw(), ctx) == 1 }) + with_bn_in_ctx!(r, ctx, { ffi::BN_div(ptr::null_mut(), r.raw(), self.raw(), a.raw(), ctx) == 1 }) } } pub fn checked_shl(&self, a: &i32) -> Result<BigNum, SslError> { unsafe { - with_bn!(r, { BN_lshift(r.raw(), self.raw(), *a as c_int) == 1 }) + with_bn!(r, { ffi::BN_lshift(r.raw(), self.raw(), *a as c_int) == 1 }) } } pub fn checked_shr(&self, a: &i32) -> Result<BigNum, SslError> { unsafe { - with_bn!(r, { BN_rshift(r.raw(), self.raw(), *a as c_int) == 1 }) + with_bn!(r, { ffi::BN_rshift(r.raw(), self.raw(), *a as c_int) == 1 }) } } pub fn negate(&mut self) { unsafe { - BN_set_negative(self.raw(), !self.is_negative() as c_int) + ffi::BN_set_negative(self.raw(), !self.is_negative() as c_int) } } pub fn abs_cmp(&self, oth: BigNum) -> Ordering { unsafe { - let res = BN_ucmp(self.raw(), oth.raw()) as i32; + let res = ffi::BN_ucmp(self.raw(), oth.raw()) as i32; if res < 0 { Less } else if res > 0 { @@ -413,7 +327,7 @@ impl BigNum { pub fn num_bits(&self) -> i32 { unsafe { - BN_num_bits(self.raw()) as i32 + ffi::BN_num_bits(self.raw()) as i32 } } @@ -421,7 +335,7 @@ impl BigNum { (self.num_bits() + 7) / 8 } - unsafe fn raw(&self) -> *mut BIGNUM { + unsafe fn raw(&self) -> *mut ffi::BIGNUM { let BigNum(n) = *self; n } @@ -430,7 +344,7 @@ impl BigNum { let size = self.num_bytes() as uint; let mut v = Vec::with_capacity(size); unsafe { - BN_bn2bin(self.raw(), v.as_mut_ptr()); + ffi::BN_bn2bin(self.raw(), v.as_mut_ptr()); v.set_len(size); } v @@ -438,11 +352,11 @@ impl BigNum { pub fn to_dec_str(&self) -> String { unsafe { - let buf = BN_bn2dec(self.raw()); + let buf = ffi::BN_bn2dec(self.raw()); assert!(!buf.is_null()); let c_str = CString::new(buf, false); let str = c_str.as_str().unwrap().to_string(); - CRYPTO_free(buf); + ffi::CRYPTO_free(buf as *mut c_void); str } } @@ -454,28 +368,11 @@ impl fmt::Show for BigNum { } } -impl One for BigNum { - fn one() -> BigNum { - BigNum::new_from(1).unwrap() - } -} - -impl Zero for BigNum { - fn zero() -> BigNum { - BigNum::new_from(0).unwrap() - } - fn is_zero(&self) -> bool { - unsafe { - BN_is_zero(self.raw()) == 1 - } - } -} - impl Eq for BigNum { } impl PartialEq for BigNum { fn eq(&self, oth: &BigNum) -> bool { unsafe { - BN_cmp(self.raw(), oth.raw()) == 0 + ffi::BN_cmp(self.raw(), oth.raw()) == 0 } } } @@ -489,7 +386,7 @@ impl Ord for BigNum { impl PartialOrd for BigNum { fn partial_cmp(&self, oth: &BigNum) -> Option<Ordering> { unsafe { - let v = BN_cmp(self.raw(), oth.raw()); + let v = ffi::BN_cmp(self.raw(), oth.raw()); let ret = if v == 0 { Equal @@ -507,18 +404,15 @@ impl Drop for BigNum { fn drop(&mut self) { unsafe { if !self.raw().is_null() { - BN_clear_free(self.raw()); + ffi::BN_clear_free(self.raw()); } } } } pub mod unchecked { - use super::{BIGNUM, BigNum}; - - extern { - fn BN_dup(n: *mut BIGNUM) -> *mut BIGNUM; - } + use ffi; + use super::{BigNum}; impl Add<BigNum, BigNum> for BigNum { fn add(&self, oth: &BigNum) -> BigNum { @@ -565,9 +459,9 @@ pub mod unchecked { impl Clone for BigNum { fn clone(&self) -> BigNum { unsafe { - let r = BN_dup(self.raw()); + let r = ffi::BN_dup(self.raw()); if r.is_null() { - fail!("Unexpected null pointer from BN_dup(..)") + panic!("Unexpected null pointer from BN_dup(..)") } else { BigNum(r) } diff --git a/src/crypto/hash.rs b/src/crypto/hash.rs index 4a4031e2..b5d0eab5 100644 --- a/src/crypto/hash.rs +++ b/src/crypto/hash.rs @@ -1,6 +1,8 @@ -use libc; use libc::c_uint; use std::ptr; +use std::io; + +use ffi; pub enum HashType { MD5, @@ -12,80 +14,75 @@ pub enum HashType { RIPEMD160 } -#[allow(dead_code)] -#[allow(non_camel_case_types)] -#[repr(C)] -pub struct EVP_MD_CTX { - digest: *mut EVP_MD, - engine: *mut libc::c_void, - flags: libc::c_ulong, - md_data: *mut libc::c_void, - pctx: *mut EVP_PKEY_CTX, - update: *mut libc::c_void +pub fn evpmd(t: HashType) -> (*const ffi::EVP_MD, uint) { + unsafe { + match t { + HashType::MD5 => (ffi::EVP_md5(), 16u), + HashType::SHA1 => (ffi::EVP_sha1(), 20u), + HashType::SHA224 => (ffi::EVP_sha224(), 28u), + HashType::SHA256 => (ffi::EVP_sha256(), 32u), + HashType::SHA384 => (ffi::EVP_sha384(), 48u), + HashType::SHA512 => (ffi::EVP_sha512(), 64u), + HashType::RIPEMD160 => (ffi::EVP_ripemd160(), 20u), + } + } } -#[allow(non_camel_case_types)] -#[repr(C)] -pub struct EVP_MD; - -#[allow(non_camel_case_types)] -#[repr(C)] -pub struct EVP_PKEY_CTX; - -#[link(name = "crypto")] -extern { - fn EVP_MD_CTX_create() -> *mut EVP_MD_CTX; - fn EVP_MD_CTX_destroy(ctx: *mut EVP_MD_CTX); - - fn EVP_md5() -> *const EVP_MD; - fn EVP_sha1() -> *const EVP_MD; - fn EVP_sha224() -> *const EVP_MD; - fn EVP_sha256() -> *const EVP_MD; - fn EVP_sha384() -> *const EVP_MD; - fn EVP_sha512() -> *const EVP_MD; - fn EVP_ripemd160() -> *const EVP_MD; - - fn EVP_DigestInit(ctx: *mut EVP_MD_CTX, typ: *const EVP_MD); - fn EVP_DigestUpdate(ctx: *mut EVP_MD_CTX, data: *const u8, n: c_uint); - fn EVP_DigestFinal(ctx: *mut EVP_MD_CTX, res: *mut u8, n: *mut u32); +pub struct HasherContext { + ptr: *mut ffi::EVP_MD_CTX } -pub fn evpmd(t: HashType) -> (*const EVP_MD, uint) { - unsafe { - match t { - MD5 => (EVP_md5(), 16u), - SHA1 => (EVP_sha1(), 20u), - SHA224 => (EVP_sha224(), 28u), - SHA256 => (EVP_sha256(), 32u), - SHA384 => (EVP_sha384(), 48u), - SHA512 => (EVP_sha512(), 64u), - RIPEMD160 => (EVP_ripemd160(), 20u), +impl HasherContext { + pub fn new() -> HasherContext { + ffi::init(); + + unsafe { + HasherContext { ptr: ffi::EVP_MD_CTX_create() } + } + } +} + +impl Drop for HasherContext { + fn drop(&mut self) { + unsafe { + ffi::EVP_MD_CTX_destroy(self.ptr); } } } #[allow(dead_code)] pub struct Hasher { - evp: *const EVP_MD, - ctx: *mut EVP_MD_CTX, + evp: *const ffi::EVP_MD, + ctx: HasherContext, len: uint, } +impl io::Writer for Hasher { + fn write(&mut self, buf: &[u8]) -> io::IoResult<()> { + self.update(buf); + Ok(()) + } +} + impl Hasher { pub fn new(ht: HashType) -> Hasher { - let ctx = unsafe { EVP_MD_CTX_create() }; + let ctx = HasherContext::new(); + Hasher::with_context(ctx, ht) + } + + pub fn with_context(ctx: HasherContext, ht: HashType) -> Hasher { let (evp, mdlen) = evpmd(ht); unsafe { - EVP_DigestInit(ctx, evp); + ffi::EVP_DigestInit_ex(ctx.ptr, evp, 0 as *const _); } Hasher { evp: evp, ctx: ctx, len: mdlen } } /// Update this hasher with more input bytes - pub fn update(&self, data: &[u8]) { + pub fn update(&mut self, data: &[u8]) { unsafe { - EVP_DigestUpdate(self.ctx, data.as_ptr(), data.len() as c_uint) + ffi::EVP_DigestUpdate(self.ctx.ptr, data.as_ptr(), data.len() as c_uint) } } @@ -93,20 +90,21 @@ impl Hasher { * Return the digest of all bytes added to this hasher since its last * initialization */ - pub fn final(&self) -> Vec<u8> { - unsafe { - let mut res = Vec::from_elem(self.len, 0u8); - EVP_DigestFinal(self.ctx, res.as_mut_ptr(), ptr::null_mut()); - res - } + pub fn finalize(self) -> Vec<u8> { + let (res, _) = self.finalize_reuse(); + res } -} -impl Drop for Hasher { - fn drop(&mut self) { + /** + * Return the digest of all bytes added to this hasher since its last + * initialization and its context for reuse + */ + pub fn finalize_reuse(self) -> (Vec<u8>, HasherContext) { + let mut res = Vec::from_elem(self.len, 0u8); unsafe { - EVP_MD_CTX_destroy(self.ctx); - } + ffi::EVP_DigestFinal_ex(self.ctx.ptr, res.as_mut_ptr(), ptr::null_mut()) + }; + (res, self.ctx) } } @@ -115,9 +113,9 @@ impl Drop for Hasher { * value */ pub fn hash(t: HashType, data: &[u8]) -> Vec<u8> { - let h = Hasher::new(t); + let mut h = Hasher::new(t); h.update(data); - h.final() + h.finalize() } #[cfg(test)] @@ -135,9 +133,7 @@ mod tests { expected_output: output.to_string() } } - fn hash_test(hashtype: super::HashType, hashtest: &HashTest) { - let calced_raw = super::hash(hashtype, hashtest.input.as_slice()); - + fn compare(calced_raw: Vec<u8>, hashtest: &HashTest) { let calced = calced_raw.as_slice().to_hex().into_string(); if calced != hashtest.expected_output { @@ -147,6 +143,28 @@ mod tests { assert!(calced == hashtest.expected_output); } + fn hash_test(hashtype: super::HashType, hashtest: &HashTest) { + let calced_raw = super::hash(hashtype, hashtest.input.as_slice()); + compare(calced_raw, hashtest); + } + + fn hash_reuse_test(ctx: super::HasherContext, hashtype: super::HashType, + hashtest: &HashTest) -> super::HasherContext { + let mut h = super::Hasher::with_context(ctx, hashtype); + h.update(hashtest.input.as_slice()); + let (calced_raw, ctx) = h.finalize_reuse(); + + compare(calced_raw, hashtest); + + ctx + } + + pub fn hash_writer(t: super::HashType, data: &[u8]) -> Vec<u8> { + let mut h = super::Hasher::new(t); + h.write(data).unwrap(); + h.finalize() + } + // Test vectors from http://www.nsrl.nist.gov/testdata/ #[test] fn test_md5() { @@ -165,8 +183,10 @@ mod tests { HashTest("A510CD18F7A56852EB0319", "577e216843dd11573574d3fb209b97d8"), HashTest("AAED18DBE8938C19ED734A8D", "6f80fb775f27e0a4ce5c2f42fc72c5f1")]; + let mut ctx = super::HasherContext::new(); + for test in tests.iter() { - hash_test(super::MD5, test); + ctx = hash_reuse_test(ctx, super::HashType::MD5, test); } } @@ -177,7 +197,7 @@ mod tests { ]; for test in tests.iter() { - hash_test(super::SHA1, test); + hash_test(super::HashType::SHA1, test); } } @@ -188,7 +208,7 @@ mod tests { ]; for test in tests.iter() { - hash_test(super::SHA256, test); + hash_test(super::HashType::SHA256, test); } } @@ -199,7 +219,14 @@ mod tests { ]; for test in tests.iter() { - hash_test(super::RIPEMD160, test); + hash_test(super::HashType::RIPEMD160, test); } } + + #[test] + fn test_writer() { + let tv = "rust-openssl".as_bytes(); + let ht = super::HashType::RIPEMD160; + assert!(hash_writer(ht, tv) == super::hash(ht, tv)); + } } diff --git a/src/crypto/hmac.rs b/src/crypto/hmac.rs index 5bf62586..a7a854b7 100644 --- a/src/crypto/hmac.rs +++ b/src/crypto/hmac.rs @@ -14,50 +14,30 @@ * limitations under the License. */ -use libc::{c_uchar, c_int, c_uint}; -use crypto::hash; - -#[allow(dead_code)] -#[allow(non_camel_case_types)] -#[repr(C)] -pub struct HMAC_CTX { - md: *mut hash::EVP_MD, - md_ctx: hash::EVP_MD_CTX, - i_ctx: hash::EVP_MD_CTX, - o_ctx: hash::EVP_MD_CTX, - key_length: c_uint, - key: [c_uchar, ..128] -} +use libc::{c_int, c_uint}; -#[link(name = "crypto")] -extern { - fn HMAC_CTX_init(ctx: *mut HMAC_CTX); - fn HMAC_Init_ex(ctx: *mut HMAC_CTX, key: *const u8, keylen: c_int, md: *const hash::EVP_MD, imple: *const ENGINE); - fn HMAC_Update(ctx: *mut HMAC_CTX, input: *const u8, len: c_uint); - fn HMAC_Final(ctx: *mut HMAC_CTX, output: *mut u8, len: *mut c_uint); -} - -#[allow(non_camel_case_types)] -#[repr(C)] -struct ENGINE; +use crypto::hash; +use ffi; pub struct HMAC { - ctx: HMAC_CTX, + ctx: ffi::HMAC_CTX, len: uint, } #[allow(non_snake_case)] pub fn HMAC(ht: hash::HashType, key: &[u8]) -> HMAC { unsafe { + ffi::init(); + let (evp, mdlen) = hash::evpmd(ht); - let mut ctx : HMAC_CTX = ::std::mem::uninitialized(); + let mut ctx : ffi::HMAC_CTX = ::std::mem::uninitialized(); - HMAC_CTX_init(&mut ctx); - HMAC_Init_ex(&mut ctx, - key.as_ptr(), - key.len() as c_int, - evp, 0 as *const _); + ffi::HMAC_CTX_init(&mut ctx); + ffi::HMAC_Init_ex(&mut ctx, + key.as_ptr(), + key.len() as c_int, + evp, 0 as *const _); HMAC { ctx: ctx, len: mdlen } } @@ -66,15 +46,15 @@ pub fn HMAC(ht: hash::HashType, key: &[u8]) -> HMAC { impl HMAC { pub fn update(&mut self, data: &[u8]) { unsafe { - HMAC_Update(&mut self.ctx, data.as_ptr(), data.len() as c_uint) + ffi::HMAC_Update(&mut self.ctx, data.as_ptr(), data.len() as c_uint) } } - pub fn final(&mut self) -> Vec<u8> { + pub fn finalize(&mut self) -> Vec<u8> { unsafe { let mut res = Vec::from_elem(self.len, 0u8); let mut outlen = 0; - HMAC_Final(&mut self.ctx, res.as_mut_ptr(), &mut outlen); + ffi::HMAC_Final(&mut self.ctx, res.as_mut_ptr(), &mut outlen); assert!(self.len == outlen as uint) res } @@ -84,7 +64,7 @@ impl HMAC { #[cfg(test)] mod tests { use serialize::hex::FromHex; - use crypto::hash::{HashType, MD5, SHA1, SHA224, SHA256, SHA384, SHA512}; + use crypto::hash::HashType::{mod, MD5, SHA1, SHA224, SHA256, SHA384, SHA512}; use super::HMAC; #[test] @@ -116,7 +96,7 @@ mod tests { for &(ref key, ref data, ref res) in tests.iter() { let mut hmac = HMAC(MD5, key.as_slice()); hmac.update(data.as_slice()); - assert_eq!(hmac.final(), *res); + assert_eq!(hmac.finalize(), *res); } } @@ -149,7 +129,7 @@ mod tests { for &(ref key, ref data, ref res) in tests.iter() { let mut hmac = HMAC(SHA1, key.as_slice()); hmac.update(data.as_slice()); - assert_eq!(hmac.final(), *res); + assert_eq!(hmac.finalize(), *res); } } @@ -173,7 +153,7 @@ mod tests { for (&(ref key, ref data), res) in tests.iter().zip(results.iter()) { let mut hmac = HMAC(ty, key.as_slice()); hmac.update(data.as_slice()); - assert_eq!(hmac.final(), *res); + assert_eq!(hmac.finalize(), *res); } } @@ -187,7 +167,7 @@ mod tests { "95e9a0db962095adaebe9b2d6f0dbce2d499f112f2d2b7273fa6870e".from_hex().unwrap(), "3a854166ac5d9f023f54d517d0b39dbd946770db9c2b95c9f6f565d1".from_hex().unwrap() ]; - test_sha2(SHA224, results); + test_sha2(SHA224, &results); } #[test] @@ -200,7 +180,7 @@ mod tests { "60e431591ee0b67f0d8a26aacbf5b77f8e0bc6213728c5140546040f0ee37f54".from_hex().unwrap(), "9b09ffa71b942fcb27635fbcd5b0e944bfdc63644f0713938a7f51535c3a35e2".from_hex().unwrap() ]; - test_sha2(SHA256, results); + test_sha2(SHA256, &results); } #[test] @@ -225,7 +205,7 @@ mod tests { 602420feb0b8fb9adccebb82461e99c5\ a678cc31e799176d3860e6110c46523e".from_hex().unwrap() ]; - test_sha2(SHA384, results); + test_sha2(SHA384, &results); } #[test] @@ -256,6 +236,6 @@ mod tests { b6022cac3c4982b10d5eeb55c3e4de15\ 134676fb6de0446065c97440fa8c6a58".from_hex().unwrap() ]; - test_sha2(SHA512, results); + test_sha2(SHA512, &results); } } diff --git a/src/crypto/memcmp.rs b/src/crypto/memcmp.rs new file mode 100644 index 00000000..299effa9 --- /dev/null +++ b/src/crypto/memcmp.rs @@ -0,0 +1,39 @@ +use libc::size_t; +use ffi; + +/// Returns `true` iff `a` and `b` contain the same bytes. +/// +/// This operation takes an amount of time dependent on the length of the two +/// arrays given, but is independent of the contents of a and b. +/// +/// # Failure +/// +/// This function will panic the current task if `a` and `b` do not have the same +/// length. +pub fn eq(a: &[u8], b: &[u8]) -> bool { + assert!(a.len() == b.len()); + let ret = unsafe { + ffi::CRYPTO_memcmp(a.as_ptr() as *const _, + b.as_ptr() as *const _, + a.len() as size_t) + }; + ret == 0 +} + +#[cfg(test)] +mod tests { + use super::eq; + + #[test] + fn test_eq() { + assert!(eq(&[], &[])); + assert!(eq(&[1], &[1])); + assert!(!eq(&[1, 2, 3], &[1, 2, 4])); + } + + #[test] + #[should_fail] + fn test_diff_lens() { + eq(&[], &[1]); + } +} diff --git a/src/crypto/mod.rs b/src/crypto/mod.rs index d7c62f98..e695de33 100644 --- a/src/crypto/mod.rs +++ b/src/crypto/mod.rs @@ -21,3 +21,4 @@ pub mod pkcs5; pub mod pkey; pub mod rand; pub mod symm; +pub mod memcmp; diff --git a/src/crypto/pkcs5.rs b/src/crypto/pkcs5.rs index b795d84a..6efd23ff 100644 --- a/src/crypto/pkcs5.rs +++ b/src/crypto/pkcs5.rs @@ -1,12 +1,5 @@ use libc::c_int; - -#[link(name = "crypto")] -extern { - fn PKCS5_PBKDF2_HMAC_SHA1(pass: *const u8, passlen: c_int, - salt: *const u8, saltlen: c_int, - iter: c_int, keylen: c_int, - out: *mut u8) -> c_int; -} +use ffi; /// Derives a key from a password and salt using the PBKDF2-HMAC-SHA1 algorithm. pub fn pbkdf2_hmac_sha1(pass: &str, salt: &[u8], iter: uint, keylen: uint) -> Vec<u8> { @@ -16,13 +9,15 @@ pub fn pbkdf2_hmac_sha1(pass: &str, salt: &[u8], iter: uint, keylen: uint) -> Ve let mut out = Vec::with_capacity(keylen); - let r = PKCS5_PBKDF2_HMAC_SHA1( + ffi::init(); + + let r = ffi::PKCS5_PBKDF2_HMAC_SHA1( pass.as_ptr(), pass.len() as c_int, salt.as_ptr(), salt.len() as c_int, iter as c_int, keylen as c_int, out.as_mut_ptr()); - if r != 1 { fail!(); } + if r != 1 { panic!(); } out.set_len(keylen); diff --git a/src/crypto/pkey.rs b/src/crypto/pkey.rs index d4a98713..146d2aa3 100644 --- a/src/crypto/pkey.rs +++ b/src/crypto/pkey.rs @@ -1,40 +1,11 @@ -use libc::{c_char, c_int, c_uint}; -use libc; +use libc::{c_int, c_uint}; use std::mem; use std::ptr; -use crypto::hash::{HashType, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, RIPEMD160}; - -#[allow(non_camel_case_types)] -pub type EVP_PKEY = *mut libc::c_void; - -#[allow(non_camel_case_types)] -pub type RSA = *mut libc::c_void; - -#[link(name = "crypto")] -extern { - fn EVP_PKEY_new() -> *mut EVP_PKEY; - fn EVP_PKEY_free(k: *mut EVP_PKEY); - fn EVP_PKEY_assign(pkey: *mut EVP_PKEY, typ: c_int, key: *const c_char) -> c_int; - fn EVP_PKEY_get1_RSA(k: *mut EVP_PKEY) -> *mut RSA; - fn EVP_PKEY_set1_RSA(k: *mut EVP_PKEY, r: *mut RSA) -> c_int; - - fn i2d_RSA_PUBKEY(k: *mut RSA, buf: *const *mut u8) -> c_int; - fn d2i_RSA_PUBKEY(k: *const *mut RSA, buf: *const *const u8, len: c_uint) -> *mut RSA; - fn i2d_RSAPrivateKey(k: *mut RSA, buf: *const *mut u8) -> c_int; - fn d2i_RSAPrivateKey(k: *const *mut RSA, buf: *const *const u8, len: c_uint) -> *mut RSA; - - fn RSA_generate_key(modsz: c_uint, e: c_uint, cb: *const u8, cbarg: *const u8) -> *mut RSA; - fn RSA_size(k: *mut RSA) -> c_uint; - - fn RSA_public_encrypt(flen: c_uint, from: *const u8, to: *mut u8, k: *mut RSA, - pad: c_int) -> c_int; - fn RSA_private_decrypt(flen: c_uint, from: *const u8, to: *mut u8, k: *mut RSA, - pad: c_int) -> c_int; - fn RSA_sign(t: c_int, m: *const u8, mlen: c_uint, sig: *mut u8, siglen: *mut c_uint, - k: *mut RSA) -> c_int; - fn RSA_verify(t: c_int, m: *const u8, mlen: c_uint, sig: *const u8, siglen: c_uint, - k: *mut RSA) -> c_int; -} +use bio::{MemBio}; +use crypto::hash::HashType; +use ffi; +use ssl::error::{SslError, StreamError}; + enum Parts { Neither, @@ -58,25 +29,25 @@ pub enum EncryptionPadding { fn openssl_padding_code(padding: EncryptionPadding) -> c_int { match padding { - OAEP => 4, - PKCS1v15 => 1 + EncryptionPadding::OAEP => 4, + EncryptionPadding::PKCS1v15 => 1 } } fn openssl_hash_nid(hash: HashType) -> c_int { match hash { - MD5 => 4, // NID_md5, - SHA1 => 64, // NID_sha1 - SHA224 => 675, // NID_sha224 - SHA256 => 672, // NID_sha256 - SHA384 => 673, // NID_sha384 - SHA512 => 674, // NID_sha512 - RIPEMD160 => 117, // NID_ripemd160 + HashType::MD5 => 4, // NID_md5, + HashType::SHA1 => 64, // NID_sha1 + HashType::SHA224 => 675, // NID_sha224 + HashType::SHA256 => 672, // NID_sha256 + HashType::SHA384 => 673, // NID_sha384 + HashType::SHA512 => 674, // NID_sha512 + HashType::RIPEMD160 => 117, // NID_ripemd160 } } pub struct PKey { - evp: *mut EVP_PKEY, + evp: *mut ffi::EVP_PKEY, parts: Parts, } @@ -84,16 +55,18 @@ pub struct PKey { impl PKey { pub fn new() -> PKey { unsafe { + ffi::init(); + PKey { - evp: EVP_PKEY_new(), - parts: Neither, + evp: ffi::EVP_PKEY_new(), + parts: Parts::Neither, } } } - fn _tostr(&self, f: unsafe extern "C" fn(*mut RSA, *const *mut u8) -> c_int) -> Vec<u8> { + fn _tostr(&self, f: unsafe extern "C" fn(*mut ffi::RSA, *const *mut u8) -> c_int) -> Vec<u8> { unsafe { - let rsa = EVP_PKEY_get1_RSA(self.evp); + let rsa = ffi::EVP_PKEY_get1_RSA(self.evp); let len = f(rsa, ptr::null()); if len < 0 as c_int { return vec!(); } let mut s = Vec::from_elem(len as uint, 0u8); @@ -105,17 +78,17 @@ impl PKey { } } - fn _fromstr(&mut self, s: &[u8], f: unsafe extern "C" fn(*const *mut RSA, *const *const u8, c_uint) -> *mut RSA) { + fn _fromstr(&mut self, s: &[u8], f: unsafe extern "C" fn(*const *mut ffi::RSA, *const *const u8, c_uint) -> *mut ffi::RSA) { unsafe { let rsa = ptr::null_mut(); f(&rsa, &s.as_ptr(), s.len() as c_uint); - EVP_PKEY_set1_RSA(self.evp, rsa); + ffi::EVP_PKEY_set1_RSA(self.evp, rsa); } } pub fn gen(&mut self, keysz: uint) { unsafe { - let rsa = RSA_generate_key( + let rsa = ffi::RSA_generate_key( keysz as c_uint, 65537u as c_uint, ptr::null(), @@ -123,12 +96,12 @@ impl PKey { ); // XXX: 6 == NID_rsaEncryption - EVP_PKEY_assign( + ffi::EVP_PKEY_assign( self.evp, 6 as c_int, mem::transmute(rsa)); - self.parts = Both; + self.parts = Parts::Both; } } @@ -136,15 +109,15 @@ impl PKey { * Returns a serialized form of the public key, suitable for load_pub(). */ pub fn save_pub(&self) -> Vec<u8> { - self._tostr(i2d_RSA_PUBKEY) + self._tostr(ffi::i2d_RSA_PUBKEY) } /** * Loads a serialized form of the public key, as produced by save_pub(). */ pub fn load_pub(&mut self, s: &[u8]) { - self._fromstr(s, d2i_RSA_PUBKEY); - self.parts = Public; + self._fromstr(s, ffi::d2i_RSA_PUBKEY); + self.parts = Parts::Public; } /** @@ -152,15 +125,28 @@ impl PKey { * load_priv(). */ pub fn save_priv(&self) -> Vec<u8> { - self._tostr(i2d_RSAPrivateKey) + self._tostr(ffi::i2d_RSAPrivateKey) } /** * Loads a serialized form of the public and private keys, as produced by * save_priv(). */ pub fn load_priv(&mut self, s: &[u8]) { - self._fromstr(s, d2i_RSAPrivateKey); - self.parts = Both; + self._fromstr(s, ffi::d2i_RSAPrivateKey); + self.parts = Parts::Both; + } + + /// Stores private key as a PEM + // FIXME: also add password and encryption + pub fn write_pem(&self, writer: &mut Writer/*, password: Option<String>*/) -> Result<(), SslError> { + let mut mem_bio = try!(MemBio::new()); + unsafe { + try_ssl!(ffi::PEM_write_bio_PrivateKey(mem_bio.get_handle(), self.evp, ptr::null(), + ptr::null_mut(), -1, None, ptr::null_mut())); + + } + let buf = try!(mem_bio.read_to_end().map_err(StreamError)); + writer.write(buf.as_slice()).map_err(StreamError) } /** @@ -168,7 +154,7 @@ impl PKey { */ pub fn size(&self) -> uint { unsafe { - RSA_size(EVP_PKEY_get1_RSA(self.evp)) as uint + ffi::RSA_size(ffi::EVP_PKEY_get1_RSA(self.evp)) as uint } } @@ -177,24 +163,24 @@ impl PKey { */ pub fn can(&self, r: Role) -> bool { match r { - Encrypt => + Role::Encrypt => match self.parts { - Neither => false, + Parts::Neither => false, _ => true, }, - Verify => + Role::Verify => match self.parts { - Neither => false, + Parts::Neither => false, _ => true, }, - Decrypt => + Role::Decrypt => match self.parts { - Both => true, + Parts::Both => true, _ => false, }, - Sign => + Role::Sign => match self.parts { - Both => true, + Parts::Both => true, _ => false, }, } @@ -206,8 +192,8 @@ impl PKey { */ pub fn max_data(&self) -> uint { unsafe { - let rsa = EVP_PKEY_get1_RSA(self.evp); - let len = RSA_size(rsa); + let rsa = ffi::EVP_PKEY_get1_RSA(self.evp); + let len = ffi::RSA_size(rsa); // 41 comes from RSA_public_encrypt(3) for OAEP len as uint - 41u @@ -216,14 +202,14 @@ impl PKey { pub fn encrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec<u8> { unsafe { - let rsa = EVP_PKEY_get1_RSA(self.evp); - let len = RSA_size(rsa); + let rsa = ffi::EVP_PKEY_get1_RSA(self.evp); + let len = ffi::RSA_size(rsa); assert!(s.len() < self.max_data()); let mut r = Vec::from_elem(len as uint + 1u, 0u8); - let rv = RSA_public_encrypt( + let rv = ffi::RSA_public_encrypt( s.len() as c_uint, s.as_ptr(), r.as_mut_ptr(), @@ -241,14 +227,14 @@ impl PKey { pub fn decrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec<u8> { unsafe { - let rsa = EVP_PKEY_get1_RSA(self.evp); - let len = RSA_size(rsa); + let rsa = ffi::EVP_PKEY_get1_RSA(self.evp); + let len = ffi::RSA_size(rsa); - assert_eq!(s.len() as c_uint, RSA_size(rsa)); + assert_eq!(s.len() as c_uint, ffi::RSA_size(rsa)); let mut r = Vec::from_elem(len as uint + 1u, 0u8); - let rv = RSA_private_decrypt( + let rv = ffi::RSA_private_decrypt( s.len() as c_uint, s.as_ptr(), r.as_mut_ptr(), @@ -268,32 +254,32 @@ impl PKey { * Encrypts data using OAEP padding, returning the encrypted data. The * supplied data must not be larger than max_data(). */ - pub fn encrypt(&self, s: &[u8]) -> Vec<u8> { self.encrypt_with_padding(s, OAEP) } + pub fn encrypt(&self, s: &[u8]) -> Vec<u8> { self.encrypt_with_padding(s, EncryptionPadding::OAEP) } /** * Decrypts data, expecting OAEP padding, returning the decrypted data. */ - pub fn decrypt(&self, s: &[u8]) -> Vec<u8> { self.decrypt_with_padding(s, OAEP) } + pub fn decrypt(&self, s: &[u8]) -> Vec<u8> { self.decrypt_with_padding(s, EncryptionPadding::OAEP) } /** * Signs data, using OpenSSL's default scheme and sha256. Unlike encrypt(), * can process an arbitrary amount of data; returns the signature. */ - pub fn sign(&self, s: &[u8]) -> Vec<u8> { self.sign_with_hash(s, SHA256) } + pub fn sign(&self, s: &[u8]) -> Vec<u8> { self.sign_with_hash(s, HashType::SHA256) } /** * Verifies a signature s (using OpenSSL's default scheme and sha256) on a * message m. Returns true if the signature is valid, and false otherwise. */ - pub fn verify(&self, m: &[u8], s: &[u8]) -> bool { self.verify_with_hash(m, s, SHA256) } + pub fn verify(&self, m: &[u8], s: &[u8]) -> bool { self.verify_with_hash(m, s, HashType::SHA256) } pub fn sign_with_hash(&self, s: &[u8], hash: HashType) -> Vec<u8> { unsafe { - let rsa = EVP_PKEY_get1_RSA(self.evp); - let mut len = RSA_size(rsa); + let rsa = ffi::EVP_PKEY_get1_RSA(self.evp); + let mut len = ffi::RSA_size(rsa); let mut r = Vec::from_elem(len as uint + 1u, 0u8); - let rv = RSA_sign( + let rv = ffi::RSA_sign( openssl_hash_nid(hash), s.as_ptr(), s.len() as c_uint, @@ -312,9 +298,9 @@ impl PKey { pub fn verify_with_hash(&self, m: &[u8], s: &[u8], hash: HashType) -> bool { unsafe { - let rsa = EVP_PKEY_get1_RSA(self.evp); + let rsa = ffi::EVP_PKEY_get1_RSA(self.evp); - let rv = RSA_verify( + let rv = ffi::RSA_verify( openssl_hash_nid(hash), m.as_ptr(), m.len() as c_uint, @@ -326,19 +312,23 @@ impl PKey { rv == 1 as c_int } } + + pub unsafe fn get_handle(&self) -> *mut ffi::EVP_PKEY { + return self.evp + } } impl Drop for PKey { fn drop(&mut self) { unsafe { - EVP_PKEY_free(self.evp); + ffi::EVP_PKEY_free(self.evp); } } } #[cfg(test)] mod tests { - use crypto::hash::{MD5, SHA1}; + use crypto::hash::HashType::{MD5, SHA1}; #[test] fn test_gen_pub() { @@ -348,14 +338,14 @@ mod tests { k1.load_pub(k0.save_pub().as_slice()); assert_eq!(k0.save_pub(), k1.save_pub()); assert_eq!(k0.size(), k1.size()); - assert!(k0.can(super::Encrypt)); - assert!(k0.can(super::Decrypt)); - assert!(k0.can(super::Verify)); - assert!(k0.can(super::Sign)); - assert!(k1.can(super::Encrypt)); - assert!(!k1.can(super::Decrypt)); - assert!(k1.can(super::Verify)); - assert!(!k1.can(super::Sign)); + assert!(k0.can(super::Role::Encrypt)); + assert!(k0.can(super::Role::Decrypt)); + assert!(k0.can(super::Role::Verify)); + assert!(k0.can(super::Role::Sign)); + assert!(k1.can(super::Role::Encrypt)); + assert!(!k1.can(super::Role::Decrypt)); + assert!(k1.can(super::Role::Verify)); + assert!(!k1.can(super::Role::Sign)); } #[test] @@ -366,14 +356,14 @@ mod tests { k1.load_priv(k0.save_priv().as_slice()); assert_eq!(k0.save_priv(), k1.save_priv()); assert_eq!(k0.size(), k1.size()); - assert!(k0.can(super::Encrypt)); - assert!(k0.can(super::Decrypt)); - assert!(k0.can(super::Verify)); - assert!(k0.can(super::Sign)); - assert!(k1.can(super::Encrypt)); - assert!(k1.can(super::Decrypt)); - assert!(k1.can(super::Verify)); - assert!(k1.can(super::Sign)); + assert!(k0.can(super::Role::Encrypt)); + assert!(k0.can(super::Role::Decrypt)); + assert!(k0.can(super::Role::Verify)); + assert!(k0.can(super::Role::Sign)); + assert!(k1.can(super::Role::Encrypt)); + assert!(k1.can(super::Role::Decrypt)); + assert!(k1.can(super::Role::Verify)); + assert!(k1.can(super::Role::Sign)); } #[test] @@ -395,8 +385,8 @@ mod tests { let msg = vec!(0xdeu8, 0xadu8, 0xd0u8, 0x0du8); k0.gen(512u); k1.load_pub(k0.save_pub().as_slice()); - let emsg = k1.encrypt_with_padding(msg.as_slice(), super::PKCS1v15); - let dmsg = k0.decrypt_with_padding(emsg.as_slice(), super::PKCS1v15); + let emsg = k1.encrypt_with_padding(msg.as_slice(), super::EncryptionPadding::PKCS1v15); + let dmsg = k0.decrypt_with_padding(emsg.as_slice(), super::EncryptionPadding::PKCS1v15); assert!(msg == dmsg); } diff --git a/src/crypto/rand.rs b/src/crypto/rand.rs index 9db87fcd..92d38f2c 100644 --- a/src/crypto/rand.rs +++ b/src/crypto/rand.rs @@ -1,16 +1,13 @@ use libc::c_int; - -#[link(name = "crypto")] -extern { - fn RAND_bytes(buf: *mut u8, num: c_int) -> c_int; -} +use ffi; pub fn rand_bytes(len: uint) -> Vec<u8> { unsafe { let mut out = Vec::with_capacity(len); - let r = RAND_bytes(out.as_mut_ptr(), len as c_int); - if r != 1 as c_int { fail!() } + ffi::init(); + let r = ffi::RAND_bytes(out.as_mut_ptr(), len as c_int); + if r != 1 as c_int { panic!() } out.set_len(len); diff --git a/src/crypto/symm.rs b/src/crypto/symm.rs index 6bba7267..998d351c 100644 --- a/src/crypto/symm.rs +++ b/src/crypto/symm.rs @@ -1,36 +1,6 @@ -use libc::{c_int, c_uint}; -use libc; +use libc::{c_int}; -#[allow(non_camel_case_types)] -pub type EVP_CIPHER_CTX = *mut libc::c_void; - -#[allow(non_camel_case_types)] -pub type EVP_CIPHER = *mut libc::c_void; - -#[link(name = "crypto")] -extern { - fn EVP_CIPHER_CTX_new() -> EVP_CIPHER_CTX; - fn EVP_CIPHER_CTX_set_padding(ctx: EVP_CIPHER_CTX, padding: c_int); - fn EVP_CIPHER_CTX_free(ctx: EVP_CIPHER_CTX); - - fn EVP_aes_128_ecb() -> EVP_CIPHER; - fn EVP_aes_128_cbc() -> EVP_CIPHER; - // fn EVP_aes_128_ctr() -> EVP_CIPHER; - // fn EVP_aes_128_gcm() -> EVP_CIPHER; - - fn EVP_aes_256_ecb() -> EVP_CIPHER; - fn EVP_aes_256_cbc() -> EVP_CIPHER; - // fn EVP_aes_256_ctr() -> EVP_CIPHER; - // fn EVP_aes_256_gcm() -> EVP_CIPHER; - - fn EVP_rc4() -> EVP_CIPHER; - - fn EVP_CipherInit(ctx: EVP_CIPHER_CTX, evp: EVP_CIPHER, - key: *const u8, iv: *const u8, mode: c_int); - fn EVP_CipherUpdate(ctx: EVP_CIPHER_CTX, outbuf: *mut u8, - outlen: &mut c_uint, inbuf: *const u8, inlen: c_int); - fn EVP_CipherFinal(ctx: EVP_CIPHER_CTX, res: *mut u8, len: &mut c_int); -} +use ffi; pub enum Mode { Encrypt, @@ -41,46 +11,58 @@ pub enum Mode { pub enum Type { AES_128_ECB, AES_128_CBC, + /// Requires the `aes_xts` feature + #[cfg(feature = "aes_xts")] + AES_128_XTS, // AES_128_CTR, //AES_128_GCM, AES_256_ECB, AES_256_CBC, + /// Requires the `aes_xts` feature + #[cfg(feature = "aes_xts")] + AES_256_XTS, // AES_256_CTR, //AES_256_GCM, RC4_128, } -fn evpc(t: Type) -> (EVP_CIPHER, uint, uint) { +fn evpc(t: Type) -> (*const ffi::EVP_CIPHER, uint, uint) { unsafe { match t { - AES_128_ECB => (EVP_aes_128_ecb(), 16u, 16u), - AES_128_CBC => (EVP_aes_128_cbc(), 16u, 16u), + Type::AES_128_ECB => (ffi::EVP_aes_128_ecb(), 16u, 16u), + Type::AES_128_CBC => (ffi::EVP_aes_128_cbc(), 16u, 16u), + #[cfg(feature = "aes_xts")] + Type::AES_128_XTS => (ffi::EVP_aes_128_xts(), 32u, 16u), // AES_128_CTR => (EVP_aes_128_ctr(), 16u, 0u), //AES_128_GCM => (EVP_aes_128_gcm(), 16u, 16u), - AES_256_ECB => (EVP_aes_256_ecb(), 32u, 16u), - AES_256_CBC => (EVP_aes_256_cbc(), 32u, 16u), + Type::AES_256_ECB => (ffi::EVP_aes_256_ecb(), 32u, 16u), + Type::AES_256_CBC => (ffi::EVP_aes_256_cbc(), 32u, 16u), + #[cfg(feature = "aes_xts")] + Type::AES_256_XTS => (ffi::EVP_aes_256_xts(), 64u, 16u), // AES_256_CTR => (EVP_aes_256_ctr(), 32u, 0u), //AES_256_GCM => (EVP_aes_256_gcm(), 32u, 16u), - RC4_128 => (EVP_rc4(), 16u, 0u), + Type::RC4_128 => (ffi::EVP_rc4(), 16u, 0u), } } } /// Represents a symmetric cipher context. pub struct Crypter { - evp: EVP_CIPHER, - ctx: EVP_CIPHER_CTX, + evp: *const ffi::EVP_CIPHER, + ctx: *mut ffi::EVP_CIPHER_CTX, keylen: uint, blocksize: uint } impl Crypter { pub fn new(t: Type) -> Crypter { - let ctx = unsafe { EVP_CIPHER_CTX_new() }; + ffi::init(); + + let ctx = unsafe { ffi::EVP_CIPHER_CTX_new() }; let (evp, keylen, blocksz) = evpc(t); Crypter { evp: evp, ctx: ctx, keylen: keylen, blocksize: blocksz } } @@ -93,7 +75,7 @@ impl Crypter { if self.blocksize > 0 { unsafe { let v = if padding { 1 as c_int } else { 0 }; - EVP_CIPHER_CTX_set_padding(self.ctx, v); + ffi::EVP_CIPHER_CTX_set_padding(self.ctx, v); } } } @@ -104,12 +86,12 @@ impl Crypter { pub fn init(&self, mode: Mode, key: &[u8], iv: Vec<u8>) { unsafe { let mode = match mode { - Encrypt => 1 as c_int, - Decrypt => 0 as c_int, + Mode::Encrypt => 1 as c_int, + Mode::Decrypt => 0 as c_int, }; assert_eq!(key.len(), self.keylen); - EVP_CipherInit( + ffi::EVP_CipherInit( self.ctx, self.evp, key.as_ptr(), @@ -128,7 +110,7 @@ impl Crypter { let mut res = Vec::from_elem(data.len() + self.blocksize, 0u8); let mut reslen = (data.len() + self.blocksize) as u32; - EVP_CipherUpdate( + ffi::EVP_CipherUpdate( self.ctx, res.as_mut_ptr(), &mut reslen, @@ -144,12 +126,12 @@ impl Crypter { /** * Finish crypting. Returns the remaining partial block of output, if any. */ - pub fn final(&self) -> Vec<u8> { + pub fn finalize(&self) -> Vec<u8> { unsafe { let mut res = Vec::from_elem(self.blocksize, 0u8); let mut reslen = self.blocksize as c_int; - EVP_CipherFinal(self.ctx, + ffi::EVP_CipherFinal(self.ctx, res.as_mut_ptr(), &mut reslen); @@ -162,7 +144,7 @@ impl Crypter { impl Drop for Crypter { fn drop(&mut self) { unsafe { - EVP_CIPHER_CTX_free(self.ctx); + ffi::EVP_CIPHER_CTX_free(self.ctx); } } } @@ -173,9 +155,9 @@ impl Drop for Crypter { */ pub fn encrypt(t: Type, key: &[u8], iv: Vec<u8>, data: &[u8]) -> Vec<u8> { let c = Crypter::new(t); - c.init(Encrypt, key, iv); + c.init(Mode::Encrypt, key, iv); let mut r = c.update(data); - let rest = c.final(); + let rest = c.finalize(); r.extend(rest.into_iter()); r } @@ -186,9 +168,9 @@ pub fn encrypt(t: Type, key: &[u8], iv: Vec<u8>, data: &[u8]) -> Vec<u8> { */ pub fn decrypt(t: Type, key: &[u8], iv: Vec<u8>, data: &[u8]) -> Vec<u8> { let c = Crypter::new(t); - c.init(Decrypt, key, iv); + c.init(Mode::Decrypt, key, iv); let mut r = c.update(data); - let rest = c.final(); + let rest = c.finalize(); r.extend(rest.into_iter()); r } @@ -212,28 +194,62 @@ mod tests { let c0 = vec!(0x8eu8, 0xa2u8, 0xb7u8, 0xcau8, 0x51u8, 0x67u8, 0x45u8, 0xbfu8, 0xeau8, 0xfcu8, 0x49u8, 0x90u8, 0x4bu8, 0x49u8, 0x60u8, 0x89u8); - let c = super::Crypter::new(super::AES_256_ECB); - c.init(super::Encrypt, k0.as_slice(), vec![]); + let c = super::Crypter::new(super::Type::AES_256_ECB); + c.init(super::Mode::Encrypt, k0.as_slice(), vec![]); c.pad(false); let mut r0 = c.update(p0.as_slice()); - r0.extend(c.final().into_iter()); + r0.extend(c.finalize().into_iter()); assert!(r0 == c0); - c.init(super::Decrypt, k0.as_slice(), vec![]); + c.init(super::Mode::Decrypt, k0.as_slice(), vec![]); c.pad(false); let mut p1 = c.update(r0.as_slice()); - p1.extend(c.final().into_iter()); + p1.extend(c.finalize().into_iter()); assert!(p1 == p0); } + #[test] + fn test_aes_256_cbc_decrypt() { + let cr = super::Crypter::new(super::Type::AES_256_CBC); + let iv = vec![ + 4_u8, 223_u8, 153_u8, 219_u8, 28_u8, 142_u8, 234_u8, 68_u8, 227_u8, + 69_u8, 98_u8, 107_u8, 208_u8, 14_u8, 236_u8, 60_u8, 0_u8, 0_u8, + 0_u8, 0_u8, 0_u8, 0_u8, 0_u8, 0_u8, 0_u8, 0_u8, 0_u8, 0_u8, 0_u8, + 0_u8, 0_u8, 0_u8 + ]; + let data = [ + 143_u8, 210_u8, 75_u8, 63_u8, 214_u8, 179_u8, 155_u8, + 241_u8, 242_u8, 31_u8, 154_u8, 56_u8, 198_u8, 145_u8, 192_u8, 64_u8, + 2_u8, 245_u8, 167_u8, 220_u8, 55_u8, 119_u8, 233_u8, 136_u8, 139_u8, + 27_u8, 71_u8, 242_u8, 119_u8, 175_u8, 65_u8, 207_u8 + ]; + let ciphered_data = [ + 0x4a_u8, 0x2e_u8, 0xe5_u8, 0x6_u8, 0xbf_u8, 0xcf_u8, 0xf2_u8, 0xd7_u8, + 0xea_u8, 0x2d_u8, 0xb1_u8, 0x85_u8, 0x6c_u8, 0x93_u8, 0x65_u8, 0x6f_u8 + ]; + cr.init(super::Mode::Decrypt, &data, iv); + cr.pad(false); + let unciphered_data_1 = cr.update(&ciphered_data); + let unciphered_data_2 = cr.finalize(); + + let expected_unciphered_data = b"I love turtles.\x01"; + + assert!(unciphered_data_2.len() == 0); + + assert_eq!( + unciphered_data_1.as_slice(), + expected_unciphered_data + ); + } + fn cipher_test(ciphertype: super::Type, pt: &str, ct: &str, key: &str, iv: &str) { use serialize::hex::ToHex; let cipher = super::Crypter::new(ciphertype); - cipher.init(super::Encrypt, key.from_hex().unwrap().as_slice(), iv.from_hex().unwrap()); + cipher.init(super::Mode::Encrypt, key.from_hex().unwrap().as_slice(), iv.from_hex().unwrap()); let expected = ct.from_hex().unwrap().as_slice().to_vec(); let mut computed = cipher.update(pt.from_hex().unwrap().as_slice()); - computed.extend(cipher.final().into_iter()); + computed.extend(cipher.finalize().into_iter()); if computed != expected { println!("Computed: {}", computed.as_slice().to_hex()); @@ -242,7 +258,7 @@ mod tests { println!("Lengths differ: {} in computed vs {} expected", computed.len(), expected.len()); } - fail!("test failure"); + panic!("test failure"); } } @@ -254,7 +270,20 @@ mod tests { let key = "97CD440324DA5FD1F7955C1C13B6B466"; let iv = ""; - cipher_test(super::RC4_128, pt, ct, key, iv); + cipher_test(super::Type::RC4_128, pt, ct, key, iv); + } + + #[test] + #[cfg(feature = "aes_xts")] + fn test_aes256_xts() { + // Test case 174 from + // http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip + let pt = "77f4ef63d734ebd028508da66c22cdebdd52ecd6ee2ab0a50bc8ad0cfd692ca5fcd4e6dedc45df7f6503f462611dc542"; + let ct = "ce7d905a7776ac72f240d22aafed5e4eb7566cdc7211220e970da634ce015f131a5ecb8d400bc9e84f0b81d8725dbbc7"; + let key = "b6bfef891f83b5ff073f2231267be51eb084b791fa19a154399c0684c8b2dfcb37de77d28bbda3b4180026ad640b74243b3133e7b9fae629403f6733423dae28"; + let iv = "db200efb7eaaa737dbdf40babb68953f"; + + cipher_test(super::Type::AES_256_XTS, pt, ct, key, iv); } /*#[test] @@ -1,14 +1,20 @@ -#![feature(struct_variant, macro_rules)] +#![feature(macro_rules, unsafe_destructor, globs)] #![crate_name="openssl"] #![crate_type="rlib"] #![crate_type="dylib"] -#![doc(html_root_url="http://www.rust-ci.org/sfackler/rust-openssl/doc")] +#![doc(html_root_url="https://sfackler.github.io/doc/openssl")] extern crate libc; #[cfg(test)] extern crate serialize; -extern crate sync; -pub mod ssl; -pub mod crypto; +extern crate "openssl-sys" as ffi; + +mod macros; + +pub mod asn1; pub mod bn; +pub mod bio; +pub mod crypto; +pub mod ssl; +pub mod x509; diff --git a/src/macros.rs b/src/macros.rs new file mode 100644 index 00000000..2de14620 --- /dev/null +++ b/src/macros.rs @@ -0,0 +1,59 @@ +#![macro_escape] + +macro_rules! try_ssl_stream { + ($e:expr) => ( + match $e { + Ok(ok) => ok, + Err(err) => return Err(StreamError(err)) + } + ) +} + +/// Shortcut return with SSL error if something went wrong +macro_rules! try_ssl_if { + ($e:expr) => ( + if $e { + return Err(SslError::get()) + } + ) +} + +/// Shortcut return with SSL error if last error result is 0 +/// (default) +macro_rules! try_ssl{ + ($e:expr) => (try_ssl_if!($e == 0)) +} + +/// Shortcut return with SSL if got a null result +macro_rules! try_ssl_null{ + ($e:expr) => ({ + let t = $e; + try_ssl_if!(t == ptr::null_mut()); + t + }) +} + + +/// Lifts current SSL error code into Result<(), Error> +/// if expression is true +/// Lifting is actually a shortcut of the following form: +/// +/// ```ignore +/// let _ = try!(something) +/// Ok(()) +/// ``` +macro_rules! lift_ssl_if{ + ($e:expr) => ( { + if $e { + Err(SslError::get()) + } else { + Ok(()) + } + }) +} + +/// Lifts current SSL error code into Result<(), Error> +/// if SSL returned 0 (default error indication) +macro_rules! lift_ssl { + ($e:expr) => (lift_ssl_if!($e == 0)) +} diff --git a/src/ssl/error.rs b/src/ssl/error.rs index 9af14dd9..7e8daef1 100644 --- a/src/ssl/error.rs +++ b/src/ssl/error.rs @@ -1,12 +1,17 @@ +pub use self::SslError::*; +pub use self::OpensslError::*; + use libc::c_ulong; +use std::error; use std::io::IoError; +use std::c_str::CString; -use ssl::ffi; +use ffi; /// An SSL error #[deriving(Show, Clone, PartialEq, Eq)] pub enum SslError { - /// The underlying stream has reported an error + /// The underlying stream reported an error StreamError(IoError), /// The SSL session has been closed by the other end SslSessionClosed, @@ -14,30 +19,47 @@ pub enum SslError { OpenSslErrors(Vec<OpensslError>) } +impl error::Error for SslError { + fn description(&self) -> &str { + match *self { + StreamError(_) => "The underlying stream reported an error", + SslSessionClosed => "The SSL session has been closed by the other end", + OpenSslErrors(_) => "An error in the OpenSSL library", + } + } + + fn cause(&self) -> Option<&error::Error> { + match *self { + StreamError(ref err) => Some(err as &error::Error), + _ => None + } + } +} + /// An error from the OpenSSL library #[deriving(Show, Clone, PartialEq, Eq)] pub enum OpensslError { /// An unknown error UnknownError { /// The library reporting the error - library: u8, + library: String, /// The function reporting the error - function: u16, + function: String, /// The reason for the error - reason: u16 + reason: String } } -fn get_lib(err: c_ulong) -> u8 { - ((err >> 24) & 0xff) as u8 +fn get_lib(err: c_ulong) -> String { + unsafe { CString::new(ffi::ERR_lib_error_string(err), false) }.to_string() } -fn get_func(err: c_ulong) -> u16 { - ((err >> 12) & 0xfff) as u16 +fn get_func(err: c_ulong) -> String { + unsafe { CString::new(ffi::ERR_func_error_string(err), false).to_string() } } -fn get_reason(err: c_ulong) -> u16 { - (err & 0xfff) as u16 +fn get_reason(err: c_ulong) -> String { + unsafe { CString::new(ffi::ERR_reason_error_string(err), false).to_string() } } impl SslError { @@ -48,13 +70,37 @@ impl SslError { loop { match unsafe { ffi::ERR_get_error() } { 0 => break, - err => errs.push(UnknownError { - library: get_lib(err), - function: get_func(err), - reason: get_reason(err) - }) + err => errs.push(SslError::from_error_code(err)) } } OpenSslErrors(errs) } + + /// Creates an `SslError` from the raw numeric error code. + pub fn from_error(err: c_ulong) -> SslError { + OpenSslErrors(vec![SslError::from_error_code(err)]) + } + + fn from_error_code(err: c_ulong) -> OpensslError { + ffi::init(); + UnknownError { + library: get_lib(err), + function: get_func(err), + reason: get_reason(err) + } + } +} + +#[test] +fn test_uknown_error_should_have_correct_messages() { + let errs = match SslError::from_error(336032784) { + OpenSslErrors(errs) => errs, + _ => panic!("This should always be an `OpenSslErrors` variant.") + }; + + let UnknownError { ref library, ref function, ref reason } = errs[0]; + + assert_eq!(library.as_slice(),"SSL routines"); + assert_eq!(function.as_slice(), "SSL23_GET_SERVER_HELLO"); + assert_eq!(reason.as_slice(), "sslv3 alert handshake failure"); } diff --git a/src/ssl/ffi.rs b/src/ssl/ffi.rs deleted file mode 100755 index a40af35e..00000000 --- a/src/ssl/ffi.rs +++ /dev/null @@ -1,192 +0,0 @@ -#![allow(non_camel_case_types)] - -use libc::{c_int, c_void, c_long, c_ulong, c_char, c_uint}; -use crypto::hash::{EVP_MD}; - -pub type SSL_CTX = c_void; -pub type SSL_METHOD = c_void; -pub type COMP_METHOD = c_void; -pub type SSL = c_void; -pub type BIO = c_void; -pub type BIO_METHOD = c_void; -pub type X509_STORE_CTX = c_void; -pub type X509 = c_void; -pub type X509_NAME = c_void; -pub type CRYPTO_EX_DATA = c_void; - -pub type CRYPTO_EX_new = extern "C" fn(parent: *mut c_void, ptr: *mut c_void, - ad: *const CRYPTO_EX_DATA, idx: c_int, - argl: c_long, argp: *const c_void) -> c_int; -pub type CRYPTO_EX_dup = extern "C" fn(to: *mut CRYPTO_EX_DATA, - from: *mut CRYPTO_EX_DATA, from_d: *mut c_void, - idx: c_int, argl: c_long, argp: *mut c_void) - -> c_int; -pub type CRYPTO_EX_free = extern "C" fn(parent: *mut c_void, ptr: *mut c_void, - ad: *mut CRYPTO_EX_DATA, idx: c_int, - argl: c_long, argp: *mut c_void); - -pub static CRYPTO_LOCK: c_int = 1; - -pub static SSL_ERROR_NONE: c_int = 0; -pub static SSL_ERROR_SSL: c_int = 1; -pub static SSL_ERROR_WANT_READ: c_int = 2; -pub static SSL_ERROR_WANT_WRITE: c_int = 3; -pub static SSL_ERROR_WANT_X509_LOOKUP: c_int = 4; -pub static SSL_ERROR_SYSCALL: c_int = 5; -pub static SSL_ERROR_ZERO_RETURN: c_int = 6; -pub static SSL_ERROR_WANT_CONNECT: c_int = 7; -pub static SSL_ERROR_WANT_ACCEPT: c_int = 8; - -pub static SSL_VERIFY_NONE: c_int = 0; -pub static SSL_VERIFY_PEER: c_int = 1; - -pub static SSL_CTRL_SET_TLSEXT_HOSTNAME: c_int = 55; - -pub static TLSEXT_NAMETYPE_host_name: c_long = 0; - -pub static X509_V_OK: c_int = 0; -pub static X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: c_int = 2; -pub static X509_V_ERR_UNABLE_TO_GET_CRL: c_int = 3; -pub static X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: c_int = 4; -pub static X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: c_int = 5; -pub static X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: c_int = 6; -pub static X509_V_ERR_CERT_SIGNATURE_FAILURE: c_int = 7; -pub static X509_V_ERR_CRL_SIGNATURE_FAILURE: c_int = 8; -pub static X509_V_ERR_CERT_NOT_YET_VALID: c_int = 9; -pub static X509_V_ERR_CERT_HAS_EXPIRED: c_int = 10; -pub static X509_V_ERR_CRL_NOT_YET_VALID: c_int = 11; -pub static X509_V_ERR_CRL_HAS_EXPIRED: c_int = 12; -pub static X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: c_int = 13; -pub static X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: c_int = 14; -pub static X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: c_int = 15; -pub static X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: c_int = 16; -pub static X509_V_ERR_OUT_OF_MEM: c_int = 17; -pub static X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: c_int = 18; -pub static X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: c_int = 19; -pub static X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: c_int = 20; -pub static X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: c_int = 21; -pub static X509_V_ERR_CERT_CHAIN_TOO_LONG: c_int = 22; -pub static X509_V_ERR_CERT_REVOKED: c_int = 23; -pub static X509_V_ERR_INVALID_CA: c_int = 24; -pub static X509_V_ERR_PATH_LENGTH_EXCEEDED: c_int = 25; -pub static X509_V_ERR_INVALID_PURPOSE: c_int = 26; -pub static X509_V_ERR_CERT_UNTRUSTED: c_int = 27; -pub static X509_V_ERR_CERT_REJECTED: c_int = 28; -pub static X509_V_ERR_SUBJECT_ISSUER_MISMATCH: c_int = 29; -pub static X509_V_ERR_AKID_SKID_MISMATCH: c_int = 30; -pub static X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: c_int = 31; -pub static X509_V_ERR_KEYUSAGE_NO_CERTSIGN: c_int = 32; -pub static X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: c_int = 33; -pub static X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: c_int = 34; -pub static X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: c_int = 35; -pub static X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: c_int = 36; -pub static X509_V_ERR_INVALID_NON_CA: c_int = 37; -pub static X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: c_int = 38; -pub static X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: c_int = 39; -pub static X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: c_int = 40; -pub static X509_V_ERR_INVALID_EXTENSION: c_int = 41; -pub static X509_V_ERR_INVALID_POLICY_EXTENSION: c_int = 42; -pub static X509_V_ERR_NO_EXPLICIT_POLICY: c_int = 43; -pub static X509_V_ERR_DIFFERENT_CRL_SCOPE: c_int = 44; -pub static X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: c_int = 45; -pub static X509_V_ERR_UNNESTED_RESOURCE: c_int = 46; -pub static X509_V_ERR_PERMITTED_VIOLATION: c_int = 47; -pub static X509_V_ERR_EXCLUDED_VIOLATION: c_int = 48; -pub static X509_V_ERR_SUBTREE_MINMAX: c_int = 49; -pub static X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: c_int = 51; -pub static X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: c_int = 52; -pub static X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: c_int = 53; -pub static X509_V_ERR_CRL_PATH_VALIDATION_ERROR: c_int = 54; -pub static X509_V_ERR_APPLICATION_VERIFICATION: c_int = 50; - -pub static X509_FILETYPE_PEM: c_int = 1; -pub static X509_FILETYPE_ASN1: c_int = 2; -pub static X509_FILETYPE_DEFAULT: c_int = 3; - -#[cfg(target_os = "macos", feature = "tlsv1_1")] -#[cfg(target_os = "macos", feature = "tlsv1_2")] -#[link(name="ssl.1.0.0")] -#[link(name="crypto.1.0.0")] -extern {} - -#[cfg(not(target_os = "macos"))] -#[cfg(target_os = "macos", not(feature = "tlsv1_1"), not(feature = "tlsv1_2"))] -#[link(name="ssl")] -#[link(name="crypto")] -extern {} - -extern "C" { - pub fn CRYPTO_num_locks() -> c_int; - pub fn CRYPTO_set_locking_callback(func: extern "C" fn(mode: c_int, - n: c_int, - file: *const c_char, - line: c_int)); - - pub fn ERR_get_error() -> c_ulong; - - pub fn SSL_library_init() -> c_int; - - #[cfg(feature = "sslv2")] - pub fn SSLv2_method() -> *const SSL_METHOD; - pub fn SSLv3_method() -> *const SSL_METHOD; - pub fn TLSv1_method() -> *const SSL_METHOD; - #[cfg(feature = "tlsv1_1")] - pub fn TLSv1_1_method() -> *const SSL_METHOD; - #[cfg(feature = "tlsv1_2")] - pub fn TLSv1_2_method() -> *const SSL_METHOD; - pub fn SSLv23_method() -> *const SSL_METHOD; - - pub fn SSL_CTX_new(method: *const SSL_METHOD) -> *mut SSL_CTX; - pub fn SSL_CTX_free(ctx: *mut SSL_CTX); - pub fn SSL_CTX_set_verify(ctx: *mut SSL_CTX, mode: c_int, - verify_callback: Option<extern fn(c_int, *mut X509_STORE_CTX) -> c_int>); - pub fn SSL_CTX_load_verify_locations(ctx: *mut SSL_CTX, CAfile: *const c_char, - CApath: *const c_char) -> c_int; - pub fn SSL_CTX_get_ex_new_index(argl: c_long, argp: *const c_void, - new_func: Option<CRYPTO_EX_new>, - dup_func: Option<CRYPTO_EX_dup>, - free_func: Option<CRYPTO_EX_free>) - -> c_int; - pub fn SSL_CTX_set_ex_data(ctx: *mut SSL_CTX, idx: c_int, data: *mut c_void) - -> c_int; - pub fn SSL_CTX_get_ex_data(ctx: *mut SSL_CTX, idx: c_int) -> *mut c_void; - - pub fn SSL_CTX_use_certificate_file(ctx: *mut SSL_CTX, cert_file: *const c_char, file_type: c_int) -> c_int; - pub fn SSL_CTX_use_PrivateKey_file(ctx: *mut SSL_CTX, key_file: *const c_char, file_type: c_int) -> c_int; - - pub fn X509_STORE_CTX_get_ex_data(ctx: *mut X509_STORE_CTX, idx: c_int) - -> *mut c_void; - pub fn X509_STORE_CTX_get_current_cert(ct: *mut X509_STORE_CTX) -> *mut X509; - pub fn X509_STORE_CTX_get_error(ctx: *mut X509_STORE_CTX) -> c_int; - - pub fn X509_get_subject_name(x: *mut X509) -> *mut X509_NAME; - pub fn X509_digest(x: *mut X509, digest: *const EVP_MD, buf: *mut c_char, len: *mut c_uint) -> c_int; - - pub fn SSL_new(ctx: *mut SSL_CTX) -> *mut SSL; - pub fn SSL_free(ssl: *mut SSL); - pub fn SSL_set_bio(ssl: *mut SSL, rbio: *mut BIO, wbio: *mut BIO); - pub fn SSL_get_rbio(ssl: *mut SSL) -> *mut BIO; - pub fn SSL_get_wbio(ssl: *mut SSL) -> *mut BIO; - pub fn SSL_connect(ssl: *mut SSL) -> c_int; - pub fn SSL_ctrl(ssl: *mut SSL, cmd: c_int, larg: c_long, - parg: *mut c_void) -> c_long; - pub fn SSL_get_error(ssl: *mut SSL, ret: c_int) -> c_int; - pub fn SSL_read(ssl: *mut SSL, buf: *mut c_void, num: c_int) -> c_int; - pub fn SSL_write(ssl: *mut SSL, buf: *const c_void, num: c_int) -> c_int; - pub fn SSL_get_ex_data_X509_STORE_CTX_idx() -> c_int; - pub fn SSL_get_SSL_CTX(ssl: *mut SSL) -> *mut SSL_CTX; - pub fn SSL_get_current_compression(ssl: *mut SSL) -> *const COMP_METHOD; - - pub fn BIO_s_mem() -> *const BIO_METHOD; - pub fn BIO_new(type_: *const BIO_METHOD) -> *mut BIO; - pub fn BIO_free_all(a: *mut BIO); - pub fn BIO_read(b: *mut BIO, buf: *mut c_void, len: c_int) -> c_int; - pub fn BIO_write(b: *mut BIO, buf: *const c_void, len: c_int) -> c_int; - - pub fn SSL_COMP_get_name(comp: *const COMP_METHOD) -> *const c_char; -} - -#[cfg(target_os = "win32")] -#[link(name="gdi32")] -#[link(name="wsock32")] -extern { } diff --git a/src/ssl/mod.rs b/src/ssl/mod.rs index fc775a32..d29d633e 100644 --- a/src/ssl/mod.rs +++ b/src/ssl/mod.rs @@ -1,47 +1,31 @@ -use libc::{c_int, c_uint, c_void, c_char}; +use libc::{c_int, c_void, c_long}; use std::io::{IoResult, IoError, EndOfFile, Stream, Reader, Writer}; use std::mem; use std::ptr; -use std::rt::mutex::NativeMutex; -use std::string; -use sync::one::{Once, ONCE_INIT}; +use std::sync::{Once, ONCE_INIT, Arc}; -use crypto::hash::{HashType, evpmd}; +use bio::{MemBio}; +use ffi; use ssl::error::{SslError, SslSessionClosed, StreamError}; +use x509::{X509StoreContext, X509FileType, X509}; pub mod error; -mod ffi; #[cfg(test)] mod tests; static mut VERIFY_IDX: c_int = -1; -static mut MUTEXES: *mut Vec<NativeMutex> = 0 as *mut Vec<NativeMutex>; - -macro_rules! try_ssl( - ($e:expr) => ( - match $e { - Ok(ok) => ok, - Err(err) => return Err(StreamError(err)) - } - ) -) fn init() { static mut INIT: Once = ONCE_INIT; unsafe { INIT.doit(|| { - ffi::SSL_library_init(); + ffi::init(); + let verify_idx = ffi::SSL_CTX_get_ex_new_index(0, ptr::null(), None, None, None); assert!(verify_idx >= 0); VERIFY_IDX = verify_idx; - - let num_locks = ffi::CRYPTO_num_locks(); - let mutexes = box Vec::from_fn(num_locks as uint, |_| NativeMutex::new()); - MUTEXES = mem::transmute(mutexes); - - ffi::CRYPTO_set_locking_callback(locking_function); }); } } @@ -51,17 +35,19 @@ fn init() { #[allow(non_camel_case_types)] pub enum SslMethod { #[cfg(feature = "sslv2")] - /// Only support the SSLv2 protocol + /// Only support the SSLv2 protocol, requires `feature="sslv2"` Sslv2, + /// Support the SSLv2, SSLv3 and TLSv1 protocols + Sslv23, /// Only support the SSLv3 protocol Sslv3, /// Only support the TLSv1 protocol Tlsv1, - /// Support the SSLv2, SSLv3 and TLSv1 protocols - Sslv23, #[cfg(feature = "tlsv1_1")] + /// Support TLSv1.1 protocol, requires `feature="tlsv1_1"` Tlsv1_1, #[cfg(feature = "tlsv1_2")] + /// Support TLSv1.2 protocol, requires `feature="tlsv1_2"` Tlsv1_2, } @@ -69,14 +55,14 @@ impl SslMethod { unsafe fn to_raw(&self) -> *const ffi::SSL_METHOD { match *self { #[cfg(feature = "sslv2")] - Sslv2 => ffi::SSLv2_method(), - Sslv3 => ffi::SSLv3_method(), - Tlsv1 => ffi::TLSv1_method(), - Sslv23 => ffi::SSLv23_method(), + SslMethod::Sslv2 => ffi::SSLv2_method(), + SslMethod::Sslv3 => ffi::SSLv3_method(), + SslMethod::Tlsv1 => ffi::TLSv1_method(), + SslMethod::Sslv23 => ffi::SSLv23_method(), #[cfg(feature = "tlsv1_1")] - Tlsv1_1 => ffi::TLSv1_1_method(), + SslMethod::Tlsv1_1 => ffi::TLSv1_1_method(), #[cfg(feature = "tlsv1_2")] - Tlsv1_2 => ffi::TLSv1_2_method() + SslMethod::Tlsv1_2 => ffi::TLSv1_2_method() } } } @@ -90,16 +76,27 @@ pub enum SslVerifyMode { SslVerifyNone = ffi::SSL_VERIFY_NONE } -extern fn locking_function(mode: c_int, n: c_int, _file: *const c_char, - _line: c_int) { - unsafe { - let mutex = (*MUTEXES).get_mut(n as uint); +// Creates a static index for user data of type T +// Registers a destructor for the data which will be called +// when context is freed +fn get_verify_data_idx<T>() -> c_int { + static mut VERIFY_DATA_IDX: c_int = -1; + static mut INIT: Once = ONCE_INIT; - if mode & ffi::CRYPTO_LOCK != 0 { - mutex.lock_noguard(); - } else { - mutex.unlock_noguard(); - } + extern fn free_data_box<T>(_parent: *mut c_void, ptr: *mut c_void, + _ad: *mut ffi::CRYPTO_EX_DATA, _idx: c_int, + _argl: c_long, _argp: *mut c_void) { + let _: Box<T> = unsafe { mem::transmute(ptr) }; + } + + unsafe { + INIT.doit(|| { + let idx = ffi::SSL_CTX_get_ex_new_index(0, ptr::null(), None, + None, Some(free_data_box::<T>)); + assert!(idx >= 0); + VERIFY_DATA_IDX = idx; + }); + VERIFY_DATA_IDX } } @@ -112,7 +109,7 @@ extern fn raw_verify(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) let verify = ffi::SSL_CTX_get_ex_data(ssl_ctx, VERIFY_IDX); let verify: Option<VerifyCallback> = mem::transmute(verify); - let ctx = X509StoreContext { ctx: x509_ctx }; + let ctx = X509StoreContext::new(x509_ctx); match verify { None => preverify_ok, @@ -121,16 +118,44 @@ extern fn raw_verify(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) } } +extern fn raw_verify_with_data<T>(preverify_ok: c_int, + x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int { + unsafe { + let idx = ffi::SSL_get_ex_data_X509_STORE_CTX_idx(); + let ssl = ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx); + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); + + let verify = ffi::SSL_CTX_get_ex_data(ssl_ctx, VERIFY_IDX); + let verify: Option<VerifyCallbackData<T>> = mem::transmute(verify); + + let data = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_verify_data_idx::<T>()); + let data: Box<T> = mem::transmute(data); + + let ctx = X509StoreContext::new(x509_ctx); + + let res = match verify { + None => preverify_ok, + Some(verify) => verify(preverify_ok != 0, &ctx, &*data) as c_int + }; + + // Since data might be required on the next verification + // it is time to forget about it and avoid dropping + // data will be freed once OpenSSL considers it is time + // to free all context data + mem::forget(data); + res + } +} + /// The signature of functions that can be used to manually verify certificates pub type VerifyCallback = fn(preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool; -#[repr(i32)] -pub enum X509FileType { - PEM = ffi::X509_FILETYPE_PEM, - ASN1 = ffi::X509_FILETYPE_ASN1, - Default = ffi::X509_FILETYPE_DEFAULT -} +/// The signature of functions that can be used to manually verify certificates +/// when user-data should be carried for all verification process +pub type VerifyCallbackData<T> = fn(preverify_ok: bool, + x509_ctx: &X509StoreContext, + data: &T) -> bool; // FIXME: macro may be instead of inlining? #[inline] @@ -176,9 +201,33 @@ impl SslContext { } } + /// Configures the certificate verification method for new connections also + /// carrying supplied data. + // Note: no option because there is no point to set data without providing + // a function handling it + pub fn set_verify_with_data<T>(&mut self, mode: SslVerifyMode, + verify: VerifyCallbackData<T>, + data: T) { + let data = box data; + unsafe { + ffi::SSL_CTX_set_ex_data(self.ctx, VERIFY_IDX, + mem::transmute(Some(verify))); + ffi::SSL_CTX_set_ex_data(self.ctx, get_verify_data_idx::<T>(), + mem::transmute(data)); + ffi::SSL_CTX_set_verify(self.ctx, mode as c_int, Some(raw_verify_with_data::<T>)); + } + } + + /// Sets verification depth + pub fn set_verify_depth(&mut self, depth: uint) { + unsafe { + ffi::SSL_CTX_set_verify_depth(self.ctx, depth as c_int); + } + } + #[allow(non_snake_case)] /// Specifies the file that contains trusted CA certificates. - pub fn set_CA_file(&mut self, file: &str) -> Option<SslError> { + pub fn set_CA_file(&mut self, file: &Path) -> Option<SslError> { wrap_ssl_result(file.with_c_str(|file| { unsafe { ffi::SSL_CTX_load_verify_locations(self.ctx, file, ptr::null()) @@ -186,8 +235,8 @@ impl SslContext { })) } - /// Specifies the file that is client certificate - pub fn set_certificate_file(&mut self, file: &str, + /// Specifies the file that contains certificate + pub fn set_certificate_file(&mut self, file: &Path, file_type: X509FileType) -> Option<SslError> { wrap_ssl_result(file.with_c_str(|file| { unsafe { @@ -196,8 +245,8 @@ impl SslContext { })) } - /// Specifies the file that is client private key - pub fn set_private_key_file(&mut self, file: &str, + /// Specifies the file that contains private key + pub fn set_private_key_file(&mut self, file: &Path, file_type: X509FileType) -> Option<SslError> { wrap_ssl_result(file.with_c_str(|file| { unsafe { @@ -205,148 +254,32 @@ impl SslContext { } })) } -} - -pub struct X509StoreContext { - ctx: *mut ffi::X509_STORE_CTX -} -impl X509StoreContext { - pub fn get_error(&self) -> Option<X509ValidationError> { - let err = unsafe { ffi::X509_STORE_CTX_get_error(self.ctx) }; - X509ValidationError::from_raw(err) - } - - pub fn get_current_cert<'a>(&'a self) -> Option<X509<'a>> { - let ptr = unsafe { ffi::X509_STORE_CTX_get_current_cert(self.ctx) }; - - if ptr.is_null() { - None - } else { - Some(X509 { ctx: self, x509: ptr }) - } + pub fn set_cipher_list(&mut self, cipher_list: &str) -> Option<SslError> { + wrap_ssl_result(cipher_list.with_c_str(|cipher_list| { + unsafe { + ffi::SSL_CTX_set_cipher_list(self.ctx, cipher_list) + } + })) } } #[allow(dead_code)] -/// A public key certificate -pub struct X509<'ctx> { - ctx: &'ctx X509StoreContext, - x509: *mut ffi::X509 +struct MemBioRef<'ssl> { + ssl: &'ssl Ssl, + bio: MemBio, } -impl<'ctx> X509<'ctx> { - pub fn subject_name<'a>(&'a self) -> X509Name<'a> { - let name = unsafe { ffi::X509_get_subject_name(self.x509) }; - X509Name { x509: self, name: name } +impl<'ssl> MemBioRef<'ssl> { + fn read(&mut self, buf: &mut [u8]) -> Option<uint> { + (&mut self.bio as &mut Reader).read(buf).ok() } - /// Returns certificate fingerprint calculated using provided hash - pub fn fingerprint(&self, hash_type: HashType) -> Option<Vec<u8>> { - let (evp, len) = evpmd(hash_type); - let v: Vec<u8> = Vec::from_elem(len, 0); - let act_len: c_uint = 0; - let res = unsafe { - ffi::X509_digest(self.x509, evp, mem::transmute(v.as_ptr()), - mem::transmute(&act_len)) - }; - - match res { - 0 => None, - _ => { - let act_len = act_len as uint; - match len.cmp(&act_len) { - Greater => None, - Equal => Some(v), - Less => fail!("Fingerprint buffer was corrupted!") - } - } - } + fn write(&mut self, buf: &[u8]) { + let _ = (&mut self.bio as &mut Writer).write(buf); } } -#[allow(dead_code)] -pub struct X509Name<'x> { - x509: &'x X509<'x>, - name: *mut ffi::X509_NAME -} - -macro_rules! make_validation_error( - ($ok_val:ident, $($name:ident = $val:ident,)+) => ( - pub enum X509ValidationError { - $($name,)+ - X509UnknownError(c_int) - } - - impl X509ValidationError { - #[doc(hidden)] - pub fn from_raw(err: c_int) -> Option<X509ValidationError> { - match err { - self::ffi::$ok_val => None, - $(self::ffi::$val => Some($name),)+ - err => Some(X509UnknownError(err)) - } - } - } - ) -) - -make_validation_error!(X509_V_OK, - X509UnableToGetIssuerCert = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, - X509UnableToGetCrl = X509_V_ERR_UNABLE_TO_GET_CRL, - X509UnableToDecryptCertSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, - X509UnableToDecryptCrlSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, - X509UnableToDecodeIssuerPublicKey = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, - X509CertSignatureFailure = X509_V_ERR_CERT_SIGNATURE_FAILURE, - X509CrlSignatureFailure = X509_V_ERR_CRL_SIGNATURE_FAILURE, - X509CertNotYetValid = X509_V_ERR_CERT_NOT_YET_VALID, - X509CertHasExpired = X509_V_ERR_CERT_HAS_EXPIRED, - X509CrlNotYetValid = X509_V_ERR_CRL_NOT_YET_VALID, - X509CrlHasExpired = X509_V_ERR_CRL_HAS_EXPIRED, - X509ErrorInCertNotBeforeField = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, - X509ErrorInCertNotAfterField = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, - X509ErrorInCrlLastUpdateField = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, - X509ErrorInCrlNextUpdateField = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, - X509OutOfMem = X509_V_ERR_OUT_OF_MEM, - X509DepthZeroSelfSignedCert = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, - X509SelfSignedCertInChain = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, - X509UnableToGetIssuerCertLocally = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, - X509UnableToVerifyLeafSignature = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, - X509CertChainTooLong = X509_V_ERR_CERT_CHAIN_TOO_LONG, - X509CertRevoked = X509_V_ERR_CERT_REVOKED, - X509InvalidCA = X509_V_ERR_INVALID_CA, - X509PathLengthExceeded = X509_V_ERR_PATH_LENGTH_EXCEEDED, - X509InvalidPurpose = X509_V_ERR_INVALID_PURPOSE, - X509CertUntrusted = X509_V_ERR_CERT_UNTRUSTED, - X509CertRejected = X509_V_ERR_CERT_REJECTED, - X509SubjectIssuerMismatch = X509_V_ERR_SUBJECT_ISSUER_MISMATCH, - X509AkidSkidMismatch = X509_V_ERR_AKID_SKID_MISMATCH, - X509AkidIssuerSerialMismatch = X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH, - X509KeyusageNoCertsign = X509_V_ERR_KEYUSAGE_NO_CERTSIGN, - X509UnableToGetCrlIssuer = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, - X509UnhandledCriticalExtension = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, - X509KeyusageNoCrlSign = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN, - X509UnhandledCriticalCrlExtension = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, - X509InvalidNonCA = X509_V_ERR_INVALID_NON_CA, - X509ProxyPathLengthExceeded = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED, - X509KeyusageNoDigitalSignature = X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE, - X509ProxyCertificatesNotAllowed = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, - X509InvalidExtension = X509_V_ERR_INVALID_EXTENSION, - X509InavlidPolicyExtension = X509_V_ERR_INVALID_POLICY_EXTENSION, - X509NoExplicitPolicy = X509_V_ERR_NO_EXPLICIT_POLICY, - X509DifferentCrlScope = X509_V_ERR_DIFFERENT_CRL_SCOPE, - X509UnsupportedExtensionFeature = X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE, - X509UnnestedResource = X509_V_ERR_UNNESTED_RESOURCE, - X509PermittedVolation = X509_V_ERR_PERMITTED_VIOLATION, - X509ExcludedViolation = X509_V_ERR_EXCLUDED_VIOLATION, - X509SubtreeMinmax = X509_V_ERR_SUBTREE_MINMAX, - X509UnsupportedConstraintType = X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, - X509UnsupportedConstraintSyntax = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX, - X509UnsupportedNameSyntax = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, - X509CrlPathValidationError= X509_V_ERR_CRL_PATH_VALIDATION_ERROR, - X509ApplicationVerification = X509_V_ERR_APPLICATION_VERIFICATION, -) - pub struct Ssl { ssl: *mut ffi::SSL } @@ -365,18 +298,10 @@ impl Ssl { } let ssl = Ssl { ssl: ssl }; - let rbio = unsafe { ffi::BIO_new(ffi::BIO_s_mem()) }; - if rbio == ptr::null_mut() { - return Err(SslError::get()); - } - - let wbio = unsafe { ffi::BIO_new(ffi::BIO_s_mem()) }; - if wbio == ptr::null_mut() { - unsafe { ffi::BIO_free_all(rbio) } - return Err(SslError::get()); - } + let rbio = try!(MemBio::new()); + let wbio = try!(MemBio::new()); - unsafe { ffi::SSL_set_bio(ssl.ssl, rbio, wbio) } + unsafe { ffi::SSL_set_bio(ssl.ssl, rbio.unwrap(), wbio.unwrap()) } Ok(ssl) } @@ -389,13 +314,10 @@ impl Ssl { } fn wrap_bio<'a>(&'a self, bio: *mut ffi::BIO) -> MemBioRef<'a> { - assert!(bio != ptr::mut_null()); + assert!(bio != ptr::null_mut()); MemBioRef { ssl: self, - bio: MemBio { - bio: bio, - owned: false - } + bio: MemBio::borrowed(bio) } } @@ -403,6 +325,10 @@ impl Ssl { unsafe { ffi::SSL_connect(self.ssl) } } + fn accept(&self) -> c_int { + unsafe { ffi::SSL_accept(self.ssl) } + } + fn read(&self, buf: &mut [u8]) -> c_int { unsafe { ffi::SSL_read(self.ssl, buf.as_ptr() as *mut c_void, buf.len() as c_int) } @@ -443,6 +369,17 @@ impl Ssl { } } + pub fn get_peer_certificate(&self) -> Option<X509> { + unsafe { + let ptr = ffi::SSL_get_peer_certificate(self.ssl); + if ptr.is_null() { + None + } else { + Some(X509::new(ptr, true)) + } + } + } + } #[deriving(FromPrimitive)] @@ -459,110 +396,90 @@ enum LibSslError { ErrorWantAccept = ffi::SSL_ERROR_WANT_ACCEPT, } -#[allow(dead_code)] -struct MemBioRef<'ssl> { - ssl: &'ssl Ssl, - bio: MemBio, -} - -impl<'ssl> MemBioRef<'ssl> { - fn read(&self, buf: &mut [u8]) -> Option<uint> { - self.bio.read(buf) - } - - fn write(&self, buf: &[u8]) { - self.bio.write(buf) - } -} - -struct MemBio { - bio: *mut ffi::BIO, - owned: bool -} - -impl Drop for MemBio { - fn drop(&mut self) { - if self.owned { - unsafe { - ffi::BIO_free_all(self.bio); - } - } - } -} - -impl MemBio { - fn read(&self, buf: &mut [u8]) -> Option<uint> { - let ret = unsafe { - ffi::BIO_read(self.bio, buf.as_ptr() as *mut c_void, - buf.len() as c_int) - }; - - if ret < 0 { - None - } else { - Some(ret as uint) - } - } - - fn write(&self, buf: &[u8]) { - let ret = unsafe { - ffi::BIO_write(self.bio, buf.as_ptr() as *const c_void, - buf.len() as c_int) - }; - assert_eq!(buf.len(), ret as uint); - } -} - /// A stream wrapper which handles SSL encryption for an underlying stream. +#[deriving(Clone)] pub struct SslStream<S> { stream: S, - ssl: Ssl, + ssl: Arc<Ssl>, buf: Vec<u8> } impl<S: Stream> SslStream<S> { - /// Attempts to create a new SSL stream from a given `Ssl` instance. - pub fn new_from(ssl: Ssl, stream: S) -> Result<SslStream<S>, SslError> { - let mut ssl = SslStream { + fn new_base(ssl:Ssl, stream: S) -> SslStream<S> { + SslStream { stream: stream, - ssl: ssl, + ssl: Arc::new(ssl), // Maximum TLS record size is 16k buf: Vec::from_elem(16 * 1024, 0u8) - }; - - match ssl.in_retry_wrapper(|ssl| { ssl.connect() }) { - Ok(_) => Ok(ssl), - Err(err) => Err(err) } } + pub fn new_server_from(ssl: Ssl, stream: S) -> Result<SslStream<S>, SslError> { + let mut ssl = SslStream::new_base(ssl, stream); + ssl.in_retry_wrapper(|ssl| { ssl.accept() }).and(Ok(ssl)) + } + + /// Attempts to create a new SSL stream from a given `Ssl` instance. + pub fn new_from(ssl: Ssl, stream: S) -> Result<SslStream<S>, SslError> { + let mut ssl = SslStream::new_base(ssl, stream); + ssl.in_retry_wrapper(|ssl| { ssl.connect() }).and(Ok(ssl)) + } + /// Creates a new SSL stream pub fn new(ctx: &SslContext, stream: S) -> Result<SslStream<S>, SslError> { - let ssl = match Ssl::new(ctx) { - Ok(ssl) => ssl, - Err(err) => return Err(err) - }; - + let ssl = try!(Ssl::new(ctx)); SslStream::new_from(ssl, stream) } + /// Creates a new SSL server stream + pub fn new_server(ctx: &SslContext, stream: S) -> Result<SslStream<S>, SslError> { + let ssl = try!(Ssl::new(ctx)); + SslStream::new_server_from(ssl, stream) + } + + /// Returns a mutable reference to the underlying stream. + /// + /// ## Warning + /// + /// `read`ing or `write`ing directly to the underlying stream will most + /// likely desynchronize the SSL session. + #[deprecated="use get_mut instead"] + pub fn get_inner(&mut self) -> &mut S { + self.get_mut() + } + + /// Returns a reference to the underlying stream. + pub fn get_ref(&self) -> &S { + &self.stream + } + + /// Returns a mutable reference to the underlying stream. + /// + /// ## Warning + /// + /// It is inadvisable to read from or write to the underlying stream as it + /// will most likely desynchronize the SSL session. + pub fn get_mut(&mut self) -> &mut S { + &mut self.stream + } + fn in_retry_wrapper(&mut self, blk: |&Ssl| -> c_int) -> Result<c_int, SslError> { loop { - let ret = blk(&self.ssl); + let ret = blk(&*self.ssl); if ret > 0 { return Ok(ret); } match self.ssl.get_error(ret) { - ErrorWantRead => { - try_ssl!(self.flush()); - let len = try_ssl!(self.stream.read(self.buf.as_mut_slice())); + LibSslError::ErrorWantRead => { + try_ssl_stream!(self.flush()); + let len = try_ssl_stream!(self.stream.read(self.buf.as_mut_slice())); self.ssl.get_rbio().write(self.buf.slice_to(len)); } - ErrorWantWrite => { try_ssl!(self.flush()) } - ErrorZeroReturn => return Err(SslSessionClosed), - ErrorSsl => return Err(SslError::get()), + LibSslError::ErrorWantWrite => { try_ssl_stream!(self.flush()) } + LibSslError::ErrorZeroReturn => return Err(SslSessionClosed), + LibSslError::ErrorSsl => return Err(SslError::get()), _ => unreachable!() } } @@ -588,7 +505,7 @@ impl<S: Stream> SslStream<S> { } let meth = unsafe { ffi::SSL_COMP_get_name(ptr) }; - let s = unsafe { string::raw::from_buf(meth as *const u8) }; + let s = unsafe { String::from_raw_buf(meth as *const u8) }; Some(s) } @@ -615,7 +532,7 @@ impl<S: Stream> Writer for SslStream<S> { let mut start = 0; while start < buf.len() { let ret = self.in_retry_wrapper(|ssl| { - ssl.write(buf.slice_from(start)) + ssl.write(buf.split_at(start).val1()) }); match ret { Ok(len) => start += len as uint, @@ -631,3 +548,58 @@ impl<S: Stream> Writer for SslStream<S> { self.stream.flush() } } + +/// A utility type to help in cases where the use of SSL is decided at runtime. +pub enum MaybeSslStream<S> where S: Stream { + /// A connection using SSL + Ssl(SslStream<S>), + /// A connection not using SSL + Normal(S), +} + +impl<S> Reader for MaybeSslStream<S> where S: Stream { + fn read(&mut self, buf: &mut [u8]) -> IoResult<uint> { + match *self { + MaybeSslStream::Ssl(ref mut s) => s.read(buf), + MaybeSslStream::Normal(ref mut s) => s.read(buf), + } + } +} + +impl<S> Writer for MaybeSslStream<S> where S: Stream{ + fn write(&mut self, buf: &[u8]) -> IoResult<()> { + match *self { + MaybeSslStream::Ssl(ref mut s) => s.write(buf), + MaybeSslStream::Normal(ref mut s) => s.write(buf), + } + } + + fn flush(&mut self) -> IoResult<()> { + match *self { + MaybeSslStream::Ssl(ref mut s) => s.flush(), + MaybeSslStream::Normal(ref mut s) => s.flush(), + } + } +} + +impl<S> MaybeSslStream<S> where S: Stream { + /// Returns a reference to the underlying stream. + pub fn get_ref(&self) -> &S { + match *self { + MaybeSslStream::Ssl(ref s) => s.get_ref(), + MaybeSslStream::Normal(ref s) => s, + } + } + + /// Returns a mutable reference to the underlying stream. + /// + /// ## Warning + /// + /// It is inadvisable to read from or write to the underlying stream. + pub fn get_mut(&mut self) -> &mut S { + match *self { + MaybeSslStream::Ssl(ref mut s) => s.get_mut(), + MaybeSslStream::Normal(ref mut s) => s, + } + } +} diff --git a/src/ssl/tests.rs b/src/ssl/tests.rs index 99241719..e4414f84 100644 --- a/src/ssl/tests.rs +++ b/src/ssl/tests.rs @@ -1,8 +1,12 @@ -use std::io::Writer; +use serialize::hex::FromHex; +use std::io::{Writer}; use std::io::net::tcp::TcpStream; -use std::str; -use ssl::{Sslv23, SslContext, SslStream, SslVerifyPeer, X509StoreContext}; +use crypto::hash::HashType::{SHA256}; +use ssl::SslMethod::Sslv23; +use ssl::{SslContext, SslStream}; +use ssl::SslVerifyMode::SslVerifyPeer; +use x509::{X509StoreContext}; #[test] fn test_new_ctx() { @@ -11,33 +15,33 @@ fn test_new_ctx() { #[test] fn test_new_sslstream() { - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); SslStream::new(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); } #[test] fn test_verify_untrusted() { - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, None); match SslStream::new(&ctx, stream) { - Ok(_) => fail!("expected failure"), + Ok(_) => panic!("expected failure"), Err(err) => println!("error {}", err) } } #[test] fn test_verify_trusted() { - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, None); - match ctx.set_CA_file("test/cert.pem") { + match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} - Some(err) => fail!("Unexpected error {}", err) + Some(err) => panic!("Unexpected error {}", err) } match SslStream::new(&ctx, stream) { Ok(_) => (), - Err(err) => fail!("Expected success, got {}", err) + Err(err) => panic!("Expected success, got {}", err) } } @@ -46,12 +50,12 @@ fn test_verify_untrusted_callback_override_ok() { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { true } - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback)); match SslStream::new(&ctx, stream) { Ok(_) => (), - Err(err) => fail!("Expected success, got {}", err) + Err(err) => panic!("Expected success, got {}", err) } } @@ -60,7 +64,7 @@ fn test_verify_untrusted_callback_override_bad() { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { false } - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback)); assert!(SslStream::new(&ctx, stream).is_err()); @@ -71,16 +75,16 @@ fn test_verify_trusted_callback_override_ok() { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { true } - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback)); - match ctx.set_CA_file("test/cert.pem") { + match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} - Some(err) => fail!("Unexpected error {}", err) + Some(err) => panic!("Unexpected error {}", err) } match SslStream::new(&ctx, stream) { Ok(_) => (), - Err(err) => fail!("Expected success, got {}", err) + Err(err) => panic!("Expected success, got {}", err) } } @@ -89,12 +93,12 @@ fn test_verify_trusted_callback_override_bad() { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { false } - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback)); - match ctx.set_CA_file("test/cert.pem") { + match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} - Some(err) => fail!("Unexpected error {}", err) + Some(err) => panic!("Unexpected error {}", err) } assert!(SslStream::new(&ctx, stream).is_err()); } @@ -105,7 +109,7 @@ fn test_verify_callback_load_certs() { assert!(x509_ctx.get_current_cert().is_some()); true } - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback)); assert!(SslStream::new(&ctx, stream).is_ok()); @@ -117,12 +121,12 @@ fn test_verify_trusted_get_error_ok() { assert!(x509_ctx.get_error().is_none()); true } - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback)); - match ctx.set_CA_file("test/cert.pem") { + match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} - Some(err) => fail!("Unexpected error {}", err) + Some(err) => panic!("Unexpected error {}", err) } assert!(SslStream::new(&ctx, stream).is_ok()); } @@ -133,15 +137,46 @@ fn test_verify_trusted_get_error_err() { assert!(x509_ctx.get_error().is_some()); false } - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback)); assert!(SslStream::new(&ctx, stream).is_err()); } #[test] +fn test_verify_callback_data() { + fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext, node_id: &Vec<u8>) -> bool { + let cert = x509_ctx.get_current_cert(); + match cert { + None => false, + Some(cert) => { + let fingerprint = cert.fingerprint(SHA256).unwrap(); + fingerprint.as_slice() == node_id.as_slice() + } + } + } + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); + let mut ctx = SslContext::new(Sslv23).unwrap(); + + // Node id was generated as SHA256 hash of certificate "test/cert.pem" + // in DER format. + // Command: openssl x509 -in test/cert.pem -outform DER | openssl dgst -sha256 + // Please update if "test/cert.pem" will ever change + let node_hash_str = "46e3f1a6d17a41ce70d0c66ef51cee2ab4ba67cac8940e23f10c1f944b49fb5c"; + let node_id = node_hash_str.from_hex().unwrap(); + ctx.set_verify_with_data(SslVerifyPeer, callback, node_id); + ctx.set_verify_depth(1); + + match SslStream::new(&ctx, stream) { + Ok(_) => (), + Err(err) => panic!("Expected success, got {}", err) + } +} + + +#[test] fn test_write() { - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut stream = SslStream::new(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); stream.write("hello".as_bytes()).unwrap(); stream.flush().unwrap(); @@ -151,10 +186,21 @@ fn test_write() { #[test] fn test_read() { - let stream = TcpStream::connect("127.0.0.1", 15418).unwrap(); + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut stream = SslStream::new(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); stream.write("GET /\r\n\r\n".as_bytes()).unwrap(); stream.flush().unwrap(); - let buf = stream.read_to_end().ok().expect("read error"); - print!("{}", str::from_utf8(buf.as_slice())); + stream.read_to_end().ok().expect("read error"); +} + +#[test] +fn test_clone() { + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); + let mut stream = SslStream::new(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); + let mut stream2 = stream.clone(); + spawn(proc() { + stream2.write("GET /\r\n\r\n".as_bytes()).unwrap(); + stream2.flush().unwrap(); + }); + stream.read_to_end().ok().expect("read error"); } diff --git a/src/x509/mod.rs b/src/x509/mod.rs new file mode 100644 index 00000000..86152ac4 --- /dev/null +++ b/src/x509/mod.rs @@ -0,0 +1,514 @@ +use libc::{c_int, c_long, c_uint}; +use std::mem; +use std::num::SignedInt; +use std::ptr; + +use asn1::{Asn1Time}; +use bio::{MemBio}; +use crypto::hash::{HashType, evpmd}; +use crypto::pkey::{PKey}; +use crypto::rand::rand_bytes; +use ffi; +use ssl::error::{SslError, StreamError}; + + +#[cfg(test)] +mod tests; + +#[repr(i32)] +pub enum X509FileType { + PEM = ffi::X509_FILETYPE_PEM, + ASN1 = ffi::X509_FILETYPE_ASN1, + Default = ffi::X509_FILETYPE_DEFAULT +} + +pub struct X509StoreContext { + ctx: *mut ffi::X509_STORE_CTX +} + +impl X509StoreContext { + pub fn new(ctx: *mut ffi::X509_STORE_CTX) -> X509StoreContext { + X509StoreContext { + ctx: ctx + } + } + + pub fn get_error(&self) -> Option<X509ValidationError> { + let err = unsafe { ffi::X509_STORE_CTX_get_error(self.ctx) }; + X509ValidationError::from_raw(err) + } + + pub fn get_current_cert<'a>(&'a self) -> Option<X509<'a>> { + let ptr = unsafe { ffi::X509_STORE_CTX_get_current_cert(self.ctx) }; + + if ptr.is_null() { + None + } else { + Some(X509 { ctx: Some(self), handle: ptr, owned: false }) + } + } +} + +#[doc(hidden)] +trait AsStr<'a> { + fn as_str(&self) -> &'a str; +} + +#[deriving(Clone)] +pub enum KeyUsage { + DigitalSignature, + NonRepudiation, + KeyEncipherment, + DataEncipherment, + KeyAgreement, + KeyCertSign, + CRLSign, + EncipherOnly, + DecipherOnly +} + +impl AsStr<'static> for KeyUsage { + fn as_str(&self) -> &'static str { + match self { + &KeyUsage::DigitalSignature => "digitalSignature", + &KeyUsage::NonRepudiation => "nonRepudiation", + &KeyUsage::KeyEncipherment => "keyEncipherment", + &KeyUsage::DataEncipherment => "dataEncipherment", + &KeyUsage::KeyAgreement => "keyAgreement", + &KeyUsage::KeyCertSign => "keyCertSign", + &KeyUsage::CRLSign => "cRLSign", + &KeyUsage::EncipherOnly => "encipherOnly", + &KeyUsage::DecipherOnly => "decipherOnly" + } + } +} + + +#[deriving(Clone)] +pub enum ExtKeyUsage { + ServerAuth, + ClientAuth, + CodeSigning, + EmailProtection, + TimeStamping, + MsCodeInd, + MsCodeCom, + MsCtlSign, + MsSgc, + MsEfs, + NsSgc +} + +impl AsStr<'static> for ExtKeyUsage { + fn as_str(&self) -> &'static str { + match self { + &ExtKeyUsage::ServerAuth => "serverAuth", + &ExtKeyUsage::ClientAuth => "clientAuth", + &ExtKeyUsage::CodeSigning => "codeSigning", + &ExtKeyUsage::EmailProtection => "emailProtection", + &ExtKeyUsage::TimeStamping => "timeStamping", + &ExtKeyUsage::MsCodeInd => "msCodeInd", + &ExtKeyUsage::MsCodeCom => "msCodeCom", + &ExtKeyUsage::MsCtlSign => "msCTLSign", + &ExtKeyUsage::MsSgc => "msSGC", + &ExtKeyUsage::MsEfs => "msEFS", + &ExtKeyUsage::NsSgc =>"nsSGC" + } + } +} + + +// FIXME: a dirty hack as there is no way to +// implement ToString for Vec as both are defined +// in another crate +#[doc(hidden)] +trait ToStr { + fn to_str(&self) -> String; +} + +impl<'a, T: AsStr<'a>> ToStr for Vec<T> { + fn to_str(&self) -> String { + self.iter().enumerate().fold(String::new(), |mut acc, (idx, v)| { + if idx > 0 { acc.push(',') }; + acc.push_str(v.as_str()); + acc + }) + } +} + +#[allow(non_snake_case)] +/// Generator of private key/certificate pairs +/// +/// # Example +/// +/// ``` +/// use std::io::{File, Open, Write}; +/// # use std::io::fs; +/// +/// use openssl::crypto::hash::SHA256; +/// use openssl::x509::{DigitalSignature, X509Generator}; +/// +/// let gen = X509Generator::new() +/// .set_bitlength(2048) +/// .set_valid_period(365*2) +/// .set_CN("SuperMegaCorp Inc.") +/// .set_sign_hash(SHA256) +/// .set_usage(&[DigitalSignature]); +/// +/// let (cert, pkey) = gen.generate().unwrap(); +/// +/// let cert_path = Path::new("doc_cert.pem"); +/// let mut file = File::open_mode(&cert_path, Open, Write).unwrap(); +/// assert!(cert.write_pem(&mut file).is_ok()); +/// # let _ = fs::unlink(&cert_path); +/// +/// let pkey_path = Path::new("doc_key.pem"); +/// let mut file = File::open_mode(&pkey_path, Open, Write).unwrap(); +/// assert!(pkey.write_pem(&mut file).is_ok()); +/// # let _ = fs::unlink(&pkey_path); +/// ``` +pub struct X509Generator { + bits: uint, + days: uint, + CN: String, + key_usage: Vec<KeyUsage>, + ext_key_usage: Vec<ExtKeyUsage>, + hash_type: HashType, +} + +impl X509Generator { + /// Creates a new generator with the following defaults: + /// + /// bit length: 1024 + /// + /// validity period: 365 days + /// + /// CN: "rust-openssl" + /// + /// hash: SHA1 + pub fn new() -> X509Generator { + X509Generator { + bits: 1024, + days: 365, + CN: "rust-openssl".to_string(), + key_usage: Vec::new(), + ext_key_usage: Vec::new(), + hash_type: HashType::SHA1 + } + } + + /// Sets desired bit length + pub fn set_bitlength(mut self, bits: uint) -> X509Generator { + self.bits = bits; + self + } + + /// Sets certificate validity period in days since today + pub fn set_valid_period(mut self, days: uint) -> X509Generator { + self.days = days; + self + } + + #[allow(non_snake_case)] + /// Sets Common Name of certificate + pub fn set_CN(mut self, CN: &str) -> X509Generator { + self.CN = CN.to_string(); + self + } + + /// Sets what for certificate could be used + pub fn set_usage(mut self, purposes: &[KeyUsage]) -> X509Generator { + self.key_usage = purposes.to_vec(); + self + } + + /// Sets allowed extended usage of certificate + pub fn set_ext_usage(mut self, purposes: &[ExtKeyUsage]) -> X509Generator { + self.ext_key_usage = purposes.to_vec(); + self + } + + pub fn set_sign_hash(mut self, hash_type: HashType) -> X509Generator { + self.hash_type = hash_type; + self + } + + fn add_extension(x509: *mut ffi::X509, extension: c_int, value: &str) -> Result<(), SslError> { + unsafe { + let mut ctx: ffi::X509V3_CTX = mem::zeroed(); + ffi::X509V3_set_ctx(&mut ctx, x509, x509, + ptr::null_mut(), ptr::null_mut(), 0); + let ext = value.with_c_str(|value| + ffi::X509V3_EXT_conf_nid(ptr::null_mut(), + mem::transmute(&ctx), + extension, + mem::transmute(value))); + + let mut success = false; + if ext != ptr::null_mut() { + success = ffi::X509_add_ext(x509, ext, -1) != 0; + ffi::X509_EXTENSION_free(ext); + } + lift_ssl_if!(!success) + } + } + + fn add_name(name: *mut ffi::X509_NAME, key: &str, value: &str) -> Result<(), SslError> { + let value_len = value.len() as c_int; + lift_ssl!(key.with_c_str(|key| { + value.with_c_str(|value| unsafe { + ffi::X509_NAME_add_entry_by_txt(name, key, ffi::MBSTRING_UTF8, + value, value_len, -1, 0) + }) + })) + } + + fn random_serial() -> c_long { + let len = mem::size_of::<c_long>(); + let bytes = rand_bytes(len); + let mut res = 0; + for b in bytes.iter() { + res = res << 8; + res |= (*b as c_long) & 0xff; + } + + // While OpenSSL is actually OK to have negative serials + // other libraries (for example, Go crypto) can drop + // such certificates as invalid + res.abs() + } + + /// Generates a private key and a signed certificate and returns them + pub fn generate<'a>(&self) -> Result<(X509<'a>, PKey), SslError> { + ffi::init(); + + let mut p_key = PKey::new(); + p_key.gen(self.bits); + + unsafe { + let x509 = ffi::X509_new(); + try_ssl_null!(x509); + + let x509 = X509 { handle: x509, ctx: None, owned: true}; + + try_ssl!(ffi::X509_set_version(x509.handle, 2)); + try_ssl!(ffi::ASN1_INTEGER_set(ffi::X509_get_serialNumber(x509.handle), X509Generator::random_serial())); + + let not_before = try!(Asn1Time::days_from_now(0)); + let not_after = try!(Asn1Time::days_from_now(self.days)); + + try_ssl!(ffi::X509_set_notBefore(x509.handle, mem::transmute(not_before.get_handle()))); + // If prev line succeded - ownership should go to cert + mem::forget(not_before); + + try_ssl!(ffi::X509_set_notAfter(x509.handle, mem::transmute(not_after.get_handle()))); + // If prev line succeded - ownership should go to cert + mem::forget(not_after); + + try_ssl!(ffi::X509_set_pubkey(x509.handle, p_key.get_handle())); + + let name = ffi::X509_get_subject_name(x509.handle); + try_ssl_null!(name); + + try!(X509Generator::add_name(name, "CN", self.CN.as_slice())); + ffi::X509_set_issuer_name(x509.handle, name); + + if self.key_usage.len() > 0 { + try!(X509Generator::add_extension(x509.handle, ffi::NID_key_usage, + self.key_usage.to_str().as_slice())); + } + + if self.ext_key_usage.len() > 0 { + try!(X509Generator::add_extension(x509.handle, ffi::NID_ext_key_usage, + self.ext_key_usage.to_str().as_slice())); + } + + let (hash_fn, _) = evpmd(self.hash_type); + try_ssl!(ffi::X509_sign(x509.handle, p_key.get_handle(), hash_fn)); + Ok((x509, p_key)) + } + } +} + + +#[allow(dead_code)] +/// A public key certificate +pub struct X509<'ctx> { + ctx: Option<&'ctx X509StoreContext>, + handle: *mut ffi::X509, + owned: bool +} + +impl<'ctx> X509<'ctx> { + /// Creates new from handle with desired ownership. + pub fn new(handle: *mut ffi::X509, owned: bool) -> X509<'ctx> { + X509 { + ctx: None, + handle: handle, + owned: owned, + } + } + + /// Creates a new certificate from context. Doesn't take ownership + /// of handle. + pub fn new_in_ctx(handle: *mut ffi::X509, ctx: &'ctx X509StoreContext) -> X509<'ctx> { + X509 { + ctx: Some(ctx), + handle: handle, + owned: false + } + } + + /// Reads certificate from PEM, takes ownership of handle + pub fn from_pem(reader: &mut Reader) -> Result<X509<'ctx>, SslError> { + let mut mem_bio = try!(MemBio::new()); + let buf = try!(reader.read_to_end().map_err(StreamError)); + try!(mem_bio.write(buf.as_slice()).map_err(StreamError)); + + unsafe { + let handle = try_ssl_null!(ffi::PEM_read_bio_X509(mem_bio.get_handle(), + ptr::null_mut(), + None, ptr::null_mut())); + Ok(X509::new(handle, true)) + } + } + + pub fn subject_name<'a>(&'a self) -> X509Name<'a> { + let name = unsafe { ffi::X509_get_subject_name(self.handle) }; + X509Name { x509: self, name: name } + } + + /// Returns certificate fingerprint calculated using provided hash + pub fn fingerprint(&self, hash_type: HashType) -> Option<Vec<u8>> { + let (evp, len) = evpmd(hash_type); + let v: Vec<u8> = Vec::from_elem(len, 0); + let act_len: c_uint = 0; + let res = unsafe { + ffi::X509_digest(self.handle, evp, mem::transmute(v.as_ptr()), + mem::transmute(&act_len)) + }; + + match res { + 0 => None, + _ => { + let act_len = act_len as uint; + match len.cmp(&act_len) { + Greater => None, + Equal => Some(v), + Less => panic!("Fingerprint buffer was corrupted!") + } + } + } + } + + /// Writes certificate as PEM + pub fn write_pem(&self, writer: &mut Writer) -> Result<(), SslError> { + let mut mem_bio = try!(MemBio::new()); + unsafe { + try_ssl!(ffi::PEM_write_bio_X509(mem_bio.get_handle(), + self.handle)); + } + let buf = try!(mem_bio.read_to_end().map_err(StreamError)); + writer.write(buf.as_slice()).map_err(StreamError) + } +} + +#[unsafe_destructor] +impl<'ctx> Drop for X509<'ctx> { + fn drop(&mut self) { + if self.owned { + unsafe { ffi::X509_free(self.handle) }; + } + } +} + +#[allow(dead_code)] +pub struct X509Name<'x> { + x509: &'x X509<'x>, + name: *mut ffi::X509_NAME +} + +macro_rules! make_validation_error( + ($ok_val:ident, $($name:ident = $val:ident,)+) => ( + pub enum X509ValidationError { + $($name,)+ + X509UnknownError(c_int) + } + + impl X509ValidationError { + #[doc(hidden)] + pub fn from_raw(err: c_int) -> Option<X509ValidationError> { + match err { + ffi::$ok_val => None, + $(ffi::$val => Some(X509ValidationError::$name),)+ + err => Some(X509ValidationError::X509UnknownError(err)) + } + } + } + ) +) + +make_validation_error!(X509_V_OK, + X509UnableToGetIssuerCert = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, + X509UnableToGetCrl = X509_V_ERR_UNABLE_TO_GET_CRL, + X509UnableToDecryptCertSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, + X509UnableToDecryptCrlSignature = X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, + X509UnableToDecodeIssuerPublicKey = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, + X509CertSignatureFailure = X509_V_ERR_CERT_SIGNATURE_FAILURE, + X509CrlSignatureFailure = X509_V_ERR_CRL_SIGNATURE_FAILURE, + X509CertNotYetValid = X509_V_ERR_CERT_NOT_YET_VALID, + X509CertHasExpired = X509_V_ERR_CERT_HAS_EXPIRED, + X509CrlNotYetValid = X509_V_ERR_CRL_NOT_YET_VALID, + X509CrlHasExpired = X509_V_ERR_CRL_HAS_EXPIRED, + X509ErrorInCertNotBeforeField = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, + X509ErrorInCertNotAfterField = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, + X509ErrorInCrlLastUpdateField = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, + X509ErrorInCrlNextUpdateField = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, + X509OutOfMem = X509_V_ERR_OUT_OF_MEM, + X509DepthZeroSelfSignedCert = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, + X509SelfSignedCertInChain = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, + X509UnableToGetIssuerCertLocally = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, + X509UnableToVerifyLeafSignature = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, + X509CertChainTooLong = X509_V_ERR_CERT_CHAIN_TOO_LONG, + X509CertRevoked = X509_V_ERR_CERT_REVOKED, + X509InvalidCA = X509_V_ERR_INVALID_CA, + X509PathLengthExceeded = X509_V_ERR_PATH_LENGTH_EXCEEDED, + X509InvalidPurpose = X509_V_ERR_INVALID_PURPOSE, + X509CertUntrusted = X509_V_ERR_CERT_UNTRUSTED, + X509CertRejected = X509_V_ERR_CERT_REJECTED, + X509SubjectIssuerMismatch = X509_V_ERR_SUBJECT_ISSUER_MISMATCH, + X509AkidSkidMismatch = X509_V_ERR_AKID_SKID_MISMATCH, + X509AkidIssuerSerialMismatch = X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH, + X509KeyusageNoCertsign = X509_V_ERR_KEYUSAGE_NO_CERTSIGN, + X509UnableToGetCrlIssuer = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, + X509UnhandledCriticalExtension = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, + X509KeyusageNoCrlSign = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN, + X509UnhandledCriticalCrlExtension = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, + X509InvalidNonCA = X509_V_ERR_INVALID_NON_CA, + X509ProxyPathLengthExceeded = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED, + X509KeyusageNoDigitalSignature = X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE, + X509ProxyCertificatesNotAllowed = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, + X509InvalidExtension = X509_V_ERR_INVALID_EXTENSION, + X509InavlidPolicyExtension = X509_V_ERR_INVALID_POLICY_EXTENSION, + X509NoExplicitPolicy = X509_V_ERR_NO_EXPLICIT_POLICY, + X509DifferentCrlScope = X509_V_ERR_DIFFERENT_CRL_SCOPE, + X509UnsupportedExtensionFeature = X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE, + X509UnnestedResource = X509_V_ERR_UNNESTED_RESOURCE, + X509PermittedVolation = X509_V_ERR_PERMITTED_VIOLATION, + X509ExcludedViolation = X509_V_ERR_EXCLUDED_VIOLATION, + X509SubtreeMinmax = X509_V_ERR_SUBTREE_MINMAX, + X509UnsupportedConstraintType = X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, + X509UnsupportedConstraintSyntax = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX, + X509UnsupportedNameSyntax = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, + X509CrlPathValidationError= X509_V_ERR_CRL_PATH_VALIDATION_ERROR, + X509ApplicationVerification = X509_V_ERR_APPLICATION_VERIFICATION, +) + + +#[test] +fn test_negative_serial() { + // I guess that's enough to get a random negative number + for _ in range(0u, 1000) { + assert!(X509Generator::random_serial() > 0, "All serials should be positive"); + } +} diff --git a/src/x509/tests.rs b/src/x509/tests.rs new file mode 100644 index 00000000..4e7fc925 --- /dev/null +++ b/src/x509/tests.rs @@ -0,0 +1,51 @@ +use serialize::hex::FromHex; +use std::io::{File, Open, Read}; +use std::io::util::NullWriter; + +use crypto::hash::HashType::{SHA256}; +use x509::{X509, X509Generator}; +use x509::KeyUsage::{DigitalSignature, KeyEncipherment}; +use x509::ExtKeyUsage::{ClientAuth, ServerAuth}; + +#[test] +fn test_cert_gen() { + let gen = X509Generator::new() + .set_bitlength(2048) + .set_valid_period(365*2) + .set_CN("test_me") + .set_sign_hash(SHA256) + .set_usage(&[DigitalSignature, KeyEncipherment]) + .set_ext_usage(&[ClientAuth, ServerAuth]); + + let res = gen.generate(); + assert!(res.is_ok()); + + let (cert, pkey) = res.unwrap(); + + let mut writer = NullWriter; + assert!(cert.write_pem(&mut writer).is_ok()); + assert!(pkey.write_pem(&mut writer).is_ok()); + + // FIXME: check data in result to be correct, needs implementation + // of X509 getters +} + +#[test] +fn test_cert_loading() { + let cert_path = Path::new("test/cert.pem"); + let mut file = File::open_mode(&cert_path, Open, Read) + .ok() + .expect("Failed to open `test/cert.pem`"); + + let cert = X509::from_pem(&mut file).ok().expect("Failed to load PEM"); + let fingerprint = cert.fingerprint(SHA256).unwrap(); + + // Hash was generated as SHA256 hash of certificate "test/cert.pem" + // in DER format. + // Command: openssl x509 -in test/cert.pem -outform DER | openssl dgst -sha256 + // Please update if "test/cert.pem" will ever change + let hash_str = "46e3f1a6d17a41ce70d0c66ef51cee2ab4ba67cac8940e23f10c1f944b49fb5c"; + let hash_vec = hash_str.from_hex().unwrap(); + + assert_eq!(fingerprint.as_slice(), hash_vec.as_slice()); +} |