Support IP addresses in server names (#302)

jsha · jsha · commit ed82a03f2481 · 2023-03-29T11:38:53.000-07:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/client.rs b/src/client.rs
@@ -1,3 +1,4 @@
+use std::borrow::Cow;
 use std::convert::{TryFrom, TryInto};
 use std::ffi::{CStr, OsStr};
 use std::fs::File;
@@ -176,12 +177,15 @@ impl rustls_client_config_builder {
 
 /// Input to a custom certificate verifier callback. See
 /// rustls_client_config_builder_dangerous_set_certificate_verifier().
+///
+/// server_name can contain a hostname, an IPv4 address in textual form, or an
+/// IPv6 address in textual form.
 #[allow(non_camel_case_types)]
 #[repr(C)]
 pub struct rustls_verify_server_cert_params<'a> {
     pub end_entity_cert_der: rustls_slice_bytes<'a>,
     pub intermediate_certs_der: &'a rustls_slice_slice_bytes<'a>,
-    pub dns_name: rustls_str<'a>,
+    pub server_name: rustls_str<'a>,
     pub ocsp_response: rustls_slice_bytes<'a>,
 }
 
@@ -233,11 +237,12 @@ impl rustls::client::ServerCertVerifier for Verifier {
         _now: SystemTime,
     ) -> Result<ServerCertVerified, rustls::Error> {
         let cb = self.callback;
-        let dns_name: &str = match server_name {
-            rustls::ServerName::DnsName(n) => n.as_ref(),
+        let server_name: Cow<'_, str> = match server_name {
+            rustls::ServerName::DnsName(n) => n.as_ref().into(),
+            rustls::ServerName::IpAddress(ip) => ip.to_string().into(),
             _ => return Err(rustls::Error::General("unknown name type".to_string())),
         };
-        let dns_name: rustls_str = match dns_name.try_into() {
+        let server_name: rustls_str = match server_name.as_ref().try_into() {
             Ok(r) => r,
             Err(NulByte {}) => return Err(rustls::Error::General("NUL byte in SNI".to_string())),
         };
@@ -251,7 +256,7 @@ impl rustls::client::ServerCertVerifier for Verifier {
         let params = rustls_verify_server_cert_params {
             end_entity_cert_der: end_entity.as_ref().into(),
             intermediate_certs_der: &intermediates,
-            dns_name,
+            server_name,
             ocsp_response: ocsp_response.into(),
         };
         let userdata = userdata_get().map_err(|_| {
@@ -282,18 +287,10 @@ impl rustls_client_config_builder {
     /// to make such mutation safe.
     ///
     /// The callback receives certificate chain information as raw bytes.
-    /// Currently this library offers no functions for C code to parse the
-    /// certificates, so you'll need to bring your own certificate parsing library
+    /// Currently this library offers no functions to parse the certificates,
+    /// so you'll need to bring your own certificate parsing library
     /// if you need to parse them.
     ///
-    /// If you intend to write a verifier that accepts all certificates, be aware
-    /// that special measures are required for IP addresses. Rustls currently
-    /// (0.20.0) doesn't support building a ClientConnection with an IP address
-    /// (because it's not a valid DnsNameRef). One workaround is to detect IP
-    /// addresses and rewrite them to `example.invalid`, and _also_ to disable
-    /// SNI via rustls_client_config_builder_set_enable_sni (IP addresses don't
-    /// need SNI).
-    ///
     /// If the custom verifier accepts the certificate, it should return
     /// RUSTLS_RESULT_OK. Otherwise, it may return any other rustls_result error.
     /// Feel free to use an appropriate error from the RUSTLS_RESULT_CERT_*
@@ -534,25 +531,29 @@ impl rustls_client_config {
     /// non-error, the memory pointed to by `conn_out` is modified to point at a
     /// valid rustls_connection. The caller now owns the rustls_connection and must
     /// call `rustls_connection_free` when done with it.
+    ///
+    /// The server_name parameter can contain a hostname or an IP address in
+    /// textual form (IPv4 or IPv6). This function will return an error if it
+    /// cannot be parsed as one of those types.
     #[no_mangle]
     pub extern "C" fn rustls_client_connection_new(
         config: *const rustls_client_config,
-        hostname: *const c_char,
+        server_name: *const c_char,
         conn_out: *mut *mut rustls_connection,
     ) -> rustls_result {
         ffi_panic_boundary! {
-        let hostname: &CStr = unsafe {
-            if hostname.is_null() {
+        let server_name: &CStr = unsafe {
+            if server_name.is_null() {
                 return NullParameter;
             }
-            CStr::from_ptr(hostname)
+            CStr::from_ptr(server_name)
         };
         let config: Arc<ClientConfig> = try_arc_from_ptr!(config);
-        let hostname: &str = match hostname.to_str() {
+        let server_name: &str = match server_name.to_str() {
             Ok(s) => s,
             Err(std::str::Utf8Error { .. }) => return rustls_result::InvalidDnsNameError,
         };
-        let server_name: rustls::ServerName = match hostname.try_into() {
+        let server_name: rustls::ServerName = match server_name.try_into() {
             Ok(sn) => sn,
             Err(_) => return rustls_result::InvalidDnsNameError,
         };
@@ -645,4 +646,21 @@ mod tests {
         );
         rustls_connection::rustls_connection_free(conn);
     }
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn test_client_connection_new_ipaddress() {
+        let builder: *mut rustls_client_config_builder =
+            rustls_client_config_builder::rustls_client_config_builder_new();
+        let config = rustls_client_config_builder::rustls_client_config_builder_build(builder);
+        let mut conn: *mut rustls_connection = null_mut();
+        let result = rustls_client_config::rustls_client_connection_new(
+            config,
+            "198.51.100.198\0".as_ptr() as *const c_char,
+            &mut conn,
+        );
+        if !matches!(result, rustls_result::Ok) {
+            panic!("expected RUSTLS_RESULT_OK, got {:?}", result);
+        }
+    }
 }
diff --git a/src/rustls.h b/src/rustls.h
@@ -327,11 +327,14 @@ typedef void *rustls_verify_server_cert_user_data;
 /**
  * Input to a custom certificate verifier callback. See
  * rustls_client_config_builder_dangerous_set_certificate_verifier().
+ *
+ * server_name can contain a hostname, an IPv4 address in textual form, or an
+ * IPv6 address in textual form.
  */
 typedef struct rustls_verify_server_cert_params {
   struct rustls_slice_bytes end_entity_cert_der;
   const struct rustls_slice_slice_bytes *intermediate_certs_der;
-  struct rustls_str dns_name;
+  struct rustls_str server_name;
   struct rustls_slice_bytes ocsp_response;
 } rustls_verify_server_cert_params;
 
@@ -403,11 +406,12 @@ typedef struct rustls_slice_u16 {
 
 /**
  * The TLS Client Hello information provided to a ClientHelloCallback function.
- * `sni_name` is the SNI servername provided by the client. If the client
- * did not provide an SNI, the length of this `rustls_string` will be 0. The
- * signature_schemes carries the values supplied by the client or, should
- * the client not use this TLS extension, the default schemes in the rustls
- * library. See: <https://docs.rs/rustls/0.20.0/rustls/internal/msgs/enums/enum.SignatureScheme.html>.
+ * `server_name` is the value of the ServerNameIndication extension provided
+ * by the client. If the client did not send an SNI, the length of this
+ * `rustls_string` will be 0. The signature_schemes field carries the values
+ * supplied by the client or, if the client did not send this TLS extension,
+ * the default schemes in the rustls library. See:
+ * <https://docs.rs/rustls/0.20.0/rustls/internal/msgs/enums/enum.SignatureScheme.html>.
  * `alpn` carries the list of ALPN protocol names that the client proposed to
  * the server. Again, the length of this list will be 0 if none were supplied.
  *
@@ -419,7 +423,7 @@ typedef struct rustls_slice_u16 {
  * the rustls library is re-evaluating their current approach to client hello handling.
  */
 typedef struct rustls_client_hello {
-  struct rustls_str sni_name;
+  struct rustls_str server_name;
   struct rustls_slice_u16 signature_schemes;
   const struct rustls_slice_slice_bytes *alpn;
 } rustls_client_hello;
@@ -987,18 +991,10 @@ rustls_result rustls_client_config_builder_new_custom(const struct rustls_suppor
  * to make such mutation safe.
  *
  * The callback receives certificate chain information as raw bytes.
- * Currently this library offers no functions for C code to parse the
- * certificates, so you'll need to bring your own certificate parsing library
+ * Currently this library offers no functions to parse the certificates,
+ * so you'll need to bring your own certificate parsing library
  * if you need to parse them.
  *
- * If you intend to write a verifier that accepts all certificates, be aware
- * that special measures are required for IP addresses. Rustls currently
- * (0.20.0) doesn't support building a ClientConnection with an IP address
- * (because it's not a valid DnsNameRef). One workaround is to detect IP
- * addresses and rewrite them to `example.invalid`, and _also_ to disable
- * SNI via rustls_client_config_builder_set_enable_sni (IP addresses don't
- * need SNI).
- *
  * If the custom verifier accepts the certificate, it should return
  * RUSTLS_RESULT_OK. Otherwise, it may return any other rustls_result error.
  * Feel free to use an appropriate error from the RUSTLS_RESULT_CERT_*
@@ -1101,9 +1097,13 @@ void rustls_client_config_free(const struct rustls_client_config *config);
  * non-error, the memory pointed to by `conn_out` is modified to point at a
  * valid rustls_connection. The caller now owns the rustls_connection and must
  * call `rustls_connection_free` when done with it.
+ *
+ * The server_name parameter can contain a hostname or an IP address in
+ * textual form (IPv4 or IPv6). This function will return an error if it
+ * cannot be parsed as one of those types.
  */
 rustls_result rustls_client_connection_new(const struct rustls_client_config *config,
-                                           const char *hostname,
+                                           const char *server_name,
                                            struct rustls_connection **conn_out);
 
 /**
@@ -1496,9 +1496,9 @@ rustls_result rustls_server_connection_new(const struct rustls_server_config *co
  * <https://docs.rs/rustls/0.21.0/rustls/server/struct.ServerConnection.html#method.server_name>
  */
 rustls_result rustls_server_connection_get_server_name(const struct rustls_connection *conn,
-                                                        uint8_t *buf,
-                                                        size_t count,
-                                                        size_t *out_n);
+                                                       uint8_t *buf,
+                                                       size_t count,
+                                                       size_t *out_n);
 
 /**
  * Register a callback to be invoked when a connection created from this config
diff --git a/src/server.rs b/src/server.rs
@@ -430,11 +430,12 @@ impl ResolvesServerCert for ResolvesServerCertFromChoices {
 }
 
 /// The TLS Client Hello information provided to a ClientHelloCallback function.
-/// `sni_name` is the SNI servername provided by the client. If the client
-/// did not provide an SNI, the length of this `rustls_string` will be 0. The
-/// signature_schemes carries the values supplied by the client or, should
-/// the client not use this TLS extension, the default schemes in the rustls
-/// library. See: <https://docs.rs/rustls/0.20.0/rustls/internal/msgs/enums/enum.SignatureScheme.html>.
+/// `server_name` is the value of the ServerNameIndication extension provided
+/// by the client. If the client did not send an SNI, the length of this
+/// `rustls_string` will be 0. The signature_schemes field carries the values
+/// supplied by the client or, if the client did not send this TLS extension,
+/// the default schemes in the rustls library. See:
+/// <https://docs.rs/rustls/0.20.0/rustls/internal/msgs/enums/enum.SignatureScheme.html>.
 /// `alpn` carries the list of ALPN protocol names that the client proposed to
 /// the server. Again, the length of this list will be 0 if none were supplied.
 ///
@@ -446,7 +447,7 @@ impl ResolvesServerCert for ResolvesServerCertFromChoices {
 /// the rustls library is re-evaluating their current approach to client hello handling.
 #[repr(C)]
 pub struct rustls_client_hello<'a> {
-    sni_name: rustls_str<'a>,
+    server_name: rustls_str<'a>,
     signature_schemes: rustls_slice_u16<'a>,
     alpn: *const rustls_slice_slice_bytes<'a>,
 }
@@ -502,13 +503,13 @@ impl ClientHelloResolver {
 
 impl ResolvesServerCert for ClientHelloResolver {
     fn resolve(&self, client_hello: ClientHello) -> Option<Arc<CertifiedKey>> {
-        let sni_name: &str = {
+        let server_name: &str = {
             match client_hello.server_name() {
                 Some(c) => c,
                 None => "",
             }
         };
-        let sni_name: rustls_str = match sni_name.try_into() {
+        let server_name: rustls_str = match server_name.try_into() {
             Ok(r) => r,
             Err(_) => return None,
         };
@@ -526,7 +527,7 @@ impl ResolvesServerCert for ClientHelloResolver {
         let alpn = rustls_slice_slice_bytes { inner: &alpn };
         let signature_schemes: rustls_slice_u16 = (&*mapped_sigs).into();
         let hello = rustls_client_hello {
-            sni_name,
+            server_name,
             signature_schemes,
             alpn: &alpn,
         };
