From 62c29b54c1723d19627082df52b451986a130b79 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 15 May 2016 22:11:10 -0700 Subject: Update cert Now with a 10 year expriation --- openssl/src/ssl/tests/mod.rs | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'openssl/src/ssl') diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index c3e7a363..ccdc44e4 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -196,7 +196,7 @@ macro_rules! run_test( use ssl::SslMethod; use ssl::{SslContext, Ssl, SslStream, VerifyCallback}; use ssl::SSL_VERIFY_PEER; - use crypto::hash::Type::SHA256; + use crypto::hash::Type::SHA1; use x509::X509StoreContext; use serialize::hex::FromHex; use super::Server; @@ -359,7 +359,7 @@ run_test!(verify_callback_data, |method, stream| { match cert { None => false, Some(cert) => { - let fingerprint = cert.fingerprint(SHA256).unwrap(); + let fingerprint = cert.fingerprint(SHA1).unwrap(); &fingerprint == node_id } } @@ -370,7 +370,7 @@ run_test!(verify_callback_data, |method, stream| { // in DER format. // Command: openssl x509 -in test/cert.pem -outform DER | openssl dgst -sha256 // Please update if "test/cert.pem" will ever change - let node_hash_str = "db400bb62f1b1f29c3b8f323b8f7d9dea724fdcd67104ef549c772ae3749655b"; + let node_hash_str = "E19427DAC79FBE758394945276A6E4F15F0BEBE6"; let node_id = node_hash_str.from_hex().unwrap(); ctx.set_verify_with_data(SSL_VERIFY_PEER, callback, node_id); ctx.set_verify_depth(1); @@ -390,14 +390,14 @@ run_test!(ssl_verify_callback, |method, stream| { let ctx = SslContext::new(method).unwrap(); let mut ssl = ctx.into_ssl().unwrap(); - let node_hash_str = "db400bb62f1b1f29c3b8f323b8f7d9dea724fdcd67104ef549c772ae3749655b"; + let node_hash_str = "E19427DAC79FBE758394945276A6E4F15F0BEBE6"; let node_id = node_hash_str.from_hex().unwrap(); ssl.set_verify_callback(SSL_VERIFY_PEER, move |_, x509| { CHECKED.store(1, Ordering::SeqCst); match x509.get_current_cert() { None => false, Some(cert) => { - let fingerprint = cert.fingerprint(SHA256).unwrap(); + let fingerprint = cert.fingerprint(SHA1).unwrap(); fingerprint == node_id } } @@ -502,8 +502,8 @@ run_test!(get_peer_certificate, |method, stream| { let stream = SslStream::connect_generic(&SslContext::new(method).unwrap(), stream).unwrap(); let cert = stream.ssl().peer_certificate().unwrap(); - let fingerprint = cert.fingerprint(SHA256).unwrap(); - let node_hash_str = "db400bb62f1b1f29c3b8f323b8f7d9dea724fdcd67104ef549c772ae3749655b"; + let fingerprint = cert.fingerprint(SHA1).unwrap(); + let node_hash_str = "E19427DAC79FBE758394945276A6E4F15F0BEBE6"; let node_id = node_hash_str.from_hex().unwrap(); assert_eq!(node_id, fingerprint) }); -- cgit v1.2.3 From 1b0757409d634f67b37d4c35af8fec878c2ecc27 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 16 May 2016 23:03:00 -0700 Subject: Rustfmt --- openssl/src/ssl/bio.rs | 31 +++++++++++++++++------------- openssl/src/ssl/mod.rs | 45 +++++++++++++++++++++++++++++--------------- openssl/src/ssl/tests/mod.rs | 26 ++++++++++++------------- 3 files changed, 60 insertions(+), 42 deletions(-) (limited to 'openssl/src/ssl') diff --git a/openssl/src/ssl/bio.rs b/openssl/src/ssl/bio.rs index e53545d7..b6f20cf2 100644 --- a/openssl/src/ssl/bio.rs +++ b/openssl/src/ssl/bio.rs @@ -23,16 +23,16 @@ pub struct BioMethod(ffi::BIO_METHOD); impl BioMethod { pub fn new() -> BioMethod { BioMethod(ffi::BIO_METHOD { - type_: BIO_TYPE_NONE, - name: b"rust\0".as_ptr() as *const _, - bwrite: Some(bwrite::), - bread: Some(bread::), - bputs: Some(bputs::), - bgets: None, - ctrl: Some(ctrl::), - create: Some(create), - destroy: Some(destroy::), - callback_ctrl: None, + type_: BIO_TYPE_NONE, + name: b"rust\0".as_ptr() as *const _, + bwrite: Some(bwrite::), + bread: Some(bread::), + bputs: Some(bputs::), + bgets: None, + ctrl: Some(ctrl::), + create: Some(create), + destroy: Some(destroy::), + callback_ctrl: None, }) } } @@ -82,12 +82,16 @@ unsafe fn state<'a, S: 'a>(bio: *mut BIO) -> &'a mut StreamState { } #[cfg(feature = "nightly")] -fn catch_unwind(f: F) -> Result> where F: FnOnce() -> T { +fn catch_unwind(f: F) -> Result> + where F: FnOnce() -> T +{ ::std::panic::catch_unwind(::std::panic::AssertUnwindSafe(f)) } #[cfg(not(feature = "nightly"))] -fn catch_unwind(f: F) -> Result> where F: FnOnce() -> T { +fn catch_unwind(f: F) -> Result> + where F: FnOnce() -> T +{ Ok(f()) } @@ -137,7 +141,8 @@ unsafe extern "C" fn bread(bio: *mut BIO, buf: *mut c_char, len: c_int) fn retriable_error(err: &io::Error) -> bool { match err.kind() { - io::ErrorKind::WouldBlock | io::ErrorKind::NotConnected => true, + io::ErrorKind::WouldBlock | + io::ErrorKind::NotConnected => true, _ => false, } } diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index aa785142..f207416f 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -850,7 +850,7 @@ pub struct SslCipher<'a> { ph: PhantomData<&'a ()>, } -impl <'a> SslCipher<'a> { +impl<'a> SslCipher<'a> { /// Returns the name of cipher. pub fn name(&self) -> &'static str { let name = unsafe { @@ -874,12 +874,18 @@ impl <'a> SslCipher<'a> { /// Returns the number of bits used for the cipher. pub fn bits(&self) -> CipherBits { unsafe { - let algo_bits : *mut c_int = ptr::null_mut(); + let algo_bits: *mut c_int = ptr::null_mut(); let secret_bits = ffi::SSL_CIPHER_get_bits(self.cipher, algo_bits); if !algo_bits.is_null() { - CipherBits { secret: secret_bits, algorithm: Some(*algo_bits) } + CipherBits { + secret: secret_bits, + algorithm: Some(*algo_bits), + } } else { - CipherBits { secret: secret_bits, algorithm: None } + CipherBits { + secret: secret_bits, + algorithm: None, + } } } } @@ -987,7 +993,9 @@ impl Ssl { { unsafe { let verify = Box::new(verify); - ffi::SSL_set_ex_data(self.ssl, get_ssl_verify_data_idx::(), mem::transmute(verify)); + ffi::SSL_set_ex_data(self.ssl, + get_ssl_verify_data_idx::(), + mem::transmute(verify)); ffi::SSL_set_verify(self.ssl, mode.bits as c_int, Some(ssl_raw_verify::)); } } @@ -999,7 +1007,10 @@ impl Ssl { if ptr.is_null() { None } else { - Some(SslCipher{ cipher: ptr, ph: PhantomData }) + Some(SslCipher { + cipher: ptr, + ph: PhantomData, + }) } } } @@ -1052,8 +1063,8 @@ impl Ssl { /// Returns the name of the protocol used for the connection, e.g. "TLSv1.2", "SSLv3", etc. pub fn version(&self) -> &'static str { let version = unsafe { - let ptr = ffi::SSL_get_version(self.ssl); - CStr::from_ptr(ptr as *const _) + let ptr = ffi::SSL_get_version(self.ssl); + CStr::from_ptr(ptr as *const _) }; str::from_utf8(version.to_bytes()).unwrap() @@ -1224,7 +1235,8 @@ impl Clone for SslStream { } } -impl fmt::Debug for SslStream where S: fmt::Debug +impl fmt::Debug for SslStream + where S: fmt::Debug { fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result { fmt.debug_struct("SslStream") @@ -1385,7 +1397,8 @@ impl SslStream { } } LibSslError::ErrorZeroReturn => Some(SslError::SslSessionClosed), - LibSslError::ErrorWantWrite | LibSslError::ErrorWantRead => None, + LibSslError::ErrorWantWrite | + LibSslError::ErrorWantRead => None, err => { Some(SslError::StreamError(io::Error::new(io::ErrorKind::Other, format!("unexpected error {:?}", err)))) @@ -1401,8 +1414,7 @@ impl SslStream { } #[cfg(not(feature = "nightly"))] - fn check_panic(&mut self) { - } + fn check_panic(&mut self) {} fn get_bio_error(&mut self) -> io::Error { let error = unsafe { bio::take_error::(self.ssl.get_raw_rbio()) }; @@ -1513,7 +1525,8 @@ pub enum MaybeSslStream Normal(S), } -impl Read for MaybeSslStream where S: Read + Write +impl Read for MaybeSslStream + where S: Read + Write { fn read(&mut self, buf: &mut [u8]) -> io::Result { match *self { @@ -1523,7 +1536,8 @@ impl Read for MaybeSslStream where S: Read + Write } } -impl Write for MaybeSslStream where S: Read + Write +impl Write for MaybeSslStream + where S: Read + Write { fn write(&mut self, buf: &[u8]) -> io::Result { match *self { @@ -1540,7 +1554,8 @@ impl Write for MaybeSslStream where S: Read + Write } } -impl MaybeSslStream where S: Read + Write +impl MaybeSslStream + where S: Read + Write { /// Returns a reference to the underlying stream. pub fn get_ref(&self) -> &S { diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index ccdc44e4..5339f27e 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -236,7 +236,7 @@ run_test!(verify_untrusted, |method, stream| { match SslStream::connect_generic(&ctx, stream) { Ok(_) => panic!("expected failure"), - Err(err) => println!("error {:?}", err) + Err(err) => println!("error {:?}", err), } }); @@ -246,11 +246,11 @@ run_test!(verify_trusted, |method, stream| { match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} - Err(err) => panic!("Unexpected error {:?}", err) + Err(err) => panic!("Unexpected error {:?}", err), } match SslStream::connect_generic(&ctx, stream) { Ok(_) => (), - Err(err) => panic!("Expected success, got {:?}", err) + Err(err) => panic!("Expected success, got {:?}", err), } }); @@ -264,7 +264,7 @@ run_test!(verify_untrusted_callback_override_ok, |method, stream| { match SslStream::connect_generic(&ctx, stream) { Ok(_) => (), - Err(err) => panic!("Expected success, got {:?}", err) + Err(err) => panic!("Expected success, got {:?}", err), } }); @@ -289,11 +289,11 @@ run_test!(verify_trusted_callback_override_ok, |method, stream| { match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} - Err(err) => panic!("Unexpected error {:?}", err) + Err(err) => panic!("Unexpected error {:?}", err), } match SslStream::connect_generic(&ctx, stream) { Ok(_) => (), - Err(err) => panic!("Expected success, got {:?}", err) + Err(err) => panic!("Expected success, got {:?}", err), } }); @@ -307,7 +307,7 @@ run_test!(verify_trusted_callback_override_bad, |method, stream| { match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} - Err(err) => panic!("Unexpected error {:?}", err) + Err(err) => panic!("Unexpected error {:?}", err), } assert!(SslStream::connect_generic(&ctx, stream).is_err()); }); @@ -335,7 +335,7 @@ run_test!(verify_trusted_get_error_ok, |method, stream| { match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} - Err(err) => panic!("Unexpected error {:?}", err) + Err(err) => panic!("Unexpected error {:?}", err), } assert!(SslStream::connect_generic(&ctx, stream).is_ok()); }); @@ -353,8 +353,7 @@ run_test!(verify_trusted_get_error_err, |method, stream| { }); run_test!(verify_callback_data, |method, stream| { - fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext, - node_id: &Vec) -> bool { + fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext, node_id: &Vec) -> bool { let cert = x509_ctx.get_current_cert(); match cert { None => false, @@ -377,7 +376,7 @@ run_test!(verify_callback_data, |method, stream| { match SslStream::connect_generic(&ctx, stream) { Ok(_) => (), - Err(err) => panic!("Expected success, got {:?}", err) + Err(err) => panic!("Expected success, got {:?}", err), } }); @@ -405,7 +404,7 @@ run_test!(ssl_verify_callback, |method, stream| { match SslStream::connect_generic(ssl, stream) { Ok(_) => (), - Err(err) => panic!("Expected success, got {:?}", err) + Err(err) => panic!("Expected success, got {:?}", err), } assert_eq!(CHECKED.load(Ordering::SeqCst), 1); @@ -499,8 +498,7 @@ fn test_write_direct() { } run_test!(get_peer_certificate, |method, stream| { - let stream = SslStream::connect_generic(&SslContext::new(method).unwrap(), - stream).unwrap(); + let stream = SslStream::connect_generic(&SslContext::new(method).unwrap(), stream).unwrap(); let cert = stream.ssl().peer_certificate().unwrap(); let fingerprint = cert.fingerprint(SHA1).unwrap(); let node_hash_str = "E19427DAC79FBE758394945276A6E4F15F0BEBE6"; -- cgit v1.2.3 From 121169c1f57bf0b1130b400d9ed6431855fb2e73 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 1 Jul 2016 18:31:47 -0400 Subject: Set auto retry SSL_read returns a WANT_READ after a renegotiation by default which ends up bubbling up as a weird BUG error. Tell OpenSSL to just do the read again. --- openssl/src/ssl/mod.rs | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'openssl/src/ssl') diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index f207416f..d0954bc7 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -566,6 +566,9 @@ impl SslContext { let ctx = SslContext { ctx: ctx }; + // this is a bit dubious (?) + try!(ctx.set_mode(ffi::SSL_MODE_AUTO_RETRY)); + if method.is_dtls() { ctx.set_read_ahead(1); } @@ -648,8 +651,12 @@ impl SslContext { } } + fn set_mode(&self, mode: c_long) -> Result<(), SslError> { + wrap_ssl_result(unsafe { ffi_extras::SSL_CTX_set_mode(self.ctx, mode) as c_int }) + } + pub fn set_tmp_dh(&self, dh: DH) -> Result<(), SslError> { - wrap_ssl_result(unsafe { ffi_extras::SSL_CTX_set_tmp_dh(self.ctx, dh.raw()) as i32 }) + wrap_ssl_result(unsafe { ffi_extras::SSL_CTX_set_tmp_dh(self.ctx, dh.raw()) as c_int }) } /// Use the default locations of trusted certificates for verification. -- cgit v1.2.3 From 722a2bd673bac57faf450d5548a057481fa98cf0 Mon Sep 17 00:00:00 2001 From: Shaun Taheri Date: Fri, 22 Jul 2016 18:16:55 +0200 Subject: Set SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag --- openssl/src/ssl/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'openssl/src/ssl') diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index d0954bc7..0252b114 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -567,7 +567,7 @@ impl SslContext { let ctx = SslContext { ctx: ctx }; // this is a bit dubious (?) - try!(ctx.set_mode(ffi::SSL_MODE_AUTO_RETRY)); + try!(ctx.set_mode(ffi::SSL_MODE_AUTO_RETRY | ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)); if method.is_dtls() { ctx.set_read_ahead(1); -- cgit v1.2.3