From af51b263b17faaa3e7cb0ecc5c305b858faea64c Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 14 Oct 2016 17:39:31 -0700 Subject: Support hostname verification Closes #206 --- openssl/src/x509/verify.rs | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 openssl/src/x509/verify.rs (limited to 'openssl/src/x509/verify.rs') diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs new file mode 100644 index 00000000..683836e8 --- /dev/null +++ b/openssl/src/x509/verify.rs @@ -0,0 +1,41 @@ +use std::marker::PhantomData; +use libc::c_uint; +use ffi; + +use error::ErrorStack; + +bitflags! { + pub flags X509CheckFlags: c_uint { + const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, + const X509_CHECK_FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS, + const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, + const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, + const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS + = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS, + const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, + } +} + +pub struct X509VerifyParamRef<'a>(*mut ffi::X509_VERIFY_PARAM, PhantomData<&'a mut ()>); + +impl<'a> X509VerifyParamRef<'a> { + pub unsafe fn from_ptr(ptr: *mut ffi::X509_VERIFY_PARAM) -> X509VerifyParamRef<'a> { + X509VerifyParamRef(ptr, PhantomData) + } + + pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) { + unsafe { + ffi::X509_VERIFY_PARAM_set_hostflags(self.0, hostflags.bits); + } + } + + pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { + unsafe { + try_ssl!(ffi::X509_VERIFY_PARAM_set1_host(self.0, + host.as_ptr() as *const _, + host.len())) + } + + Ok(()) + } +} -- cgit v1.2.3 From d976b8f59558f57561bd37b037955b47a328902f Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 14 Oct 2016 18:04:31 -0700 Subject: Enable hostname verification on 1.0.2 --- openssl/src/x509/verify.rs | 1 + 1 file changed, 1 insertion(+) (limited to 'openssl/src/x509/verify.rs') diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index 683836e8..0fc1df3a 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -12,6 +12,7 @@ bitflags! { const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS, + #[cfg(feature = "openssl-110")] const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, } } -- cgit v1.2.3 From 7ec015325b0d900ddaf375b62f5a52d4231dc9a2 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 16 Oct 2016 21:07:17 -0700 Subject: Finish error overhaul --- openssl/src/x509/verify.rs | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'openssl/src/x509/verify.rs') diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index 0fc1df3a..87287875 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -32,11 +32,10 @@ impl<'a> X509VerifyParamRef<'a> { pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { unsafe { - try_ssl!(ffi::X509_VERIFY_PARAM_set1_host(self.0, - host.as_ptr() as *const _, - host.len())) + cvt(ffi::X509_VERIFY_PARAM_set1_host(self.0, + host.as_ptr() as *const _, + host.len())) + .map(|_| ()) } - - Ok(()) } } -- cgit v1.2.3 From a938a001a7f64a9934b88e24f9c4115b1d0bebf6 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 16 Oct 2016 23:26:38 -0700 Subject: Fix missing import --- openssl/src/x509/verify.rs | 1 + 1 file changed, 1 insertion(+) (limited to 'openssl/src/x509/verify.rs') diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index 87287875..5cce9bd7 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -2,6 +2,7 @@ use std::marker::PhantomData; use libc::c_uint; use ffi; +use cvt; use error::ErrorStack; bitflags! { -- cgit v1.2.3 From 194298a057bad2b79e45ef346a0e6f37f8bc0716 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 17 Oct 2016 21:21:09 -0700 Subject: Implement new feature setup The basic idea here is that there is a feature for each supported OpenSSL version. Enabling multiple features represents support for multiple OpenSSL versions, but it's then up to you to check which version you link against (probably by depending on openssl-sys and making a build script similar to what openssl does). --- openssl/src/x509/verify.rs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'openssl/src/x509/verify.rs') diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index 5cce9bd7..be8d3d7e 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -1,3 +1,7 @@ +//! X509 certificate verification +//! +//! Requires the `v102` or `v110` features and OpenSSL 1.0.2 or 1.1.0. + use std::marker::PhantomData; use libc::c_uint; use ffi; @@ -13,7 +17,8 @@ bitflags! { const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS, - #[cfg(feature = "openssl-110")] + /// Requires the `v110` feature and OpenSSL 1.1.0. + #[cfg(all(feature = "v110", ossl110))] const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, } } -- cgit v1.2.3 From 02b4385c5d18534d7b02a3ebc3323b662251c36e Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 21 Oct 2016 19:58:06 -0700 Subject: Convert X509VerifyParamRef --- openssl/src/x509/verify.rs | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'openssl/src/x509/verify.rs') diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index be8d3d7e..11c65dca 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -8,6 +8,7 @@ use ffi; use cvt; use error::ErrorStack; +use opaque::Opaque; bitflags! { pub flags X509CheckFlags: c_uint { @@ -23,22 +24,26 @@ bitflags! { } } -pub struct X509VerifyParamRef<'a>(*mut ffi::X509_VERIFY_PARAM, PhantomData<&'a mut ()>); +pub struct X509VerifyParamRef(Opaque); -impl<'a> X509VerifyParamRef<'a> { - pub unsafe fn from_ptr(ptr: *mut ffi::X509_VERIFY_PARAM) -> X509VerifyParamRef<'a> { - X509VerifyParamRef(ptr, PhantomData) +impl X509VerifyParamRef { + pub unsafe fn from_ptr_mut<'a>(ptr: *mut ffi::X509_VERIFY_PARAM) -> &'a mut X509VerifyParamRef { + &mut *(ptr as *mut _) + } + + pub fn as_ptr(&self) -> *mut ffi::X509_VERIFY_PARAM { + self as *const _ as *mut _ } pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) { unsafe { - ffi::X509_VERIFY_PARAM_set_hostflags(self.0, hostflags.bits); + ffi::X509_VERIFY_PARAM_set_hostflags(self.as_ptr(), hostflags.bits); } } pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { unsafe { - cvt(ffi::X509_VERIFY_PARAM_set1_host(self.0, + cvt(ffi::X509_VERIFY_PARAM_set1_host(self.as_ptr(), host.as_ptr() as *const _, host.len())) .map(|_| ()) -- cgit v1.2.3 From 6f1a3f2834b45a546edd0a3e736b498599c996bb Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 21 Oct 2016 20:26:53 -0700 Subject: Update BigNumRef --- openssl/src/x509/verify.rs | 1 - 1 file changed, 1 deletion(-) (limited to 'openssl/src/x509/verify.rs') diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index 11c65dca..77095edc 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -2,7 +2,6 @@ //! //! Requires the `v102` or `v110` features and OpenSSL 1.0.2 or 1.1.0. -use std::marker::PhantomData; use libc::c_uint; use ffi; -- cgit v1.2.3 From 1a288da86ce1ca94b5a0b3eac8750e5ffd03e8e7 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Fri, 28 Oct 2016 22:14:44 -0700 Subject: Make verification unconditionally exposed internally --- openssl/src/x509/verify.rs | 51 ---------------------------------------------- 1 file changed, 51 deletions(-) delete mode 100644 openssl/src/x509/verify.rs (limited to 'openssl/src/x509/verify.rs') diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs deleted file mode 100644 index 77095edc..00000000 --- a/openssl/src/x509/verify.rs +++ /dev/null @@ -1,51 +0,0 @@ -//! X509 certificate verification -//! -//! Requires the `v102` or `v110` features and OpenSSL 1.0.2 or 1.1.0. - -use libc::c_uint; -use ffi; - -use cvt; -use error::ErrorStack; -use opaque::Opaque; - -bitflags! { - pub flags X509CheckFlags: c_uint { - const X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, - const X509_CHECK_FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS, - const X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, - const X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, - const X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS - = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS, - /// Requires the `v110` feature and OpenSSL 1.1.0. - #[cfg(all(feature = "v110", ossl110))] - const X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, - } -} - -pub struct X509VerifyParamRef(Opaque); - -impl X509VerifyParamRef { - pub unsafe fn from_ptr_mut<'a>(ptr: *mut ffi::X509_VERIFY_PARAM) -> &'a mut X509VerifyParamRef { - &mut *(ptr as *mut _) - } - - pub fn as_ptr(&self) -> *mut ffi::X509_VERIFY_PARAM { - self as *const _ as *mut _ - } - - pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) { - unsafe { - ffi::X509_VERIFY_PARAM_set_hostflags(self.as_ptr(), hostflags.bits); - } - } - - pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> { - unsafe { - cvt(ffi::X509_VERIFY_PARAM_set1_host(self.as_ptr(), - host.as_ptr() as *const _, - host.len())) - .map(|_| ()) - } - } -} -- cgit v1.2.3 From 85169e5a61645a411e67b4753b7455a0514271b2 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 29 Oct 2016 15:02:07 -0700 Subject: Fix reexport --- openssl/src/x509/verify.rs | 1 + 1 file changed, 1 insertion(+) create mode 100644 openssl/src/x509/verify.rs (limited to 'openssl/src/x509/verify.rs') diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs new file mode 100644 index 00000000..aa264ba9 --- /dev/null +++ b/openssl/src/x509/verify.rs @@ -0,0 +1 @@ +pub use ::verify::*; -- cgit v1.2.3 From c2b38d8bb3f141e531a3e636b8a86a073d78f316 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sat, 29 Oct 2016 15:02:36 -0700 Subject: Move docs --- openssl/src/x509/verify.rs | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'openssl/src/x509/verify.rs') diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs index aa264ba9..8cb123e6 100644 --- a/openssl/src/x509/verify.rs +++ b/openssl/src/x509/verify.rs @@ -1 +1,5 @@ +//! X509 certificate verification +//! +//! Requires the `v102` or `v110` features and OpenSSL 1.0.2 or 1.1.0. + pub use ::verify::*; -- cgit v1.2.3