Merge branch 'feat-ip-address' into main
af65d961ee
|
@ -20,8 +20,13 @@ If you'd like to help out, please see [CONTRIBUTING.md](CONTRIBUTING.md).
|
|||
|
||||
## Release history
|
||||
|
||||
* Next release
|
||||
* Future release
|
||||
- Planned: removal of unused signature verification schemes at link-time.
|
||||
- Planned: removal of unused protocol versions at link-time.
|
||||
* Next release: 0.21.0 (2023-xx-xx)
|
||||
- Support for connecting to peers named with IP addresses. This means
|
||||
rustls now depends on a fork of webpki - `rustls-webpki` - with a suitably
|
||||
extended API.
|
||||
* 0.20.8 (2023-01-12)
|
||||
- Yield an error from `ConnectionCommon::read_tls()` if buffers are full.
|
||||
Both a full deframer buffer and a full incoming plaintext buffer will
|
||||
|
|
|
@ -75,4 +75,9 @@ mod online {
|
|||
fn apple() {
|
||||
check("www.apple.com")
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn cloudflare_1_1_1_1_dns() {
|
||||
check("1.1.1.1")
|
||||
}
|
||||
}
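Review bot: The new `cloudflare_1_1_1_1_dns` test exercises only the success path: it shows that a certificate carrying a matching iPAddress SAN is accepted, but nothing in this hunk checks that an IP-named connection is rejected when the presented certificate does not list that address, which is the property the feature actually has to enforce. Consider pairing it with a negative case that connects by IP to a host whose certificate carries only DNS subject names and asserts the verifier error instead of success. `check` and the enclosing `mod online` both start outside the hunk, so I cannot see what `check` asserts beyond the handshake completing; as a live-network test its outcome also depends on the peer's current certificate, so a comment such as `// Relies on 1.1.1.1's certificate carrying an iPAddress SAN for 1.1.1.1` would help whoever first sees it fail.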
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
[package]
|
||||
name = "rustls"
|
||||
version = "0.20.8"
|
||||
version = "0.21.0-alpha.1"
|
||||
edition = "2021"
|
||||
rust-version = "1.57"
|
||||
license = "Apache-2.0/ISC/MIT"
|
||||
|
@ -19,7 +19,7 @@ rustversion = { version = "1.0.6", optional = true }
|
|||
log = { version = "0.4.4", optional = true }
|
||||
ring = "0.16.20"
|
||||
sct = "0.7.0"
|
||||
webpki = { version = "0.22.0", features = ["alloc", "std"] }
|
||||
webpki = { package = "rustls-webpki", version = "0.100.0-alpha.2", features = ["alloc", "std"] }
|
||||
|
||||
[features]
|
||||
default = ["logging", "tls12"]
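Review bot: The replaced `webpki` line introduces a pre-release requirement, `version = "0.100.0-alpha.2"`, which Cargo resolves as a caret range: later `0.100.0-alpha.*` builds and the eventual `0.100.x` releases also satisfy it, so the `SubjectNameRef`/`IpAddrRef` API this commit now codes against can change underneath a plain `cargo update` with no edit to this file. Until `rustls-webpki` has a stable release, an exact requirement, `webpki = { package = "rustls-webpki", version = "=0.100.0-alpha.2", features = ["alloc", "std"] }`, keeps the resolved version under this crate's control and makes the upgrade a reviewed change. The `package =` rename is what keeps every `webpki::` path in the crate compiling unchanged; a short comment on that line, `# renamed: the crate on crates.io is rustls-webpki, used here under its old name`, would save the next reader a search.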
|
||||
|
|
|
@ -107,7 +107,7 @@ impl CertifiedKey {
|
|||
// that the certificate is valid for, if the certificate is
|
||||
// valid.
|
||||
if end_entity_cert
|
||||
.verify_is_valid_for_dns_name(name)
|
||||
.verify_is_valid_for_subject_name(webpki::SubjectNameRef::DnsName(name))
|
||||
.is_err()
|
||||
{
|
||||
return Err(Error::General(
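Review bot: The comment above the changed call, `// that the certificate is valid for, if the certificate is valid.`, still reads as if any subject name were cross-checked, while the new code wraps `name` in `webpki::SubjectNameRef::DnsName` and therefore only ever verifies DNS names at this point. The enclosing function starts and ends outside the hunk, so I cannot see whether an IP-address name can reach it; if it can, the mismatch check is silently skipped for that case and the function should take a `SubjectNameRef` rather than building one from a DNS name, and if it cannot, the comment should say so, e.g. `// Only DNS subject names are cross-checked here.`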
|
||||
|
|
|
@ -345,13 +345,6 @@ impl ServerCertVerifier for WebPkiVerifier {
|
|||
let (cert, chain, trustroots) = prepare(end_entity, intermediates, &self.roots)?;
|
||||
let webpki_now = webpki::Time::try_from(now).map_err(|_| Error::FailedToGetCurrentTime)?;
|
||||
|
||||
let dns_name = match server_name {
|
||||
ServerName::DnsName(dns_name) => dns_name,
|
||||
ServerName::IpAddress(_) => {
|
||||
return Err(Error::UnsupportedNameType);
|
||||
}
|
||||
};
|
||||
|
||||
let cert = cert
|
||||
.verify_is_valid_tls_server_cert(
|
||||
SUPPORTED_SIG_ALGS,
|
||||
|
@ -370,9 +363,22 @@ impl ServerCertVerifier for WebPkiVerifier {
|
|||
trace!("Unvalidated OCSP response: {:?}", ocsp_response.to_vec());
|
||||
}
|
||||
|
||||
cert.verify_is_valid_for_dns_name(dns_name.0.as_ref())
|
||||
.map_err(pki_error)
|
||||
.map(|_| ServerCertVerified::assertion())
|
||||
match server_name {
|
||||
ServerName::DnsName(dns_name) => {
|
||||
let name = webpki::SubjectNameRef::DnsName(dns_name.0.as_ref());
|
||||
cert.verify_is_valid_for_subject_name(name)
|
||||
.map_err(pki_error)
|
||||
.map(|_| ServerCertVerified::assertion())
|
||||
}
|
||||
ServerName::IpAddress(ip_addr) => {
|
||||
let ip_addr = webpki::IpAddr::from(*ip_addr);
|
||||
cert.verify_is_valid_for_subject_name(webpki::SubjectNameRef::IpAddress(
|
||||
webpki::IpAddrRef::from(&ip_addr),
|
||||
))
|
||||
.map_err(pki_error)
|
||||
.map(|_| ServerCertVerified::assertion())
|
||||
}
|
||||
}
|
||||
}
|
||||
}
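Review bot: Both arms of the new `match server_name` end in the same `.map_err(pki_error).map(|_| ServerCertVerified::assertion())` tail around one `verify_is_valid_for_subject_name` call, so the verification step now exists twice and any later change to the error mapping or the result type has to be made in both places. Building the `SubjectNameRef` inside the match and calling the verifier once keeps a single code path for both name types; the owned `webpki::IpAddr` has to be declared before the match so the `IpAddrRef` borrowed from it outlives the arm. The start of `verify_server_cert` (its signature and the `prepare`/OCSP handling) is outside this hunk and is unaffected.
```rust
        // … unchanged: OCSP trace …

        // Owned IP address, declared outside the match so the `IpAddrRef`
        // borrowed from it in the IP arm lives until the verify call below.
        let ip_addr;
        let name = match server_name {
            ServerName::DnsName(dns_name) => {
                webpki::SubjectNameRef::DnsName(dns_name.0.as_ref())
            }
            ServerName::IpAddress(ip) => {
                ip_addr = webpki::IpAddr::from(*ip);
                webpki::SubjectNameRef::IpAddress(webpki::IpAddrRef::from(&ip_addr))
            }
        };

        cert.verify_is_valid_for_subject_name(name)
            .map_err(pki_error)
            .map(|_| ServerCertVerified::assertion())
```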
|
||||
|
||||
|
|