From 276577553501164c183ebffa2accf87380dac8c0 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 13 Feb 2018 22:28:01 -0800 Subject: OpenSSL 1.1.1 support --- openssl/src/ssl/connector.rs | 13 ++++++++++ openssl/src/ssl/mod.rs | 59 ++++++++++++++++++++++---------------------- openssl/src/ssl/test.rs | 16 +++++++++++- 3 files changed, 57 insertions(+), 31 deletions(-) (limited to 'openssl/src/ssl') diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 9e485ab9..9d1ceadc 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -206,6 +206,12 @@ impl SslAcceptor { /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS pub fn mozilla_intermediate(method: SslMethod) -> Result { let mut ctx = ctx(method)?; + #[cfg(ossl111)] + { + ctx.set_options(SslOptions { + bits: ::ffi::SSL_OP_NO_TLSv1_3, + }); + } let dh = Dh::params_from_pem(DHPARAM_PEM.as_bytes())?; ctx.set_tmp_dh(&dh)?; setup_curves(&mut ctx)?; @@ -232,6 +238,13 @@ impl SslAcceptor { /// [docs]: https://wiki.mozilla.org/Security/Server_Side_TLS pub fn mozilla_modern(method: SslMethod) -> Result { let mut ctx = ctx(method)?; + ctx.set_options(SslOptions::NO_TLSV1 | SslOptions::NO_TLSV1_1); + #[cfg(ossl111)] + { + ctx.set_options(SslOptions { + bits: ::ffi::SSL_OP_NO_TLSv1_3, + }); + } setup_curves(&mut ctx)?; ctx.set_cipher_list( "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\ diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 2474c2ab..51176583 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -177,14 +177,20 @@ bitflags! { /// Disables the use of TLSv1.2. const NO_TLSV1_2 = ffi::SSL_OP_NO_TLSv1_2; + /// Disables the use of TLSv1.3. + /// + /// Requires the `v111` feature and OpenSSL 1.1.1. + #[cfg(all(feature = "v111", ossl111))] + const NO_TLSV1_3 = ffi::SSL_OP_NO_TLSv1_3; + /// Disables the use of DTLSv1.0 /// - /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. + /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] const NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1; /// Disables the use of DTLSv1.2. - /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. + /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] const NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2; @@ -192,7 +198,7 @@ bitflags! { /// /// This can be used as a mask when whitelisting protocol versions. /// - /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. + /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. /// /// # Examples /// @@ -453,7 +459,7 @@ impl SslAlert { /// An error returned from an ALPN selection callback. /// -/// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. +/// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] #[derive(Debug, Copy, Clone)] pub struct AlpnError(c_int); @@ -462,7 +468,7 @@ pub struct AlpnError(c_int); impl AlpnError { /// Terminate the handshake with a fatal alert. /// - /// Requires the `v110` feature and OpenSSL 1.1.0. + /// Requires OpenSSL 1.1.0 or 1.1.1 and the corresponding Cargo feature. #[cfg(all(feature = "v110", ossl110))] pub const ALERT_FATAL: AlpnError = AlpnError(ffi::SSL_TLSEXT_ERR_ALERT_FATAL); @@ -610,7 +616,7 @@ impl SslContextBuilder { /// Sets a custom certificate store for verifying peer certificates. /// - /// Requires the `v102` feature and OpenSSL 1.0.2, or the `v110` feature and OpenSSL 1.1.0. + /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. /// /// This corresponds to [`SSL_CTX_set0_verify_cert_store`]. /// @@ -619,8 +625,7 @@ impl SslContextBuilder { pub fn set_verify_cert_store(&mut self, cert_store: X509Store) -> Result<(), ErrorStack> { unsafe { let ptr = cert_store.as_ptr(); - cvt(ffi::SSL_CTX_set0_verify_cert_store(self.as_ptr(), ptr) - as c_int)?; + cvt(ffi::SSL_CTX_set0_verify_cert_store(self.as_ptr(), ptr) as c_int)?; mem::forget(cert_store); Ok(()) @@ -650,8 +655,8 @@ impl SslContextBuilder { /// [`SSL_CTX_set_mode`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_mode.html pub fn set_mode(&mut self, mode: SslMode) -> SslMode { unsafe { - let mode = ffi::SSL_CTX_set_mode(self.as_ptr(), mode.bits()); - SslMode::from_bits(mode).unwrap() + let bits = ffi::SSL_CTX_set_mode(self.as_ptr(), mode.bits()); + SslMode { bits } } } @@ -694,11 +699,7 @@ impl SslContextBuilder { /// /// This corresponds to `SSL_CTX_set_tmp_ecdh`. pub fn set_tmp_ecdh(&mut self, key: &EcKeyRef) -> Result<(), ErrorStack> { - unsafe { - cvt(ffi::SSL_CTX_set_tmp_ecdh(self.as_ptr(), key.as_ptr()) - as c_int) - .map(|_| ()) - } + unsafe { cvt(ffi::SSL_CTX_set_tmp_ecdh(self.as_ptr(), key.as_ptr()) as c_int).map(|_| ()) } } /// Sets the callback which will generate parameters to be used during ephemeral elliptic curve @@ -942,8 +943,8 @@ impl SslContextBuilder { /// /// [`SSL_CTX_set_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html pub fn set_options(&mut self, option: SslOptions) -> SslOptions { - let ret = unsafe { compat::SSL_CTX_set_options(self.as_ptr(), option.bits()) }; - SslOptions::from_bits(ret).unwrap() + let bits = unsafe { compat::SSL_CTX_set_options(self.as_ptr(), option.bits()) }; + SslOptions { bits } } /// Returns the options used by the context. @@ -952,8 +953,8 @@ impl SslContextBuilder { /// /// [`SSL_CTX_get_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html pub fn options(&self) -> SslOptions { - let ret = unsafe { compat::SSL_CTX_get_options(self.as_ptr()) }; - SslOptions::from_bits(ret).unwrap() + let bits = unsafe { compat::SSL_CTX_get_options(self.as_ptr()) }; + SslOptions { bits } } /// Clears the options used by the context, returning the old set. @@ -962,8 +963,8 @@ impl SslContextBuilder { /// /// [`SSL_CTX_clear_options`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html pub fn clear_options(&mut self, option: SslOptions) -> SslOptions { - let ret = unsafe { compat::SSL_CTX_clear_options(self.as_ptr(), option.bits()) }; - SslOptions::from_bits(ret).unwrap() + let bits = unsafe { compat::SSL_CTX_clear_options(self.as_ptr(), option.bits()) }; + SslOptions { bits } } /// Sets the protocols to sent to the server for Application Layer Protocol Negotiation (ALPN). @@ -975,7 +976,7 @@ impl SslContextBuilder { /// /// This corresponds to [`SSL_CTX_set_alpn_protos`]. /// - /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. + /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. /// /// [`SSL_CTX_set_alpn_protos`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_alpn_protos.html #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] @@ -1006,7 +1007,7 @@ impl SslContextBuilder { /// /// This corresponds to [`SSL_CTX_set_alpn_select_cb`]. /// - /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. + /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. /// /// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos /// [`select_next_proto`]: fn.select_next_proto.html @@ -1086,9 +1087,7 @@ impl SslContextBuilder { Box::into_raw(callback) as *mut c_void, ); let f: unsafe extern "C" fn(_, _) -> _ = raw_tlsext_status::; - cvt(ffi::SSL_CTX_set_tlsext_status_cb(self.as_ptr(), Some(f)) - as c_int) - .map(|_| ()) + cvt(ffi::SSL_CTX_set_tlsext_status_cb(self.as_ptr(), Some(f)) as c_int).map(|_| ()) } } @@ -1206,7 +1205,7 @@ impl SslContext { impl SslContextRef { /// Returns the certificate associated with this `SslContext`, if present. /// - /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. + /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. /// /// This corresponds to [`SSL_CTX_get0_certificate`]. /// @@ -1225,7 +1224,7 @@ impl SslContextRef { /// Returns the private key associated with this `SslContext`, if present. /// - /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. + /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. /// /// This corresponds to [`SSL_CTX_get0_privatekey`]. /// @@ -1782,7 +1781,7 @@ impl SslRef { /// The protocol's name is returned is an opaque sequence of bytes. It is up to the client /// to interpret it. /// - /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. + /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. /// /// This corresponds to [`SSL_get0_alpn_selected`]. /// @@ -1857,7 +1856,7 @@ impl SslRef { /// Returns a mutable reference to the X509 verification configuration. /// - /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or 1.1.0. + /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. /// /// This corresponds to [`SSL_get0_param`]. /// diff --git a/openssl/src/ssl/test.rs b/openssl/src/ssl/test.rs index dc58c4fa..938b6f32 100644 --- a/openssl/src/ssl/test.rs +++ b/openssl/src/ssl/test.rs @@ -895,7 +895,7 @@ fn connector_no_hostname_can_disable_verify() { #[test] fn connector_client_server_mozilla_intermediate() { - let listener = TcpListener::bind("127.0.0.1:0").unwrap(); + let listener = TcpListener::bind("127.0.0.1:1234").unwrap(); let port = listener.local_addr().unwrap().port(); let t = thread::spawn(move || { @@ -1038,6 +1038,13 @@ fn tmp_dh_callback() { let stream = TcpStream::connect(("127.0.0.1", port)).unwrap(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); + // TLS 1.3 has no DH suites, and openssl isn't happy if the max version has no suites :( + #[cfg(ossl111)] + { + ctx.set_options(super::SslOptions { + bits: ::ffi::SSL_OP_NO_TLSv1_3, + }); + } ctx.set_cipher_list("EDH").unwrap(); let ssl = Ssl::new(&ctx.build()).unwrap(); ssl.connect(stream).unwrap(); @@ -1106,6 +1113,13 @@ fn tmp_dh_callback_ssl() { let stream = TcpStream::connect(("127.0.0.1", port)).unwrap(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); + // TLS 1.3 has no DH suites, and openssl isn't happy if the max version has no suites :( + #[cfg(ossl111)] + { + ctx.set_options(super::SslOptions { + bits: ::ffi::SSL_OP_NO_TLSv1_3, + }); + } ctx.set_cipher_list("EDH").unwrap(); let ssl = Ssl::new(&ctx.build()).unwrap(); ssl.connect(stream).unwrap(); -- cgit v1.2.3 From e8fd63bae3556bc7cf4fcf6588407f165a475655 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 14 Feb 2018 19:36:11 -0800 Subject: Fix tests for TLS 1.3 Google yells at you when using TLS 1.3 without SNI by sending a bogus self-signed cert! --- openssl/src/ssl/test.rs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'openssl/src/ssl') diff --git a/openssl/src/ssl/test.rs b/openssl/src/ssl/test.rs index 938b6f32..765d3044 100644 --- a/openssl/src/ssl/test.rs +++ b/openssl/src/ssl/test.rs @@ -763,8 +763,11 @@ fn default_verify_paths() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_default_verify_paths().unwrap(); ctx.set_verify(SslVerifyMode::PEER); + let ctx = ctx.build(); let s = TcpStream::connect("google.com:443").unwrap(); - let mut socket = Ssl::new(&ctx.build()).unwrap().connect(s).unwrap(); + let mut ssl = Ssl::new(&ctx).unwrap(); + ssl.set_hostname("google.com").unwrap(); + let mut socket = ssl.connect(s).unwrap(); socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap(); let mut result = vec![]; @@ -794,6 +797,7 @@ fn verify_valid_hostname() { ssl.param_mut() .set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS); ssl.param_mut().set_host("google.com").unwrap(); + ssl.set_hostname("google.com").unwrap(); let s = TcpStream::connect("google.com:443").unwrap(); let mut socket = ssl.connect(s).unwrap(); @@ -855,7 +859,6 @@ fn connector_invalid_no_hostname_verification() { connector .configure() .unwrap() - .use_server_name_indication(false) .verify_hostname(false) .connect("foobar.com", s) .unwrap(); -- cgit v1.2.3 From f4ddd66b0314fa6d5f8eda9d1a13167612376c81 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 14 Feb 2018 22:04:29 -0800 Subject: Tweak features We should keep the version features totally separate for now. --- openssl/src/ssl/callbacks.rs | 6 ++++-- openssl/src/ssl/mod.rs | 41 +++++++++++++++++++++++++++-------------- openssl/src/ssl/test.rs | 38 +++++++++++++++++++++++++------------- 3 files changed, 56 insertions(+), 29 deletions(-) (limited to 'openssl/src/ssl') diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index 7d884b4e..9a3d3de1 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -12,7 +12,8 @@ use dh::Dh; use ec::EcKey; use pkey::Params; use ssl::{get_callback_idx, get_ssl_callback_idx, SniError, SslAlert, SslRef}; -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] use ssl::AlpnError; use x509::X509StoreContextRef; @@ -107,7 +108,8 @@ where } } -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] pub extern "C" fn raw_alpn_select( ssl: *mut ffi::SSL, out: *mut *const c_uchar, diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 51176583..8e483015 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -85,7 +85,8 @@ use ec::EcKeyRef; use ec::EcKey; use x509::{X509, X509Name, X509Ref, X509StoreContextRef, X509VerifyResult}; use x509::store::{X509StoreBuilderRef, X509StoreRef}; -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] use x509::store::X509Store; #[cfg(any(ossl102, ossl110))] use verify::X509VerifyParamRef; @@ -186,12 +187,14 @@ bitflags! { /// Disables the use of DTLSv1.0 /// /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] const NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1; /// Disables the use of DTLSv1.2. /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] const NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2; /// Disables the use of all (D)TLS protocol versions. @@ -209,7 +212,8 @@ bitflags! { /// /// let options = SslOptions::NO_SSL_MASK & !SslOptions::NO_TLSV1_2; /// ``` - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] const NO_SSL_MASK = ffi::SSL_OP_NO_SSL_MASK; } } @@ -460,16 +464,18 @@ impl SslAlert { /// An error returned from an ALPN selection callback. /// /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] #[derive(Debug, Copy, Clone)] pub struct AlpnError(c_int); -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] impl AlpnError { /// Terminate the handshake with a fatal alert. /// /// Requires OpenSSL 1.1.0 or 1.1.1 and the corresponding Cargo feature. - #[cfg(all(feature = "v110", ossl110))] + #[cfg(any(all(feature = "v110", ossl110), all(feature = "v111", ossl111)))] pub const ALERT_FATAL: AlpnError = AlpnError(ffi::SSL_TLSEXT_ERR_ALERT_FATAL); /// Do not select a protocol, but continue the handshake. @@ -621,7 +627,8 @@ impl SslContextBuilder { /// This corresponds to [`SSL_CTX_set0_verify_cert_store`]. /// /// [`SSL_CTX_set0_verify_cert_store`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set0_verify_cert_store.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] pub fn set_verify_cert_store(&mut self, cert_store: X509Store) -> Result<(), ErrorStack> { unsafe { let ptr = cert_store.as_ptr(); @@ -979,7 +986,8 @@ impl SslContextBuilder { /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature. /// /// [`SSL_CTX_set_alpn_protos`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_alpn_protos.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] pub fn set_alpn_protos(&mut self, protocols: &[u8]) -> Result<(), ErrorStack> { unsafe { assert!(protocols.len() <= c_uint::max_value() as usize); @@ -1012,7 +1020,8 @@ impl SslContextBuilder { /// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos /// [`select_next_proto`]: fn.select_next_proto.html /// [`SSL_CTX_set_alpn_select_cb`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_alpn_protos.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] pub fn set_alpn_select_callback(&mut self, callback: F) where F: for<'a> Fn(&mut SslRef, &'a [u8]) -> Result<&'a [u8], AlpnError> + 'static + Sync + Send, @@ -1210,7 +1219,8 @@ impl SslContextRef { /// This corresponds to [`SSL_CTX_get0_certificate`]. /// /// [`SSL_CTX_get0_certificate`]: https://www.openssl.org/docs/man1.1.0/ssl/ssl.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] pub fn certificate(&self) -> Option<&X509Ref> { unsafe { let ptr = ffi::SSL_CTX_get0_certificate(self.as_ptr()); @@ -1229,7 +1239,8 @@ impl SslContextRef { /// This corresponds to [`SSL_CTX_get0_privatekey`]. /// /// [`SSL_CTX_get0_privatekey`]: https://www.openssl.org/docs/man1.1.0/ssl/ssl.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] pub fn private_key(&self) -> Option<&PKeyRef> { unsafe { let ptr = ffi::SSL_CTX_get0_privatekey(self.as_ptr()); @@ -1786,7 +1797,8 @@ impl SslRef { /// This corresponds to [`SSL_get0_alpn_selected`]. /// /// [`SSL_get0_alpn_selected`]: https://www.openssl.org/docs/manmaster/man3/SSL_get0_next_proto_negotiated.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] pub fn selected_alpn_protocol(&self) -> Option<&[u8]> { unsafe { let mut data: *const c_uchar = ptr::null(); @@ -1861,7 +1873,8 @@ impl SslRef { /// This corresponds to [`SSL_get0_param`]. /// /// [`SSL_get0_param`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_get0_param.html - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] pub fn param_mut(&mut self) -> &mut X509VerifyParamRef { self._param_mut() } diff --git a/openssl/src/ssl/test.rs b/openssl/src/ssl/test.rs index 765d3044..51ae6cae 100644 --- a/openssl/src/ssl/test.rs +++ b/openssl/src/ssl/test.rs @@ -21,7 +21,8 @@ use ssl; use ssl::{Error, HandshakeError, ShutdownResult, Ssl, SslAcceptor, SslConnector, SslContext, SslFiletype, SslMethod, SslStream, SslVerifyMode, StatusType}; use x509::{X509, X509Name, X509StoreContext, X509VerifyResult}; -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] use x509::verify::X509CheckFlags; use pkey::PKey; @@ -135,14 +136,17 @@ macro_rules! run_test( use ssl::{SslContext, Ssl, SslStream, SslVerifyMode, SslOptions}; use hash::MessageDigest; use x509::{X509StoreContext, X509VerifyResult}; - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] use x509::X509; - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] use x509::store::X509StoreBuilder; use hex::FromHex; use foreign_types::ForeignTypeRef; use super::Server; - #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] use super::ROOT_CERT; #[test] @@ -182,7 +186,8 @@ run_test!(verify_trusted, |method, stream| { } }); -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] run_test!(verify_trusted_with_set_cert, |method, stream| { let x509 = X509::from_pem(ROOT_CERT).unwrap(); let mut store = X509StoreBuilder::new().unwrap(); @@ -477,7 +482,8 @@ fn test_state() { /// Tests that connecting with the client using ALPN, but the server not does not /// break the existing connection behavior. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] fn test_connect_with_unilateral_alpn() { let (_s, stream) = Server::new(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); @@ -499,7 +505,8 @@ fn test_connect_with_unilateral_alpn() { /// Tests that when both the client as well as the server use ALPN and their /// lists of supported protocols have an overlap, the correct protocol is chosen. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] fn test_connect_with_alpn_successful_multiple_matching() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); @@ -522,7 +529,8 @@ fn test_connect_with_alpn_successful_multiple_matching() { /// lists of supported protocols have an overlap -- with only ONE protocol /// being valid for both. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] fn test_connect_with_alpn_successful_single_match() { let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); @@ -544,7 +552,8 @@ fn test_connect_with_alpn_successful_single_match() { /// Tests that when the `SslStream` is created as a server stream, the protocols /// are correctly advertised to the client. #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] fn test_alpn_server_advertise_multiple() { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let localhost = listener.local_addr().unwrap(); @@ -586,7 +595,7 @@ fn test_alpn_server_advertise_multiple() { } #[test] -#[cfg(all(feature = "v110", ossl110))] +#[cfg(any(all(feature = "v110", ossl110), all(feature = "v111", ossl111)))] fn test_alpn_server_select_none_fatal() { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let localhost = listener.local_addr().unwrap(); @@ -620,7 +629,8 @@ fn test_alpn_server_select_none_fatal() { } #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] fn test_alpn_server_select_none() { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let localhost = listener.local_addr().unwrap(); @@ -787,7 +797,8 @@ fn add_extra_chain_cert() { } #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] fn verify_valid_hostname() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_default_verify_paths().unwrap(); @@ -812,7 +823,8 @@ fn verify_valid_hostname() { } #[test] -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110), + all(feature = "v111", ossl111)))] fn verify_invalid_hostname() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_default_verify_paths().unwrap(); -- cgit v1.2.3