Merge branch 'feat-ip-address' into main

2023-01-13 15:51:31 +00:00 · 2023-01-13 15:51:31 +00:00 · af65d961ee
parent bdd1392a50 38e26f5755
commit af65d961ee
5 changed files with 30 additions and 14 deletions
--- a/README.md
+++ b/README.md
@ -20,8 +20,13 @@ If you'd like to help out, please see [CONTRIBUTING.md](CONTRIBUTING.md).

 ## Release history

-* Next release
+* Future release
  - Planned: removal of unused signature verification schemes at link-time.
+  - Planned: removal of unused protocol versions at link-time.
+* Next release: 0.21.0 (2023-xx-xx)
+  - Support for connecting to peers named with IP addresses.  This means
+    rustls now depends on a fork of webpki - `rustls-webpki` - with a suitably
+    extended API.
 * 0.20.8 (2023-01-12)
  - Yield an error from `ConnectionCommon::read_tls()` if buffers are full.
    Both a full deframer buffer and a full incoming plaintext buffer will
--- a/examples/tests/topsites.rs
+++ b/examples/tests/topsites.rs
@ -75,4 +75,9 @@ mod online {
    fn apple() {
        check("www.apple.com")
    }
+
+    #[test]
+    fn cloudflare_1_1_1_1_dns() {
+        check("1.1.1.1")
+    }
 }
--- a/rustls/Cargo.toml
+++ b/rustls/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "rustls"
-version = "0.20.8"
+version = "0.21.0-alpha.1"
 edition = "2021"
 rust-version = "1.57"
 license = "Apache-2.0/ISC/MIT"
@ -19,7 +19,7 @@ rustversion = { version = "1.0.6", optional = true }
 log = { version = "0.4.4", optional = true }
 ring = "0.16.20"
 sct = "0.7.0"
-webpki = { version = "0.22.0", features = ["alloc", "std"] }
+webpki = { package = "rustls-webpki", version = "0.100.0-alpha.2", features = ["alloc", "std"] }

 [features]
 default = ["logging", "tls12"]
--- a/rustls/src/sign.rs
+++ b/rustls/src/sign.rs
@ -107,7 +107,7 @@ impl CertifiedKey {
            // that the certificate is valid for, if the certificate is
            // valid.
            if end_entity_cert
-                .verify_is_valid_for_dns_name(name)
+                .verify_is_valid_for_subject_name(webpki::SubjectNameRef::DnsName(name))
                .is_err()
            {
                return Err(Error::General(
--- a/rustls/src/verify.rs
+++ b/rustls/src/verify.rs
@ -345,13 +345,6 @@ impl ServerCertVerifier for WebPkiVerifier {
        let (cert, chain, trustroots) = prepare(end_entity, intermediates, &self.roots)?;
        let webpki_now = webpki::Time::try_from(now).map_err(|_| Error::FailedToGetCurrentTime)?;

-        let dns_name = match server_name {
-            ServerName::DnsName(dns_name) => dns_name,
-            ServerName::IpAddress(_) => {
-                return Err(Error::UnsupportedNameType);
-            }
-        };
-
        let cert = cert
            .verify_is_valid_tls_server_cert(
                SUPPORTED_SIG_ALGS,
@ -370,9 +363,22 @@ impl ServerCertVerifier for WebPkiVerifier {
            trace!("Unvalidated OCSP response: {:?}", ocsp_response.to_vec());
        }

-        cert.verify_is_valid_for_dns_name(dns_name.0.as_ref())
-            .map_err(pki_error)
-            .map(|_| ServerCertVerified::assertion())
+        match server_name {
+            ServerName::DnsName(dns_name) => {
+                let name = webpki::SubjectNameRef::DnsName(dns_name.0.as_ref());
+                cert.verify_is_valid_for_subject_name(name)
+                    .map_err(pki_error)
+                    .map(|_| ServerCertVerified::assertion())
+            }
+            ServerName::IpAddress(ip_addr) => {
+                let ip_addr = webpki::IpAddr::from(*ip_addr);
+                cert.verify_is_valid_for_subject_name(webpki::SubjectNameRef::IpAddress(
+                    webpki::IpAddrRef::from(&ip_addr),
+                ))
+                .map_err(pki_error)
+                .map(|_| ServerCertVerified::assertion())
+            }
+        }
    }
 }