Diffstat (limited to 'openssl')
-rw-r--r--openssl/src/ssl/mod.rs24
-rw-r--r--openssl/src/x509/store.rs79
-rw-r--r--openssl/src/x509/verify.rs71
3 files changed, 173 insertions, 1 deletions
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index e69b3ca5..639fa948 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -1342,6 +1342,30 @@ impl SslContextBuilder {
unsafe { X509StoreBuilderRef::from_ptr_mut(ffi::SSL_CTX_get_cert_store(self.as_ptr())) }
}
+ /// Returns a reference to the X509 verification configuration.
+ ///
+ /// Requires OpenSSL 1.0.2 or newer.
+ ///
+ /// This corresponds to [`SSL_CTX_get0_param`].
+ ///
+ /// [`SSL_CTX_get0_param`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_get0_param.html
+ #[cfg(any(ossl102, libressl261))]
+ pub fn verify_param(&self) -> &X509VerifyParamRef {
+ unsafe { X509VerifyParamRef::from_ptr(ffi::SSL_CTX_get0_param(self.as_ptr())) }
+ }
+
+ /// Returns a mutable reference to the X509 verification configuration.
+ ///
+ /// Requires OpenSSL 1.0.2 or newer.
+ ///
+ /// This corresponds to [`SSL_CTX_get0_param`].
+ ///
+ /// [`SSL_CTX_get0_param`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_get0_param.html
+ #[cfg(any(ossl102, libressl261))]
+ pub fn verify_param_mut(&mut self) -> &mut X509VerifyParamRef {
+ unsafe { X509VerifyParamRef::from_ptr_mut(ffi::SSL_CTX_get0_param(self.as_ptr())) }
+ }
+
/// Sets the callback dealing with OCSP stapling.
///
/// On the client side, this callback is responsible for validating the OCSP status response
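Review bot: The docstrings on `verify_param` and `verify_param_mut` say "Requires OpenSSL 1.0.2 or newer", but the `#[cfg(any(ossl102, libressl261))]` gate on the lines just below also enables them on LibreSSL; the prose should match the gate, e.g. `/// Requires OpenSSL 1.0.2 or LibreSSL 2.6.1 or newer.` in both places. It would also help callers to state that the returned parameters are owned by the context (OpenSSL's `get0` naming) and that changes through `verify_param_mut` affect every `Ssl` later created from this builder, since that is the reason the mutable accessor is the intended way to adjust verification flags. The enclosing `impl SslContextBuilder` starts before this hunk.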
diff --git a/openssl/src/x509/store.rs b/openssl/src/x509/store.rs
index 2ccc78d7..5ae62321 100644
--- a/openssl/src/x509/store.rs
+++ b/openssl/src/x509/store.rs
@@ -94,6 +94,85 @@ impl X509StoreBuilderRef {
pub fn set_default_paths(&mut self) -> Result<(), ErrorStack> {
unsafe { cvt(ffi::X509_STORE_set_default_paths(self.as_ptr())).map(|_| ()) }
}
+
+ /// Adds a lookup method to the store.
+ ///
+ /// This corresponds to [`X509_STORE_add_lookup`].
+ ///
+ /// [`X509_STORE_add_lookup`]: https://www.openssl.org/docs/man1.1.1/man3/X509_STORE_add_lookup.html
+ pub fn add_lookup<T>(
+ &mut self,
+ method: &'static X509LookupMethodRef<T>,
+ ) -> Result<&mut X509LookupRef<T>, ErrorStack> {
+ let lookup = unsafe { ffi::X509_STORE_add_lookup(self.as_ptr(), method.as_ptr()) };
+ cvt_p(lookup).map(|ptr| unsafe { X509LookupRef::from_ptr_mut(ptr) })
+ }
+}
+
+generic_foreign_type_and_impl_send_sync! {
+ type CType = ffi::X509_LOOKUP;
+ fn drop = ffi::X509_LOOKUP_free;
+
+ /// Information used by an `X509Store` to look up certificates and CRLs.
+ pub struct X509Lookup<T>;
+ /// Reference to an `X509Lookup`.
+ pub struct X509LookupRef<T>;
+}
+
+/// Marker type corresponding to the [`X509_LOOKUP_hash_dir`] lookup method.
+///
+/// [`X509_LOOKUP_hash_dir`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_LOOKUP_hash_dir.html
+pub struct HashDir;
+
+impl X509Lookup<HashDir> {
+ /// Lookup method that loads certificates and CRLs on demand and caches
+ /// them in memory once they are loaded. It also checks for newer CRLs upon
+ /// each lookup, so that newer CRLs are used as soon as they appear in the
+ /// directory.
+ ///
+ /// This corresponds to [`X509_LOOKUP_hash_dir`].
+ ///
+ /// [`X509_LOOKUP_hash_dir`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_LOOKUP_hash_dir.html
+ pub fn hash_dir() -> &'static X509LookupMethodRef<HashDir> {
+ unsafe { X509LookupMethodRef::from_ptr(ffi::X509_LOOKUP_hash_dir()) }
+ }
+}
+
+impl X509LookupRef<HashDir> {
+ /// Specifies a directory from which certificates and CRLs will be loaded
+ /// on-demand. Must be used with `X509Lookup::hash_dir`.
+ ///
+ /// This corresponds to [`X509_LOOKUP_add_dir`].
+ ///
+ /// [`X509_LOOKUP_add_dir`]: https://www.openssl.org/docs/man1.1.1/man3/X509_LOOKUP_add_dir.html
+ pub fn add_dir(
+ &mut self,
+ name: &str,
+ file_type: crate::ssl::SslFiletype,
+ ) -> Result<(), ErrorStack> {
+ let name = std::ffi::CString::new(name).unwrap();
+ unsafe {
+ cvt(ffi::X509_LOOKUP_add_dir(
+ self.as_ptr(),
+ name.as_ptr(),
+ file_type.as_raw(),
+ ))
+ .map(|_| ())
+ }
+ }
+}
+
+generic_foreign_type_and_impl_send_sync! {
+ type CType = ffi::X509_LOOKUP_METHOD;
+ fn drop = |_method| {
+ #[cfg(ossl110)]
+ ffi::X509_LOOKUP_meth_free(_method);
+ };
+
+ /// Method used to look up certificates and CRLs.
+ pub struct X509LookupMethod<T>;
+ /// Reference to an `X509LookupMethod`.
+ pub struct X509LookupMethodRef<T>;
}
foreign_type_and_impl_send_sync! {
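Review bot: `add_dir` panics on `std::ffi::CString::new(name).unwrap()` when the directory name contains an interior NUL byte, which is the only failure mode of that call; since the path is caller-supplied and the function already returns `Result<(), ErrorStack>`, a library entry point should not abort the process on it — other wrappers in this crate may use the same `unwrap()`, but a new API is a good place to stop doing so. If there is no suitable error variant, at least document it: `/// # Panics` / `/// Panics if `name` contains an interior NUL byte.`. Separately, the sentence "Must be used with `X509Lookup::hash_dir`" is already enforced by the `X509LookupRef<HashDir>` receiver, so it could be rephrased as a note that the type parameter guarantees this rather than as an instruction. The closing brace of the original `impl X509StoreBuilderRef` is at the top of this hunk; the `foreign_type_and_impl_send_sync!` invocation after it continues outside.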
diff --git a/openssl/src/x509/verify.rs b/openssl/src/x509/verify.rs
index 3fce03c1..e2d570c9 100644
--- a/openssl/src/x509/verify.rs
+++ b/openssl/src/x509/verify.rs
@@ -1,6 +1,6 @@
use ffi;
use foreign_types::ForeignTypeRef;
-use libc::c_uint;
+use libc::{c_uint, c_ulong};
use std::net::IpAddr;
use cvt;
@@ -23,6 +23,41 @@ bitflags! {
}
}
+bitflags! {
+ /// Flags used to verify an `X509` certificate chain.
+ pub struct X509VerifyFlags: c_ulong {
+ const CB_ISSUER_CHECK = ffi::X509_V_FLAG_CB_ISSUER_CHECK;
+ const USE_CHECK_TIME = ffi::X509_V_FLAG_USE_CHECK_TIME;
+ const CRL_CHECK = ffi::X509_V_FLAG_CRL_CHECK;
+ const CRL_CHECK_ALL = ffi::X509_V_FLAG_CRL_CHECK_ALL;
+ const IGNORE_CRITICAL = ffi::X509_V_FLAG_X509_STRICT;
+ const X509_STRICT = ffi::X509_V_FLAG_IGNORE_CRITICAL;
+ const ALLOW_PROXY_CERTS = ffi::X509_V_FLAG_ALLOW_PROXY_CERTS;
+ const POLICY_CHECK = ffi::X509_V_FLAG_POLICY_CHECK;
+ const EXPLICIT_POLICY = ffi::X509_V_FLAG_EXPLICIT_POLICY;
+ const INHIBIT_ANY = ffi::X509_V_FLAG_INHIBIT_ANY;
+ const INHIBIT_MAP = ffi::X509_V_FLAG_INHIBIT_MAP;
+ const NOTIFY_POLICY = ffi::X509_V_FLAG_NOTIFY_POLICY;
+ const EXTENDED_CRL_SUPPORT = ffi::X509_V_FLAG_EXTENDED_CRL_SUPPORT;
+ const USE_DELTAS = ffi::X509_V_FLAG_USE_DELTAS;
+ const CHECK_SS_SIGNATURE = ffi::X509_V_FLAG_CHECK_SS_SIGNATURE;
+ #[cfg(ossl102)]
+ const TRUSTED_FIRST = ffi::X509_V_FLAG_TRUSTED_FIRST;
+ #[cfg(ossl102)]
+ const SUITEB_128_LOS_ONLY = ffi::X509_V_FLAG_SUITEB_128_LOS_ONLY;
+ #[cfg(ossl102)]
+ const SUITEB_192_LOS = ffi::X509_V_FLAG_SUITEB_128_LOS;
+ #[cfg(ossl102)]
+ const SUITEB_128_LOS = ffi::X509_V_FLAG_SUITEB_192_LOS;
+ #[cfg(ossl102)]
+ const PARTIAL_CHAIN = ffi::X509_V_FLAG_PARTIAL_CHAIN;
+ #[cfg(ossl110)]
+ const NO_ALT_CHAINS = ffi::X509_V_FLAG_NO_ALT_CHAINS;
+ #[cfg(ossl110)]
+ const NO_CHECK_TIME = ffi::X509_V_FLAG_NO_CHECK_TIME;
+ }
+}
+
foreign_type_and_impl_send_sync! {
type CType = ffi::X509_VERIFY_PARAM;
fn drop = ffi::X509_VERIFY_PARAM_free;
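Review bot: The `IGNORE_CRITICAL` and `X509_STRICT` constants are cross-wired: the hunk defines `const IGNORE_CRITICAL = ffi::X509_V_FLAG_X509_STRICT;` and `const X509_STRICT = ffi::X509_V_FLAG_IGNORE_CRITICAL;`, so a caller who asks for strict verification actually tells OpenSSL to ignore unhandled critical extensions, which silently weakens certificate checking; they should read `const IGNORE_CRITICAL = ffi::X509_V_FLAG_IGNORE_CRITICAL;` and `const X509_STRICT = ffi::X509_V_FLAG_X509_STRICT;`. The same swap occurs for the Suite B pair: `SUITEB_192_LOS` is bound to `ffi::X509_V_FLAG_SUITEB_128_LOS` and `SUITEB_128_LOS` to `ffi::X509_V_FLAG_SUITEB_192_LOS`, so those two right-hand sides should be exchanged as well. A unit test asserting that each Rust constant equals the identically named `ffi` constant would have caught both and would guard against this recurring.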
@@ -45,6 +80,40 @@ impl X509VerifyParamRef {
}
}
+ /// Set verification flags.
+ ///
+ /// This corresponds to [`X509_VERIFY_PARAM_set_flags`].
+ ///
+ /// [`X509_VERIFY_PARAM_set_flags`]: https://www.openssl.org/docs/man1.0.2/crypto/X509_VERIFY_PARAM_set_flags.html
+ pub fn set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
+ unsafe { cvt(ffi::X509_VERIFY_PARAM_set_flags(self.as_ptr(), flags.bits)).map(|_| ()) }
+ }
+
+ /// Clear verification flags.
+ ///
+ /// This corresponds to [`X509_VERIFY_PARAM_clear_flags`].
+ ///
+ /// [`X509_VERIFY_PARAM_clear_flags`]: https://www.openssl.org/docs/man1.0.2/crypto/X509_VERIFY_PARAM_clear_flags.html
+ pub fn clear_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
+ unsafe {
+ cvt(ffi::X509_VERIFY_PARAM_clear_flags(
+ self.as_ptr(),
+ flags.bits,
+ ))
+ .map(|_| ())
+ }
+ }
+
+ /// Gets verification flags.
+ ///
+ /// This corresponds to [`X509_VERIFY_PARAM_get_flags`].
+ ///
+ /// [`X509_VERIFY_PARAM_get_flags`]: https://www.openssl.org/docs/man1.0.2/crypto/X509_VERIFY_PARAM_get_flags.html
+ pub fn get_flags(&mut self) -> X509VerifyFlags {
+ let bits = unsafe { ffi::X509_VERIFY_PARAM_get_flags(self.as_ptr()) };
+ X509VerifyFlags { bits }
+ }
+
/// Set the expected DNS hostname.
///
/// This corresponds to [`X509_VERIFY_PARAM_set1_host`].
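Review bot: `get_flags` takes `&mut self` although it only reads the flags through `X509_VERIFY_PARAM_get_flags`; this forces callers to hold a mutable borrow just to inspect the configuration and makes the read-only `verify_param(&self)` accessor on `SslContextBuilder` unable to call it. It should be `pub fn get_flags(&self) -> X509VerifyFlags {`. Constructing `X509VerifyFlags { bits }` from the raw value also preserves any bits this enum does not name, which is fine for round-tripping but worth a one-line comment so nobody "fixes" it to `from_bits` and starts dropping flags. The `impl X509VerifyParamRef` block starts before this hunk and the hunk may extend beyond the visible lines.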