From 214c3a60f04da5c5fe6f0722641a1272c795cde2 Mon Sep 17 00:00:00 2001 From: Jimmy Cuadra Date: Thu, 15 Oct 2015 08:54:46 -0700 Subject: [PATCH 01/29] Expose RSA_generate_key_ex. --- openssl-sys/src/lib.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index bc177959..e26bec0a 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -513,6 +513,7 @@ extern "C" { pub fn RAND_bytes(buf: *mut u8, num: c_int) -> c_int; pub fn RSA_generate_key(modsz: c_int, e: c_ulong, cb: *const c_void, cbarg: *const c_void) -> *mut RSA; + pub fn RSA_generate_key_ex(rsa: *mut RSA, bits: c_int, e: *mut BIGNUM, cb: *const c_void) -> c_int; pub fn RSA_private_decrypt(flen: c_int, from: *const u8, to: *mut u8, k: *mut RSA, pad: c_int) -> c_int; pub fn RSA_public_encrypt(flen: c_int, from: *const u8, to: *mut u8, k: *mut RSA, From c37767df8fc1775858cd573cbe4d5e3a17fbd370 Mon Sep 17 00:00:00 2001 From: Jamie Turner Date: Sat, 19 Sep 2015 20:50:06 -0700 Subject: [PATCH 02/29] Nonblocking streams support. --- openssl-sys/src/lib.rs | 2 + openssl-sys/src/openssl_shim.c | 4 + openssl/Cargo.toml | 1 + openssl/src/ssl/error.rs | 44 ++++++- openssl/src/ssl/mod.rs | 231 ++++++++++++++++++++++++++++++++- openssl/src/ssl/tests.rs | 132 +++++++++++++++++++ 6 files changed, 412 insertions(+), 2 deletions(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index e26bec0a..96da64f3 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -678,6 +678,8 @@ extern "C" { // These functions are defined in OpenSSL as macros, so we shim them #[link_name = "BIO_eof_shim"] pub fn BIO_eof(b: *mut BIO) -> c_int; + #[link_name = "BIO_set_nbio_shim"] + pub fn BIO_set_nbio(b: *mut BIO, enabled: c_long) -> c_long; #[link_name = "BIO_set_mem_eof_return_shim"] pub fn BIO_set_mem_eof_return(b: *mut BIO, v: c_int); pub fn SSL_CTX_set_options_shim(ctx: *mut SSL_CTX, options: c_long) -> c_long; diff --git a/openssl-sys/src/openssl_shim.c b/openssl-sys/src/openssl_shim.c index 8ebe23ac..84adb47b 100644 --- a/openssl-sys/src/openssl_shim.c +++ b/openssl-sys/src/openssl_shim.c @@ -83,6 +83,10 @@ int BIO_eof_shim(BIO *b) { return BIO_eof(b); } +long BIO_set_nbio_shim(BIO *b, long enabled) { + return BIO_set_nbio(b, enabled); +} + void BIO_set_mem_eof_return_shim(BIO *b, int v) { BIO_set_mem_eof_return(b, v); } diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 6607ef94..cd9f97c3 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -34,3 +34,4 @@ libc = "0.1" [dev-dependencies] rustc-serialize = "0.3" net2 = "0.2.13" +nix = "0.4" diff --git a/openssl/src/ssl/error.rs b/openssl/src/ssl/error.rs index 9ff6cae9..0126b277 100644 --- a/openssl/src/ssl/error.rs +++ b/openssl/src/ssl/error.rs @@ -17,7 +17,20 @@ pub enum SslError { /// The SSL session has been closed by the other end SslSessionClosed, /// An error in the OpenSSL library - OpenSslErrors(Vec) + OpenSslErrors(Vec), +} + +/// An error on a nonblocking stream. +#[derive(Debug)] +pub enum NonblockingSslError { + /// A standard SSL error occurred. + SslError(SslError), + /// The OpenSSL library wants data from the remote socket; + /// the caller should wait for read readiness. + WantRead, + /// The OpenSSL library wants to send data to the remote socket; + /// the caller should wait for write readiness. + WantWrite, } impl fmt::Display for SslError { @@ -59,6 +72,35 @@ impl error::Error for SslError { } } +impl fmt::Display for NonblockingSslError { + fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result { + fmt.write_str(error::Error::description(self)) + } +} + +impl error::Error for NonblockingSslError { + fn description(&self) -> &str { + match *self { + NonblockingSslError::SslError(ref e) => e.description(), + NonblockingSslError::WantRead => "The OpenSSL library wants data from the remote socket", + NonblockingSslError::WantWrite => "The OpenSSL library want to send data to the remote socket", + } + } + + fn cause(&self) -> Option<&error::Error> { + match *self { + NonblockingSslError::SslError(ref e) => e.cause(), + _ => None + } + } +} + +impl From for NonblockingSslError { + fn from(e: SslError) -> NonblockingSslError { + NonblockingSslError::SslError(e) + } +} + /// An error from the OpenSSL library #[derive(Debug, Clone, PartialEq, Eq)] pub enum OpensslError { diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index e76529a5..62080056 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -22,7 +22,7 @@ use std::slice; use bio::{MemBio}; use ffi; use dh::DH; -use ssl::error::{SslError, SslSessionClosed, StreamError, OpenSslErrors}; +use ssl::error::{NonblockingSslError, SslError, SslSessionClosed, StreamError, OpenSslErrors}; use x509::{X509StoreContext, X509FileType, X509}; use crypto::pkey::PKey; @@ -1465,3 +1465,232 @@ impl MaybeSslStream where S: Read+Write { } } } + +/// An SSL stream wrapping a nonblocking socket. +#[derive(Clone)] +pub struct NonblockingSslStream { + stream: S, + ssl: Arc, +} + +impl NonblockingSslStream { + pub fn try_clone(&self) -> io::Result> { + Ok(NonblockingSslStream { + stream: try!(self.stream.try_clone()), + ssl: self.ssl.clone(), + }) + } +} + +impl NonblockingSslStream { + fn new_base(ssl: Ssl, stream: S, sock: c_int) -> Result, SslError> { + unsafe { + let bio = try_ssl_null!(ffi::BIO_new_socket(sock, 0)); + ffi::BIO_set_nbio(bio, 1); + ffi::SSL_set_bio(ssl.ssl, bio, bio); + } + + Ok(NonblockingSslStream { + stream: stream, + ssl: Arc::new(ssl), + }) + } + + fn make_error(&self, ret: c_int) -> NonblockingSslError { + match self.ssl.get_error(ret) { + LibSslError::ErrorSsl => NonblockingSslError::SslError(SslError::get()), + LibSslError::ErrorSyscall => { + let err = SslError::get(); + let count = match err { + SslError::OpenSslErrors(ref v) => v.len(), + _ => unreachable!(), + }; + let ssl_error = if count == 0 { + if ret == 0 { + SslError::StreamError(io::Error::new(io::ErrorKind::ConnectionAborted, + "unexpected EOF observed")) + } else { + SslError::StreamError(io::Error::last_os_error()) + } + } else { + err + }; + ssl_error.into() + }, + LibSslError::ErrorWantWrite => NonblockingSslError::WantWrite, + LibSslError::ErrorWantRead => NonblockingSslError::WantRead, + err => panic!("unexpected error {:?} with ret {}", err, ret), + } + } + + /// Returns a reference to the underlying stream. + pub fn get_ref(&self) -> &S { + &self.stream + } + + /// Returns a mutable reference to the underlying stream. + /// + /// ## Warning + /// + /// It is inadvisable to read from or write to the underlying stream as it + /// will most likely corrupt the SSL session. + pub fn get_mut(&mut self) -> &mut S { + &mut self.stream + } + + /// Returns a reference to the Ssl. + pub fn ssl(&self) -> &Ssl { + &self.ssl + } +} + +#[cfg(unix)] +impl NonblockingSslStream { + /// Create a new nonblocking client ssl connection on wrapped `stream`. + /// + /// Note that this method will most likely not actually complete the SSL + /// handshake because doing so requires several round trips; the handshake will + /// be completed in subsequent read/write calls managed by your event loop. + pub fn connect(ssl: T, stream: S) -> Result, SslError> { + let ssl = try!(ssl.into_ssl()); + let fd = stream.as_raw_fd() as c_int; + let ssl = try!(NonblockingSslStream::new_base(ssl, stream, fd)); + let ret = ssl.ssl.connect(); + if ret > 0 { + Ok(ssl) + } else { + // WantRead/WantWrite is okay here; we'll finish the handshake in + // subsequent send/recv calls. + match ssl.make_error(ret) { + NonblockingSslError::WantRead | NonblockingSslError::WantWrite => Ok(ssl), + NonblockingSslError::SslError(other) => Err(other), + } + } + } + + /// Create a new nonblocking server ssl connection on wrapped `stream`. + /// + /// Note that this method will most likely not actually complete the SSL + /// handshake because doing so requires several round trips; the handshake will + /// be completed in subsequent read/write calls managed by your event loop. + pub fn accept(ssl: T, stream: S) -> Result, SslError> { + let ssl = try!(ssl.into_ssl()); + let fd = stream.as_raw_fd() as c_int; + let ssl = try!(NonblockingSslStream::new_base(ssl, stream, fd)); + let ret = ssl.ssl.accept(); + if ret > 0 { + Ok(ssl) + } else { + // WantRead/WantWrite is okay here; we'll finish the handshake in + // subsequent send/recv calls. + match ssl.make_error(ret) { + NonblockingSslError::WantRead | NonblockingSslError::WantWrite => Ok(ssl), + NonblockingSslError::SslError(other) => Err(other), + } + } + } +} + +#[cfg(unix)] +impl ::std::os::unix::io::AsRawFd for NonblockingSslStream { + fn as_raw_fd(&self) -> ::std::os::unix::io::RawFd { + self.stream.as_raw_fd() + } +} + +#[cfg(windows)] +impl NonblockingSslStream { + /// Create a new nonblocking client ssl connection on wrapped `stream`. + /// + /// Note that this method will most likely not actually complete the SSL + /// handshake because doing so requires several round trips; the handshake will + /// be completed in subsequent read/write calls managed by your event loop. + pub fn connect(ssl: T, stream: S) -> Result, SslError> { + let ssl = try!(ssl.into_ssl()); + let fd = stream.as_raw_socket() as c_int; + let ssl = try!(NonblockingSslStream::new_base(ssl, stream, fd)); + let ret = ssl.ssl.connect(); + if ret > 0 { + Ok(ssl) + } else { + // WantRead/WantWrite is okay here; we'll finish the handshake in + // subsequent send/recv calls. + match ssl.make_error(ret) { + NonblockingSslError::WantRead | NonblockingSslError::WantWrite => Ok(ssl), + NonblockingSslError::SslError(other) => Err(other), + } + } + } + + /// Create a new nonblocking server ssl connection on wrapped `stream`. + /// + /// Note that this method will most likely not actually complete the SSL + /// handshake because doing so requires several round trips; the handshake will + /// be completed in subsequent read/write calls managed by your event loop. + pub fn accept(ssl: T, stream: S) -> Result, SslError> { + let ssl = try!(ssl.into_ssl()); + let fd = stream.as_raw_socket() as c_int; + let ssl = try!(NonblockingSslStream::new_base(ssl, stream, fd)); + let ret = ssl.ssl.accept(); + if ret > 0 { + Ok(ssl) + } else { + // WantRead/WantWrite is okay here; we'll finish the handshake in + // subsequent send/recv calls. + match ssl.make_error(ret) { + NonblockingSslError::WantRead | NonblockingSslError::WantWrite => Ok(ssl), + NonblockingSslError::SslError(other) => Err(other), + } + } + } +} + +impl NonblockingSslStream { + /// Read bytes from the SSL stream into `buf`. + /// + /// Given the SSL state machine, this method may return either `WantWrite` + /// or `WantRead` to indicate that your event loop should respectively wait + /// for write or read readiness on the underlying stream. Upon readiness, + /// repeat your `read()` call with the same arguments each time until you + /// receive an `Ok(count)`. + /// + /// An `SslError` return value, is terminal; do not re-attempt your read. + /// + /// As expected of a nonblocking API, this method will never block your + /// thread on I/O. + /// + /// On a return value of `Ok(count)`, count is the number of decrypted + /// plaintext bytes copied into the `buf` slice. + pub fn read(&mut self, buf: &mut [u8]) -> Result { + let ret = self.ssl.read(buf); + if ret >= 0 { + Ok(ret as usize) + } else { + Err(self.make_error(ret)) + } + } + + /// Write bytes from `buf` to the SSL stream. + /// + /// Given the SSL state machine, this method may return either `WantWrite` + /// or `WantRead` to indicate that your event loop should respectively wait + /// for write or read readiness on the underlying stream. Upon readiness, + /// repeat your `write()` call with the same arguments each time until you + /// receive an `Ok(count)`. + /// + /// An `SslError` return value, is terminal; do not re-attempt your write. + /// + /// As expected of a nonblocking API, this method will never block your + /// thread on I/O. + /// + /// Given a return value of `Ok(count)`, count is the number of plaintext bytes + /// from the `buf` slice that were encrypted and written onto the stream. + pub fn write(&mut self, buf: &[u8]) -> Result { + let ret = self.ssl.write(buf); + if ret > 0 { + Ok(ret as usize) + } else { + Err(self.make_error(ret)) + } + } +} diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index 033a3b86..8335bc53 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -819,3 +819,135 @@ fn test_sslv2_connect_failure() { let (_s, tcp) = Server::new_tcp(&["-no_ssl2", "-www"]); SslStream::connect_generic(&SslContext::new(Sslv2).unwrap(), tcp).err().unwrap(); } + +#[cfg(target_os = "linux")] +mod nonblocking_tests { + extern crate nix; + + use std::io::Write; + use std::net::TcpStream; + use std::os::unix::io::AsRawFd; + + use super::Server; + use self::nix::sys::epoll; + use self::nix::fcntl; + use ssl; + use ssl::error::NonblockingSslError; + use ssl::SslMethod; + use ssl::SslMethod::Sslv23; + use ssl::{SslContext, NonblockingSslStream}; + + fn wait_io(stream: &NonblockingSslStream, read: bool, timeout_ms: isize) -> bool { + let fd = stream.as_raw_fd(); + let ep = epoll::epoll_create().unwrap(); + let event = if read { + epoll::EpollEvent { + events: epoll::EPOLLIN | epoll::EPOLLERR, + data: 0, + } + } else { + epoll::EpollEvent { + events: epoll::EPOLLOUT, + data: 0, + } + }; + epoll::epoll_ctl(ep, epoll::EpollOp::EpollCtlAdd, fd, &event).unwrap(); + let mut events = [event]; + let count = epoll::epoll_wait(ep, &mut events, timeout_ms).unwrap(); + epoll::epoll_ctl(ep, epoll::EpollOp::EpollCtlDel, fd, &event).unwrap(); + assert!(count <= 1); + count == 1 + } + + fn make_nonblocking(stream: &TcpStream) { + let fd = stream.as_raw_fd(); + fcntl::fcntl(fd, fcntl::FcntlArg::F_SETFL(fcntl::O_NONBLOCK)).unwrap(); + } + + #[test] + fn test_write_nonblocking() { + let (_s, stream) = Server::new(); + make_nonblocking(&stream); + let mut stream = NonblockingSslStream::connect(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); + + let mut iterations = 0; + loop { + iterations += 1; + if iterations > 7 { + // Probably a safe assumption for the foreseeable future of openssl. + panic!("Too many read/write round trips in handshake!!"); + } + let result = stream.write("hello".as_bytes()); + match result { + Ok(_) => { + break; + }, + Err(NonblockingSslError::WantRead) => { + assert!(wait_io(&stream, true, 1000)); + }, + Err(NonblockingSslError::WantWrite) => { + assert!(wait_io(&stream, false, 1000)); + }, + Err(other) => { + panic!("Unexpected SSL Error: {:?}", other); + }, + } + } + + // Second write should succeed immediately--plenty of space in kernel buffer, + // and handshake just completed. + stream.write(" there".as_bytes()).unwrap(); + } + + #[test] + fn test_read_nonblocking() { + let (_s, stream) = Server::new(); + make_nonblocking(&stream); + let mut stream = NonblockingSslStream::connect(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); + + let mut iterations = 0; + loop { + iterations += 1; + if iterations > 7 { + // Probably a safe assumption for the foreseeable future of openssl. + panic!("Too many read/write round trips in handshake!!"); + } + let result = stream.write("GET /\r\n\r\n".as_bytes()); + match result { + Ok(n) => { + assert_eq!(n, 9); + break; + }, + Err(NonblockingSslError::WantRead) => { + assert!(wait_io(&stream, true, 1000)); + }, + Err(NonblockingSslError::WantWrite) => { + assert!(wait_io(&stream, false, 1000)); + }, + Err(other) => { + panic!("Unexpected SSL Error: {:?}", other); + }, + } + } + let mut input_buffer = [0u8; 1500]; + let result = stream.read(&mut input_buffer); + let bytes_read = match result { + Ok(n) => { + // This branch is unlikely, but on an overloaded VM with + // unlucky context switching, the response could actually + // be in the receive buffer before we issue the read() syscall... + n + }, + Err(NonblockingSslError::WantRead) => { + assert!(wait_io(&stream, true, 3000)); + // Second read should return application data. + stream.read(&mut input_buffer).unwrap() + }, + Err(other) => { + panic!("Unexpected SSL Error: {:?}", other); + }, + }; + assert!(bytes_read >= 5); + assert_eq!(&input_buffer[..5], b"HTTP/"); + } +} From c895b9f09f25410b6e0046d71d42439f7a56c1be Mon Sep 17 00:00:00 2001 From: Alex Crichton Date: Tue, 22 Sep 2015 21:34:12 -0700 Subject: [PATCH 03/29] Get nonblocking tests working on OSX/Windows --- openssl/Cargo.toml | 3 +- openssl/src/ssl/{tests.rs => tests/mod.rs} | 230 ++++++++++----------- openssl/src/ssl/tests/select.rs | 87 ++++++++ 3 files changed, 194 insertions(+), 126 deletions(-) rename openssl/src/ssl/{tests.rs => tests/mod.rs} (86%) create mode 100644 openssl/src/ssl/tests/select.rs diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index cd9f97c3..23949259 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -33,5 +33,4 @@ libc = "0.1" [dev-dependencies] rustc-serialize = "0.3" -net2 = "0.2.13" -nix = "0.4" +net2 = "0.2.16" diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests/mod.rs similarity index 86% rename from openssl/src/ssl/tests.rs rename to openssl/src/ssl/tests/mod.rs index 8335bc53..e34c633f 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -4,17 +4,21 @@ use std::fs::File; use std::io::prelude::*; use std::io::{self, BufReader}; use std::iter; +use std::mem; use std::net::{TcpStream, TcpListener, SocketAddr}; use std::path::Path; use std::process::{Command, Child, Stdio, ChildStdin}; use std::thread; +use net2::TcpStreamExt; + use crypto::hash::Type::{SHA256}; use ssl; -use ssl::SslMethod; -use ssl::SslMethod::Sslv23; -use ssl::{SslContext, SslStream, VerifyCallback}; use ssl::SSL_VERIFY_PEER; +use ssl::SslMethod::Sslv23; +use ssl::SslMethod; +use ssl::error::NonblockingSslError; +use ssl::{SslContext, SslStream, VerifyCallback, NonblockingSslStream}; use x509::X509StoreContext; use x509::X509FileType; use x509::X509; @@ -29,6 +33,8 @@ use ssl::SslMethod::Sslv2; #[cfg(feature="dtlsv1")] use net2::UdpSocketExt; +mod select; + fn next_addr() -> SocketAddr { use std::sync::atomic::{AtomicUsize, ATOMIC_USIZE_INIT, Ordering}; static PORT: AtomicUsize = ATOMIC_USIZE_INIT; @@ -331,7 +337,8 @@ run_test!(verify_trusted_get_error_err, |method, stream| { }); run_test!(verify_callback_data, |method, stream| { - fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext, node_id: &Vec) -> bool { + fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext, + node_id: &Vec) -> bool { let cert = x509_ctx.get_current_cert(); match cert { None => false, @@ -808,7 +815,8 @@ mod dtlsv1 { fn test_read_dtlsv1() { let (_s, stream) = Server::new_dtlsv1(Some("hello")); - let mut stream = SslStream::connect_generic(&SslContext::new(Dtlsv1).unwrap(), stream).unwrap(); + let mut stream = SslStream::connect_generic(&SslContext::new(Dtlsv1).unwrap(), + stream).unwrap(); let mut buf = [0u8;100]; assert!(stream.read(&mut buf).is_ok()); } @@ -817,137 +825,111 @@ fn test_read_dtlsv1() { #[cfg(feature = "sslv2")] fn test_sslv2_connect_failure() { let (_s, tcp) = Server::new_tcp(&["-no_ssl2", "-www"]); - SslStream::connect_generic(&SslContext::new(Sslv2).unwrap(), tcp).err().unwrap(); + SslStream::connect_generic(&SslContext::new(Sslv2).unwrap(), + tcp).err().unwrap(); } -#[cfg(target_os = "linux")] -mod nonblocking_tests { - extern crate nix; +fn wait_io(stream: &NonblockingSslStream, + read: bool, + timeout_ms: u32) -> bool { + unsafe { + let mut set: select::fd_set = mem::zeroed(); + select::fd_set(&mut set, stream.get_ref()); - use std::io::Write; - use std::net::TcpStream; - use std::os::unix::io::AsRawFd; - - use super::Server; - use self::nix::sys::epoll; - use self::nix::fcntl; - use ssl; - use ssl::error::NonblockingSslError; - use ssl::SslMethod; - use ssl::SslMethod::Sslv23; - use ssl::{SslContext, NonblockingSslStream}; - - fn wait_io(stream: &NonblockingSslStream, read: bool, timeout_ms: isize) -> bool { - let fd = stream.as_raw_fd(); - let ep = epoll::epoll_create().unwrap(); - let event = if read { - epoll::EpollEvent { - events: epoll::EPOLLIN | epoll::EPOLLERR, - data: 0, - } - } else { - epoll::EpollEvent { - events: epoll::EPOLLOUT, - data: 0, - } - }; - epoll::epoll_ctl(ep, epoll::EpollOp::EpollCtlAdd, fd, &event).unwrap(); - let mut events = [event]; - let count = epoll::epoll_wait(ep, &mut events, timeout_ms).unwrap(); - epoll::epoll_ctl(ep, epoll::EpollOp::EpollCtlDel, fd, &event).unwrap(); - assert!(count <= 1); - count == 1 + let write = if read {0 as *mut _} else {&mut set as *mut _}; + let read = if !read {0 as *mut _} else {&mut set as *mut _}; + select::select(stream.get_ref(), read, write, 0 as *mut _, timeout_ms) + .unwrap() } +} - fn make_nonblocking(stream: &TcpStream) { - let fd = stream.as_raw_fd(); - fcntl::fcntl(fd, fcntl::FcntlArg::F_SETFL(fcntl::O_NONBLOCK)).unwrap(); - } +#[test] +fn test_write_nonblocking() { + let (_s, stream) = Server::new(); + stream.set_nonblocking(true).unwrap(); + let cx = SslContext::new(Sslv23).unwrap(); + let mut stream = NonblockingSslStream::connect(&cx, stream).unwrap(); - #[test] - fn test_write_nonblocking() { - let (_s, stream) = Server::new(); - make_nonblocking(&stream); - let mut stream = NonblockingSslStream::connect(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); - - let mut iterations = 0; - loop { - iterations += 1; - if iterations > 7 { - // Probably a safe assumption for the foreseeable future of openssl. - panic!("Too many read/write round trips in handshake!!"); - } - let result = stream.write("hello".as_bytes()); - match result { - Ok(_) => { - break; - }, - Err(NonblockingSslError::WantRead) => { - assert!(wait_io(&stream, true, 1000)); - }, - Err(NonblockingSslError::WantWrite) => { - assert!(wait_io(&stream, false, 1000)); - }, - Err(other) => { - panic!("Unexpected SSL Error: {:?}", other); - }, - } + let mut iterations = 0; + loop { + iterations += 1; + if iterations > 7 { + // Probably a safe assumption for the foreseeable future of + // openssl. + panic!("Too many read/write round trips in handshake!!"); } - - // Second write should succeed immediately--plenty of space in kernel buffer, - // and handshake just completed. - stream.write(" there".as_bytes()).unwrap(); - } - - #[test] - fn test_read_nonblocking() { - let (_s, stream) = Server::new(); - make_nonblocking(&stream); - let mut stream = NonblockingSslStream::connect(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); - - let mut iterations = 0; - loop { - iterations += 1; - if iterations > 7 { - // Probably a safe assumption for the foreseeable future of openssl. - panic!("Too many read/write round trips in handshake!!"); - } - let result = stream.write("GET /\r\n\r\n".as_bytes()); - match result { - Ok(n) => { - assert_eq!(n, 9); - break; - }, - Err(NonblockingSslError::WantRead) => { - assert!(wait_io(&stream, true, 1000)); - }, - Err(NonblockingSslError::WantWrite) => { - assert!(wait_io(&stream, false, 1000)); - }, - Err(other) => { - panic!("Unexpected SSL Error: {:?}", other); - }, - } - } - let mut input_buffer = [0u8; 1500]; - let result = stream.read(&mut input_buffer); - let bytes_read = match result { - Ok(n) => { - // This branch is unlikely, but on an overloaded VM with - // unlucky context switching, the response could actually - // be in the receive buffer before we issue the read() syscall... - n + let result = stream.write(b"hello"); + match result { + Ok(_) => { + break; }, Err(NonblockingSslError::WantRead) => { - assert!(wait_io(&stream, true, 3000)); - // Second read should return application data. - stream.read(&mut input_buffer).unwrap() + assert!(wait_io(&stream, true, 1000)); + }, + Err(NonblockingSslError::WantWrite) => { + assert!(wait_io(&stream, false, 1000)); }, Err(other) => { panic!("Unexpected SSL Error: {:?}", other); }, - }; - assert!(bytes_read >= 5); - assert_eq!(&input_buffer[..5], b"HTTP/"); + } } + + // Second write should succeed immediately--plenty of space in kernel + // buffer, and handshake just completed. + stream.write(" there".as_bytes()).unwrap(); +} + +#[test] +fn test_read_nonblocking() { + let (_s, stream) = Server::new(); + stream.set_nonblocking(true).unwrap(); + let cx = SslContext::new(Sslv23).unwrap(); + let mut stream = NonblockingSslStream::connect(&cx, stream).unwrap(); + + let mut iterations = 0; + loop { + iterations += 1; + if iterations > 7 { + // Probably a safe assumption for the foreseeable future of + // openssl. + panic!("Too many read/write round trips in handshake!!"); + } + let result = stream.write(b"GET /\r\n\r\n"); + match result { + Ok(n) => { + assert_eq!(n, 9); + break; + }, + Err(NonblockingSslError::WantRead) => { + assert!(wait_io(&stream, true, 1000)); + }, + Err(NonblockingSslError::WantWrite) => { + assert!(wait_io(&stream, false, 1000)); + }, + Err(other) => { + panic!("Unexpected SSL Error: {:?}", other); + }, + } + } + let mut input_buffer = [0u8; 1500]; + let result = stream.read(&mut input_buffer); + let bytes_read = match result { + Ok(n) => { + // This branch is unlikely, but on an overloaded VM with + // unlucky context switching, the response could actually + // be in the receive buffer before we issue the read() syscall... + n + }, + Err(NonblockingSslError::WantRead) => { + assert!(wait_io(&stream, true, 3000)); + // Second read should return application data. + stream.read(&mut input_buffer).unwrap() + }, + Err(other) => { + panic!("Unexpected SSL Error: {:?}", other); + }, + }; + assert!(bytes_read >= 5); + assert_eq!(&input_buffer[..5], b"HTTP/"); } diff --git a/openssl/src/ssl/tests/select.rs b/openssl/src/ssl/tests/select.rs new file mode 100644 index 00000000..fcdf4004 --- /dev/null +++ b/openssl/src/ssl/tests/select.rs @@ -0,0 +1,87 @@ +use libc; +pub use self::imp::*; + +extern "system" { + #[link_name = "select"] + fn raw_select(nfds: libc::c_int, + readfds: *mut fd_set, + writefds: *mut fd_set, + errorfds: *mut fd_set, + timeout: *mut libc::timeval) -> libc::c_int; +} + +#[cfg(unix)] +mod imp { + use std::os::unix::prelude::*; + use std::io; + use libc; + + const FD_SETSIZE: usize = 1024; + + #[repr(C)] + pub struct fd_set { + fds_bits: [u64; FD_SETSIZE / 64] + } + + pub fn fd_set(set: &mut fd_set, f: &F) { + let fd = f.as_raw_fd() as usize; + set.fds_bits[fd / 64] |= 1 << (fd % 64); + } + + pub unsafe fn select(max: &F, + read: *mut fd_set, + write: *mut fd_set, + error: *mut fd_set, + timeout_ms: u32) + -> io::Result { + let mut timeout = libc::timeval { + tv_sec: (timeout_ms / 1000) as libc::time_t, + tv_usec: (timeout_ms % 1000 * 1000) as libc::suseconds_t, + }; + let rc = super::raw_select(max.as_raw_fd() + 1, read, write, error, + &mut timeout); + if rc < 0 { + Err(io::Error::last_os_error()) + } else { + Ok(rc != 0) + } + } +} + +#[cfg(windows)] +mod imp { + use std::os::windows::prelude::*; + use std::io; + use libc::{SOCKET, c_uint, c_long, timeval}; + + const FD_SETSIZE: usize = 64; + + #[repr(C)] + pub struct fd_set { + fd_count: c_uint, + fd_array: [SOCKET; FD_SETSIZE], + } + + pub fn fd_set(set: &mut fd_set, f: &F) { + set.fd_array[set.fd_count as usize] = f.as_raw_socket(); + set.fd_count += 1; + } + + pub unsafe fn select(_max: &F, + read: *mut fd_set, + write: *mut fd_set, + error: *mut fd_set, + timeout_ms: u32) + -> io::Result { + let mut timeout = timeval { + tv_sec: (timeout_ms / 1000) as c_long, + tv_usec: (timeout_ms % 1000 * 1000) as c_long, + }; + let rc = super::raw_select(1, read, write, error, &mut timeout); + if rc < 0 { + Err(io::Error::last_os_error()) + } else { + Ok(rc != 0) + } + } +} From 613a9ff7216630bb80d2b905933883155dda6db7 Mon Sep 17 00:00:00 2001 From: Peter Atashian Date: Sun, 25 Oct 2015 05:11:23 -0400 Subject: [PATCH 04/29] Explicitly depend on gdi32 and user32 on Windows Since openssl ends up depending on functions from these system libraries, depend on -sys crates that provide these system libraries. --- openssl-sys/Cargo.toml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 045e15eb..1e32f87c 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -39,3 +39,15 @@ libressl-pnacl-sys = "2.1.0" libressl-pnacl-sys = "2.1.0" [target.arm-unknown-nacl.dependencies] libressl-pnacl-sys = "2.1.0" +[target.i686-pc-windows-gnu] +user32-sys = "*" +gdi32-sys = "*" +[target.x86_64-pc-windows-gnu] +user32-sys = "*" +gdi32-sys = "*" +[target.i686-pc-windows-msvc] +user32-sys = "*" +gdi32-sys = "*" +[target.x86_64-pc-windows-msvc] +user32-sys = "*" +gdi32-sys = "*" From 1e7ff1d8a8742a1f015ea5b336297c689a5d4810 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 26 Oct 2015 21:43:52 -0700 Subject: [PATCH 05/29] Better debug impls --- openssl/src/ssl/mod.rs | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 62080056..a01e1d29 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -698,10 +698,11 @@ pub struct Ssl { unsafe impl Send for Ssl {} unsafe impl Sync for Ssl {} -// TODO: put useful information here impl fmt::Debug for Ssl { fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result { - write!(fmt, "Ssl") + fmt.debug_struct("Ssl") + .field("state", &self.get_state_string_long()) + .finish() } } @@ -1179,7 +1180,10 @@ impl SslStream { impl fmt::Debug for SslStream where S: fmt::Debug { fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result { - write!(fmt, "SslStream {{ stream: {:?}, ssl: {:?} }}", self.kind.stream(), self.kind.ssl()) + fmt.debug_struct("SslStream") + .field("stream", &self.kind.stream()) + .field("ssl", &self.kind.ssl()) + .finish() } } From 11e3b1b56317ca1e24cfc1c0a3805123fa73bfb8 Mon Sep 17 00:00:00 2001 From: Thom May Date: Wed, 28 Oct 2015 16:40:05 +0000 Subject: [PATCH 06/29] Provide public_decrypt, private_encrypt for PKEY --- openssl-sys/src/lib.rs | 4 ++ openssl/src/crypto/pkey.rs | 133 ++++++++++++++++++++++++++++++++----- 2 files changed, 122 insertions(+), 15 deletions(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 96da64f3..2aa36a89 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -516,6 +516,10 @@ extern "C" { pub fn RSA_generate_key_ex(rsa: *mut RSA, bits: c_int, e: *mut BIGNUM, cb: *const c_void) -> c_int; pub fn RSA_private_decrypt(flen: c_int, from: *const u8, to: *mut u8, k: *mut RSA, pad: c_int) -> c_int; + pub fn RSA_public_decrypt(flen: c_int, from: *const u8, to: *mut u8, k: *mut RSA, + pad: c_int) -> c_int; + pub fn RSA_private_encrypt(flen: c_int, from: *const u8, to: *mut u8, k: *mut RSA, + pad: c_int) -> c_int; pub fn RSA_public_encrypt(flen: c_int, from: *const u8, to: *mut u8, k: *mut RSA, pad: c_int) -> c_int; pub fn RSA_sign(t: c_int, m: *const u8, mlen: c_uint, sig: *mut u8, siglen: *mut c_uint, diff --git a/openssl/src/crypto/pkey.rs b/openssl/src/crypto/pkey.rs index 695bd8a6..6ca0aa12 100644 --- a/openssl/src/crypto/pkey.rs +++ b/openssl/src/crypto/pkey.rs @@ -276,7 +276,36 @@ impl PKey { } } - pub fn encrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec { + pub fn private_encrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec { + unsafe { + let rsa = ffi::EVP_PKEY_get1_RSA(self.evp); + if rsa.is_null() { + panic!("Could not get RSA key for encryption"); + } + let len = ffi::RSA_size(rsa); + + assert!(s.len() < self.max_data()); + + let mut r = repeat(0u8).take(len as usize + 1).collect::>(); + + let rv = ffi::RSA_private_encrypt( + s.len() as c_int, + s.as_ptr(), + r.as_mut_ptr(), + rsa, + openssl_padding_code(padding)); + + if rv < 0 as c_int { + // println!("{:?}", SslError::get()); + vec!() + } else { + r.truncate(rv as usize); + r + } + } + } + + pub fn public_encrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec { unsafe { let rsa = ffi::EVP_PKEY_get1_RSA(self.evp); if rsa.is_null() { @@ -304,7 +333,7 @@ impl PKey { } } - pub fn decrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec { + pub fn private_decrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec { unsafe { let rsa = ffi::EVP_PKEY_get1_RSA(self.evp); if rsa.is_null() { @@ -332,16 +361,78 @@ impl PKey { } } - /** - * Encrypts data using OAEP padding, returning the encrypted data. The - * supplied data must not be larger than max_data(). - */ - pub fn encrypt(&self, s: &[u8]) -> Vec { self.encrypt_with_padding(s, EncryptionPadding::OAEP) } + pub fn public_decrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec { + unsafe { + let rsa = ffi::EVP_PKEY_get1_RSA(self.evp); + if rsa.is_null() { + panic!("Could not get RSA key for decryption"); + } + let len = ffi::RSA_size(rsa); + + assert_eq!(s.len() as c_int, ffi::RSA_size(rsa)); + + let mut r = repeat(0u8).take(len as usize + 1).collect::>(); + + let rv = ffi::RSA_public_decrypt( + s.len() as c_int, + s.as_ptr(), + r.as_mut_ptr(), + rsa, + openssl_padding_code(padding)); + + if rv < 0 as c_int { + vec!() + } else { + r.truncate(rv as usize); + r + } + } + } /** - * Decrypts data, expecting OAEP padding, returning the decrypted data. + * Encrypts data with the public key, using OAEP padding, returning the encrypted data. The + * supplied data must not be larger than max_data(). */ - pub fn decrypt(&self, s: &[u8]) -> Vec { self.decrypt_with_padding(s, EncryptionPadding::OAEP) } + pub fn encrypt(&self, s: &[u8]) -> Vec { self.public_encrypt_with_padding(s, EncryptionPadding::OAEP) } + + /** + * Encrypts data with the public key, using provided padding, returning the encrypted data. The + * supplied data must not be larger than max_data(). + */ + pub fn encrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec { self.public_encrypt_with_padding(s, padding) } + + /** + * Encrypts data with the public key, using OAEP padding, returning the encrypted data. The + * supplied data must not be larger than max_data(). + */ + pub fn public_encrypt(&self, s: &[u8]) -> Vec { self.public_encrypt_with_padding(s, EncryptionPadding::OAEP) } + + /** + * Decrypts data with the public key, using PKCS1v15 padding, returning the decrypted data. + */ + pub fn public_decrypt(&self, s: &[u8]) -> Vec { self.public_decrypt_with_padding(s, EncryptionPadding::PKCS1v15) } + + /** + * Decrypts data with the private key, expecting OAEP padding, returning the decrypted data. + */ + pub fn decrypt(&self, s: &[u8]) -> Vec { self.private_decrypt_with_padding(s, EncryptionPadding::OAEP) } + + /** + * Decrypts data with the private key, using provided padding, returning the encrypted data. The + * supplied data must not be larger than max_data(). + */ + pub fn decrypt_with_padding(&self, s: &[u8], padding: EncryptionPadding) -> Vec { self.private_decrypt_with_padding(s, padding) } + + /** + * Decrypts data with the private key, expecting OAEP padding, returning the decrypted data. + */ + pub fn private_decrypt(&self, s: &[u8]) -> Vec { self.private_decrypt_with_padding(s, EncryptionPadding::OAEP) } + + /** + * Encrypts data with the private key, using PKCS1v15 padding, returning the encrypted data. The + * supplied data must not be larger than max_data(). + */ + pub fn private_encrypt(&self, s: &[u8]) -> Vec { self.private_encrypt_with_padding(s, EncryptionPadding::PKCS1v15) } /** * Signs data, using OpenSSL's default scheme and adding sha256 ASN.1 information to the @@ -493,26 +584,38 @@ mod tests { } #[test] - fn test_encrypt() { + fn test_private_encrypt() { let mut k0 = super::PKey::new(); let mut k1 = super::PKey::new(); let msg = vec!(0xdeu8, 0xadu8, 0xd0u8, 0x0du8); k0.gen(512); k1.load_pub(&k0.save_pub()); - let emsg = k1.encrypt(&msg); - let dmsg = k0.decrypt(&emsg); + let emsg = k0.private_encrypt(&msg); + let dmsg = k1.public_decrypt(&emsg); assert!(msg == dmsg); } #[test] - fn test_encrypt_pkcs() { + fn test_public_encrypt() { let mut k0 = super::PKey::new(); let mut k1 = super::PKey::new(); let msg = vec!(0xdeu8, 0xadu8, 0xd0u8, 0x0du8); k0.gen(512); k1.load_pub(&k0.save_pub()); - let emsg = k1.encrypt_with_padding(&msg, super::EncryptionPadding::PKCS1v15); - let dmsg = k0.decrypt_with_padding(&emsg, super::EncryptionPadding::PKCS1v15); + let emsg = k1.public_encrypt(&msg); + let dmsg = k0.private_decrypt(&emsg); + assert!(msg == dmsg); + } + + #[test] + fn test_public_encrypt_pkcs() { + let mut k0 = super::PKey::new(); + let mut k1 = super::PKey::new(); + let msg = vec!(0xdeu8, 0xadu8, 0xd0u8, 0x0du8); + k0.gen(512); + k1.load_pub(&k0.save_pub()); + let emsg = k1.public_encrypt_with_padding(&msg, super::EncryptionPadding::PKCS1v15); + let dmsg = k0.private_decrypt_with_padding(&emsg, super::EncryptionPadding::PKCS1v15); assert!(msg == dmsg); } From 776852ff2bfe01ea22abe7f2ca5d086e713c6fd1 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 8 Nov 2015 23:16:42 -0800 Subject: [PATCH 07/29] Travis without sudo --- .travis.yml | 5 +++-- openssl/test/build.sh | 5 ++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.travis.yml b/.travis.yml index 8ee8c929..51a471c4 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,4 +1,5 @@ language: rust +sudo: false rust: - nightly - beta @@ -13,5 +14,5 @@ before_install: - (test $TRAVIS_OS_NAME == "osx" || ./openssl/test/build.sh) script: - (test $TRAVIS_OS_NAME != "osx" || (cd openssl && cargo test)) -- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=/usr/lib OPENSSL_INCLUDE_DIR=/usr/include LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH cargo test)) -- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=/usr/lib OPENSSL_INCLUDE_DIR=/usr/include LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH cargo test --features "$FEATURES")) +- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH cargo test)) +- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH cargo test --features "$FEATURES")) diff --git a/openssl/test/build.sh b/openssl/test/build.sh index db517ab3..1b923cb1 100755 --- a/openssl/test/build.sh +++ b/openssl/test/build.sh @@ -3,8 +3,7 @@ set -e mkdir /tmp/openssl cd /tmp/openssl -sudo apt-get install gcc make curl https://openssl.org/source/openssl-1.0.2d.tar.gz | tar --strip-components=1 -xzf - -./config --prefix=/usr/ shared +./config --prefix=$HOME/openssl shared make -sudo make install +make install From 444e0819416c77deecff3ddef138ebe6ee1d09b1 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 8 Nov 2015 23:25:57 -0800 Subject: [PATCH 08/29] Test with one thread to debug timeouts --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 51a471c4..ae7d67d9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,4 +15,4 @@ before_install: script: - (test $TRAVIS_OS_NAME != "osx" || (cd openssl && cargo test)) - (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH cargo test)) -- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH cargo test --features "$FEATURES")) +- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH RUST_TEST_THREADS=1 cargo test --features "$FEATURES")) From 5f5805dd90fe54db20a116a4970e7235da2f2b53 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 8 Nov 2015 23:32:06 -0800 Subject: [PATCH 09/29] Moar debuggign --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index ae7d67d9..c5391ca3 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,4 +15,4 @@ before_install: script: - (test $TRAVIS_OS_NAME != "osx" || (cd openssl && cargo test)) - (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH cargo test)) -- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH RUST_TEST_THREADS=1 cargo test --features "$FEATURES")) +- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH RUST_TEST_THREADS=1 LD_DEBUG=libs cargo test --features "$FEATURES")) From 5eb32e0351ea98d064b173277e18f0d7a520f245 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 8 Nov 2015 23:46:20 -0800 Subject: [PATCH 10/29] RUn tests through strace --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index c5391ca3..f06f108d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,4 +15,4 @@ before_install: script: - (test $TRAVIS_OS_NAME != "osx" || (cd openssl && cargo test)) - (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH cargo test)) -- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH RUST_TEST_THREADS=1 LD_DEBUG=libs cargo test --features "$FEATURES")) +- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH RUST_TEST_THREADS=1 strace -f cargo test --features "$FEATURES")) From c5d188efeeeb858ed4a4e7f5f1d7691f4cabeaea Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 8 Nov 2015 23:52:41 -0800 Subject: [PATCH 11/29] Install strace --- .travis.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.travis.yml b/.travis.yml index f06f108d..db77bc73 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,9 @@ language: rust sudo: false +addons: + apt: + packages: + - strace rust: - nightly - beta From 7cd551ad7bbced97c0f3c2fad28aab138fff4407 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 9 Nov 2015 00:01:45 -0800 Subject: [PATCH 12/29] fuuu --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index db77bc73..d22a46d6 100644 --- a/.travis.yml +++ b/.travis.yml @@ -19,4 +19,4 @@ before_install: script: - (test $TRAVIS_OS_NAME != "osx" || (cd openssl && cargo test)) - (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH cargo test)) -- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH RUST_TEST_THREADS=1 strace -f cargo test --features "$FEATURES")) +- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH cargo test --no-run --features "$FEATURES" && LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH strace -f $(find target/debug -maxdepth 1 -name "openssl-*") multiple_matching)) From 3fc223f17c1bad6df87f3e5346e337fb243eaeb1 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 9 Nov 2015 00:09:58 -0800 Subject: [PATCH 13/29] Fix path for travis buidl --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index d22a46d6..89af3937 100644 --- a/.travis.yml +++ b/.travis.yml @@ -19,4 +19,4 @@ before_install: script: - (test $TRAVIS_OS_NAME != "osx" || (cd openssl && cargo test)) - (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH cargo test)) -- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH cargo test --no-run --features "$FEATURES" && LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH strace -f $(find target/debug -maxdepth 1 -name "openssl-*") multiple_matching)) +- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH PATH=$HOME/openssl/bin:$PATH cargo test --features "$FEATURES") From d3dbdc158ef7893893019c71be510355bd8449fa Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 9 Nov 2015 00:12:49 -0800 Subject: [PATCH 14/29] Stop adding strace --- .travis.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 89af3937..70580e1c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,9 +1,5 @@ language: rust sudo: false -addons: - apt: - packages: - - strace rust: - nightly - beta From b62ae0761fbf6709f673a30e96262ff9088ad88a Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 9 Nov 2015 00:17:17 -0800 Subject: [PATCH 15/29] Fix syntax --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 70580e1c..c52d014b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,4 +15,4 @@ before_install: script: - (test $TRAVIS_OS_NAME != "osx" || (cd openssl && cargo test)) - (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH cargo test)) -- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH PATH=$HOME/openssl/bin:$PATH cargo test --features "$FEATURES") +- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH PATH=$HOME/openssl/bin:$PATH cargo test --features "$FEATURES")) From b0cb0f7c40ad58fab493c7a40af1f0dcf4864d71 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 16 Jun 2015 21:56:44 -0700 Subject: [PATCH 16/29] Revert "Use AsRef for backwards compatibility with passing IV as Vec" This reverts commit d2d20a83778b7c363322997332bf1ff5deef92d5. --- openssl/src/crypto/symm.rs | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/openssl/src/crypto/symm.rs b/openssl/src/crypto/symm.rs index db8aa54e..bc4b65b5 100644 --- a/openssl/src/crypto/symm.rs +++ b/openssl/src/crypto/symm.rs @@ -1,5 +1,4 @@ use std::iter::repeat; -use std::convert::AsRef; use libc::{c_int}; use crypto::symm_internal::evpc; @@ -75,7 +74,7 @@ impl Crypter { /** * Initializes this crypter. */ - pub fn init>(&self, mode: Mode, key: &[u8], iv: T) { + pub fn init(&self, mode: Mode, key: &[u8], iv: &[u8]) { unsafe { let mode = match mode { Mode::Encrypt => 1 as c_int, @@ -87,7 +86,7 @@ impl Crypter { self.ctx, self.evp, key.as_ptr(), - iv.as_ref().as_ptr(), + iv.as_ptr(), mode ); } @@ -146,7 +145,7 @@ impl Drop for Crypter { * Encrypts data, using the specified crypter type in encrypt mode with the * specified key and iv; returns the resulting (encrypted) data. */ -pub fn encrypt>(t: Type, key: &[u8], iv: T, data: &[u8]) -> Vec { +pub fn encrypt(t: Type, key: &[u8], iv: &[u8], data: &[u8]) -> Vec { let c = Crypter::new(t); c.init(Mode::Encrypt, key, iv); let mut r = c.update(data); @@ -159,7 +158,7 @@ pub fn encrypt>(t: Type, key: &[u8], iv: T, data: &[u8]) -> Vec>(t: Type, key: &[u8], iv: T, data: &[u8]) -> Vec { +pub fn decrypt(t: Type, key: &[u8], iv: &[u8], data: &[u8]) -> Vec { let c = Crypter::new(t); c.init(Mode::Decrypt, key, iv); let mut r = c.update(data); From be2cbabdb72850d72deb674d871d0e172309e6aa Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 14 Oct 2015 21:54:00 -0400 Subject: [PATCH 17/29] Revert "Revert "Merge pull request #280 from ltratt/libressl_build"" This reverts commit ae3d0e36d71bb121c2fc1a75b3bc6d97f0e61480. --- openssl-sys/Cargo.toml | 1 + openssl/src/ssl/mod.rs | 3 +++ openssl/src/ssl/tests/mod.rs | 4 ---- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 045e15eb..dd2704f5 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -17,6 +17,7 @@ tlsv1_1 = [] dtlsv1 = [] dtlsv1_2 = [] sslv2 = [] +sslv3 = [] aes_xts = [] aes_ctr = [] npn = [] diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index a01e1d29..aacc5edc 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -109,6 +109,7 @@ pub enum SslMethod { /// Support the SSLv2, SSLv3, TLSv1, TLSv1.1, and TLSv1.2 protocols depending on what the /// linked OpenSSL library supports. Sslv23, + #[cfg(feature = "sslv3")] /// Only support the SSLv3 protocol. Sslv3, /// Only support the TLSv1 protocol. @@ -132,6 +133,7 @@ impl SslMethod { match *self { #[cfg(feature = "sslv2")] SslMethod::Sslv2 => ffi::SSLv2_method(), + #[cfg(feature = "sslv3")] SslMethod::Sslv3 => ffi::SSLv3_method(), SslMethod::Tlsv1 => ffi::TLSv1_method(), SslMethod::Sslv23 => ffi::SSLv23_method(), @@ -150,6 +152,7 @@ impl SslMethod { match method { #[cfg(feature = "sslv2")] x if x == ffi::SSLv2_method() => Some(SslMethod::Sslv2), + #[cfg(feature = "sslv3")] x if x == ffi::SSLv3_method() => Some(SslMethod::Sslv3), x if x == ffi::TLSv1_method() => Some(SslMethod::Tlsv1), x if x == ffi::SSLv23_method() => Some(SslMethod::Sslv23), diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index e34c633f..233abd91 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -423,10 +423,6 @@ run_test!(set_ctx_options, |method, _| { let mut ctx = SslContext::new(method).unwrap(); let opts = ctx.set_options(ssl::SSL_OP_NO_TICKET); assert!(opts.contains(ssl::SSL_OP_NO_TICKET)); - assert!(!opts.contains(ssl::SSL_OP_CISCO_ANYCONNECT)); - let more_opts = ctx.set_options(ssl::SSL_OP_CISCO_ANYCONNECT); - assert!(more_opts.contains(ssl::SSL_OP_NO_TICKET)); - assert!(more_opts.contains(ssl::SSL_OP_CISCO_ANYCONNECT)); }); run_test!(clear_ctx_options, |method, _| { From fae44250f6ffde38fa96d77ab6060fd9777f0bae Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Sun, 25 Oct 2015 21:43:09 -0700 Subject: [PATCH 18/29] Fix feature gated sslv3 --- .travis.yml | 2 +- openssl/Cargo.toml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index c52d014b..6f5d1ba9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -9,7 +9,7 @@ os: - linux env: global: - - FEATURES="tlsv1_2 tlsv1_1 dtlsv1 dtlsv1_2 sslv2 aes_xts npn alpn aes_ctr" + - FEATURES="tlsv1_2 tlsv1_1 dtlsv1 dtlsv1_2 sslv2 sslv3 aes_xts npn alpn aes_ctr" before_install: - (test $TRAVIS_OS_NAME == "osx" || ./openssl/test/build.sh) script: diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 23949259..ca7c8a62 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -15,6 +15,7 @@ tlsv1_1 = ["openssl-sys/tlsv1_1"] dtlsv1 = ["openssl-sys/dtlsv1"] dtlsv1_2 = ["openssl-sys/dtlsv1_2"] sslv2 = ["openssl-sys/sslv2"] +sslv3 = ["openssl-sys/sslv3"] aes_xts = ["openssl-sys/aes_xts"] aes_ctr = ["openssl-sys/aes_ctr"] npn = ["openssl-sys/npn"] From 124a0858e8d3e85d676a1d6230dd98b3c617812e Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 9 Nov 2015 20:10:27 -0800 Subject: [PATCH 19/29] Test all features --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 6f5d1ba9..43ce2ec6 100644 --- a/.travis.yml +++ b/.travis.yml @@ -9,7 +9,7 @@ os: - linux env: global: - - FEATURES="tlsv1_2 tlsv1_1 dtlsv1 dtlsv1_2 sslv2 sslv3 aes_xts npn alpn aes_ctr" + - FEATURES="tlsv1_2 tlsv1_1 dtlsv1 dtlsv1_2 sslv2 sslv3 aes_xts aes_ctr npn alpn rfc5114 ecdh_auto" before_install: - (test $TRAVIS_OS_NAME == "osx" || ./openssl/test/build.sh) script: From 03e4908c13cf2c5443fcdaf496ee1b7b223bbcf9 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 26 Oct 2015 21:09:30 -0700 Subject: [PATCH 20/29] Move SSL methods to Ssl object, add getter --- openssl/src/ssl/mod.rs | 152 +++++++++++------------------------ openssl/src/ssl/tests/mod.rs | 38 ++++----- 2 files changed, 66 insertions(+), 124 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index aacc5edc..735255e4 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -704,7 +704,7 @@ unsafe impl Sync for Ssl {} impl fmt::Debug for Ssl { fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result { fmt.debug_struct("Ssl") - .field("state", &self.get_state_string_long()) + .field("state", &self.state_string_long()) .finish() } } @@ -722,24 +722,6 @@ impl Ssl { Ok(ssl) } - pub fn get_state_string(&self) -> &'static str { - let state = unsafe { - let ptr = ffi::SSL_state_string(self.ssl); - CStr::from_ptr(ptr) - }; - - str::from_utf8(state.to_bytes()).unwrap() - } - - pub fn get_state_string_long(&self) -> &'static str { - let state = unsafe { - let ptr = ffi::SSL_state_string_long(self.ssl); - CStr::from_ptr(ptr) - }; - - str::from_utf8(state.to_bytes()).unwrap() - } - fn get_rbio<'a>(&'a self) -> MemBioRef<'a> { unsafe { self.wrap_bio(ffi::SSL_get_rbio(self.ssl)) } } @@ -782,7 +764,25 @@ impl Ssl { } } - /// Set the host name to be used with SNI (Server Name Indication). + pub fn state_string(&self) -> &'static str { + let state = unsafe { + let ptr = ffi::SSL_state_string(self.ssl); + CStr::from_ptr(ptr) + }; + + str::from_utf8(state.to_bytes()).unwrap() + } + + pub fn state_string_long(&self) -> &'static str { + let state = unsafe { + let ptr = ffi::SSL_state_string_long(self.ssl); + CStr::from_ptr(ptr) + }; + + str::from_utf8(state.to_bytes()).unwrap() + } + + /// Sets the host name to be used with SNI (Server Name Indication). pub fn set_hostname(&self, hostname: &str) -> Result<(), SslError> { let cstr = CString::new(hostname).unwrap(); let ret = unsafe { ffi::SSL_set_tlsext_host_name(self.ssl, cstr.as_ptr()) }; @@ -795,7 +795,8 @@ impl Ssl { } } - pub fn get_peer_certificate(&self) -> Option { + /// Returns the certificate of the peer, if present. + pub fn peer_certificate(&self) -> Option { unsafe { let ptr = ffi::SSL_get_peer_certificate(self.ssl); if ptr.is_null() { @@ -813,7 +814,7 @@ impl Ssl { /// /// This method needs the `npn` feature. #[cfg(feature = "npn")] - pub fn get_selected_npn_protocol(&self) -> Option<&[u8]> { + pub fn selected_npn_protocol(&self) -> Option<&[u8]> { unsafe { let mut data: *const c_uchar = ptr::null(); let mut len: c_uint = 0; @@ -836,7 +837,7 @@ impl Ssl { /// /// This method needs the `alpn` feature. #[cfg(feature = "alpn")] - pub fn get_selected_alpn_protocol(&self) -> Option<&[u8]> { + pub fn selected_alpn_protocol(&self) -> Option<&[u8]> { unsafe { let mut data: *const c_uchar = ptr::null(); let mut len: c_uint = 0; @@ -852,13 +853,32 @@ impl Ssl { } } - /// pending() takes into account only bytes from the TLS/SSL record that is currently being processed (if any). + /// Returns the number of bytes remaining in the currently processed TLS + /// record. pub fn pending(&self) -> usize { unsafe { ffi::SSL_pending(self.ssl) as usize } } + /// Returns the compression currently in use. + /// + /// The result will be either None, indicating no compression is in use, or + /// a string with the compression name. + pub fn compression(&self) -> Option { + let ptr = unsafe { ffi::SSL_get_current_compression(self.ssl) }; + if ptr == ptr::null() { + return None; + } + + let meth = unsafe { ffi::SSL_COMP_get_name(ptr) }; + let s = unsafe { + String::from_utf8(CStr::from_ptr(meth).to_bytes().to_vec()).unwrap() + }; + + Some(s) + } + pub fn get_ssl_method(&self) -> Option { unsafe { let method = ffi::SSL_get_ssl_method(self.ssl); @@ -1277,42 +1297,11 @@ impl SslStream { }) } - /// # Deprecated - pub fn new_server(ssl: &SslContext, stream: S) -> Result, SslError> { - SslStream::accept_generic(ssl, stream) - } - - /// # Deprecated - pub fn new_server_from(ssl: Ssl, stream: S) -> Result, SslError> { - SslStream::accept_generic(ssl, stream) - } - - /// # Deprecated - pub fn new_from(ssl: Ssl, stream: S) -> Result, SslError> { - SslStream::connect_generic(ssl, stream) - } - - /// # Deprecated - pub fn new(ctx: &SslContext, stream: S) -> Result, SslError> { - SslStream::connect_generic(ctx, stream) - } - - /// # Deprecated - #[doc(hidden)] - pub fn get_inner(&mut self) -> &mut S { - self.get_mut() - } - /// Returns a reference to the underlying stream. pub fn get_ref(&self) -> &S { self.kind.stream() } - /// Return the certificate of the peer - pub fn get_peer_certificate(&self) -> Option { - self.kind.ssl().get_peer_certificate() - } - /// Returns a mutable reference to the underlying stream. /// /// ## Warning @@ -1323,56 +1312,9 @@ impl SslStream { self.kind.mut_stream() } - /// Get the compression currently in use. The result will be - /// either None, indicating no compression is in use, or a string - /// with the compression name. - pub fn get_compression(&self) -> Option { - let ptr = unsafe { ffi::SSL_get_current_compression(self.kind.ssl().ssl) }; - if ptr == ptr::null() { - return None; - } - - let meth = unsafe { ffi::SSL_COMP_get_name(ptr) }; - let s = unsafe { - String::from_utf8(CStr::from_ptr(meth).to_bytes().to_vec()).unwrap() - }; - - Some(s) - } - - /// Returns the protocol selected by performing Next Protocol Negotiation, if any. - /// - /// The protocol's name is returned is an opaque sequence of bytes. It is up to the client - /// to interpret it. - /// - /// This method needs the `npn` feature. - #[cfg(feature = "npn")] - pub fn get_selected_npn_protocol(&self) -> Option<&[u8]> { - self.kind.ssl().get_selected_npn_protocol() - } - - /// Returns the protocol selected by performing ALPN, if any. - /// - /// The protocol's name is returned is an opaque sequence of bytes. It is up to the client - /// to interpret it. - /// - /// This method needs the `alpn` feature. - #[cfg(feature = "alpn")] - pub fn get_selected_alpn_protocol(&self) -> Option<&[u8]> { - self.kind.ssl().get_selected_alpn_protocol() - } - - /// pending() takes into account only bytes from the TLS/SSL record that is currently being processed (if any). - pub fn pending(&self) -> usize { - self.kind.ssl().pending() - } - - pub fn get_state_string(&self) -> &'static str { - self.kind.ssl().get_state_string() - } - - pub fn get_state_string_long(&self) -> &'static str { - self.kind.ssl().get_state_string_long() + /// Returns the OpenSSL `Ssl` object associated with this stream. + pub fn ssl(&self) -> &Ssl { + self.kind.ssl() } } diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs index 233abd91..025a45a8 100644 --- a/openssl/src/ssl/tests/mod.rs +++ b/openssl/src/ssl/tests/mod.rs @@ -455,7 +455,7 @@ fn test_write_direct() { run_test!(get_peer_certificate, |method, stream| { let stream = SslStream::connect_generic(&SslContext::new(method).unwrap(), stream).unwrap(); - let cert = stream.get_peer_certificate().unwrap(); + let cert = stream.ssl().peer_certificate().unwrap(); let fingerprint = cert.fingerprint(SHA256).unwrap(); let node_hash_str = "db400bb62f1b1f29c3b8f323b8f7d9dea724fdcd67104ef549c772ae3749655b"; let node_id = node_hash_str.from_hex().unwrap(); @@ -504,14 +504,14 @@ fn test_pending() { let mut buf = [0u8; 16*1024]; stream.read(&mut buf[..1]).unwrap(); - let pending = stream.pending(); + let pending = stream.ssl().pending(); let len = stream.read(&mut buf[1..]).unwrap(); assert_eq!(pending, len); stream.read(&mut buf[..1]).unwrap(); - let pending = stream.pending(); + let pending = stream.ssl().pending(); let len = stream.read(&mut buf[1..]).unwrap(); assert_eq!(pending, len); } @@ -520,8 +520,8 @@ fn test_pending() { fn test_state() { let (_s, tcp) = Server::new(); let stream = SslStream::connect_generic(&SslContext::new(Sslv23).unwrap(), tcp).unwrap(); - assert_eq!(stream.get_state_string(), "SSLOK "); - assert_eq!(stream.get_state_string_long(), "SSL negotiation finished successfully"); + assert_eq!(stream.ssl().state_string(), "SSLOK "); + assert_eq!(stream.ssl().state_string_long(), "SSL negotiation finished successfully"); } /// Tests that connecting with the client using ALPN, but the server not does not @@ -537,13 +537,13 @@ fn test_connect_with_unilateral_alpn() { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } - let stream = match SslStream::new(&ctx, stream) { + let stream = match SslStream::connect(&ctx, stream) { Ok(stream) => stream, Err(err) => panic!("Expected success, got {:?}", err) }; // Since the socket to which we connected is not configured to use ALPN, // there should be no selected protocol... - assert!(stream.get_selected_alpn_protocol().is_none()); + assert!(stream.ssl().selected_alpn_protocol().is_none()); } /// Tests that connecting with the client using NPN, but the server not does not @@ -565,7 +565,7 @@ fn test_connect_with_unilateral_npn() { }; // Since the socket to which we connected is not configured to use NPN, // there should be no selected protocol... - assert!(stream.get_selected_npn_protocol().is_none()); + assert!(stream.ssl().selected_npn_protocol().is_none()); } /// Tests that when both the client as well as the server use ALPN and their @@ -581,13 +581,13 @@ fn test_connect_with_alpn_successful_multiple_matching() { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } - let stream = match SslStream::new(&ctx, stream) { + let stream = match SslStream::connect(&ctx, stream) { Ok(stream) => stream, Err(err) => panic!("Expected success, got {:?}", err) }; // The server prefers "http/1.1", so that is chosen, even though the client // would prefer "spdy/3.1" - assert_eq!(b"http/1.1", stream.get_selected_alpn_protocol().unwrap()); + assert_eq!(b"http/1.1", stream.ssl().selected_alpn_protocol().unwrap()); } /// Tests that when both the client as well as the server use NPN and their @@ -609,7 +609,7 @@ fn test_connect_with_npn_successful_multiple_matching() { }; // The server prefers "http/1.1", so that is chosen, even though the client // would prefer "spdy/3.1" - assert_eq!(b"http/1.1", stream.get_selected_npn_protocol().unwrap()); + assert_eq!(b"http/1.1", stream.ssl().selected_npn_protocol().unwrap()); } /// Tests that when both the client as well as the server use ALPN and their @@ -626,13 +626,13 @@ fn test_connect_with_alpn_successful_single_match() { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } - let stream = match SslStream::new(&ctx, stream) { + let stream = match SslStream::connect(&ctx, stream) { Ok(stream) => stream, Err(err) => panic!("Expected success, got {:?}", err) }; // The client now only supports one of the server's protocols, so that one // is used. - assert_eq!(b"spdy/3.1", stream.get_selected_alpn_protocol().unwrap()); + assert_eq!(b"spdy/3.1", stream.ssl().selected_alpn_protocol().unwrap()); } @@ -656,7 +656,7 @@ fn test_connect_with_npn_successful_single_match() { }; // The client now only supports one of the server's protocols, so that one // is used. - assert_eq!(b"spdy/3.1", stream.get_selected_npn_protocol().unwrap()); + assert_eq!(b"spdy/3.1", stream.ssl().selected_npn_protocol().unwrap()); } /// Tests that when the `SslStream` is created as a server stream, the protocols @@ -697,7 +697,7 @@ fn test_npn_server_advertise_multiple() { Err(err) => panic!("Expected success, got {:?}", err) }; // SPDY is selected since that's the only thing the client supports. - assert_eq!(b"spdy/3.1", stream.get_selected_npn_protocol().unwrap()); + assert_eq!(b"spdy/3.1", stream.ssl().selected_npn_protocol().unwrap()); } /// Tests that when the `SslStream` is created as a server stream, the protocols @@ -733,12 +733,12 @@ fn test_alpn_server_advertise_multiple() { } // Now connect to the socket and make sure the protocol negotiation works... let stream = TcpStream::connect(localhost).unwrap(); - let stream = match SslStream::new(&ctx, stream) { + let stream = match SslStream::connect(&ctx, stream) { Ok(stream) => stream, Err(err) => panic!("Expected success, got {:?}", err) }; // SPDY is selected since that's the only thing the client supports. - assert_eq!(b"spdy/3.1", stream.get_selected_alpn_protocol().unwrap()); + assert_eq!(b"spdy/3.1", stream.ssl().selected_alpn_protocol().unwrap()); } /// Test that Servers supporting ALPN don't report a protocol when none of their protocols match @@ -774,13 +774,13 @@ fn test_alpn_server_select_none() { } // Now connect to the socket and make sure the protocol negotiation works... let stream = TcpStream::connect(localhost).unwrap(); - let stream = match SslStream::new(&ctx, stream) { + let stream = match SslStream::connect(&ctx, stream) { Ok(stream) => stream, Err(err) => panic!("Expected success, got {:?}", err) }; // Since the protocols from the server and client don't overlap at all, no protocol is selected - assert_eq!(None, stream.get_selected_alpn_protocol()); + assert_eq!(None, stream.ssl().selected_alpn_protocol()); } From 309b6d9f46c3ae97dfe0e0594e1a098149f0b950 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 9 Nov 2015 20:50:22 -0800 Subject: [PATCH 21/29] Switch to libc 0.2 --- openssl-sys/Cargo.toml | 2 +- openssl/Cargo.toml | 4 ++- openssl/src/ssl/tests/select.rs | 43 +++++++++++---------------------- 3 files changed, 18 insertions(+), 31 deletions(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index dd2704f5..365144c1 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -26,7 +26,7 @@ rfc5114 = [] ecdh_auto = [] [dependencies] -libc = "0.1" +libc = "0.2" [build-dependencies] pkg-config = "0.3" diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index ca7c8a62..a90b11da 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -30,8 +30,10 @@ version = "0.6.7" [dependencies] bitflags = ">= 0.2, < 0.4" lazy_static = "0.1" -libc = "0.1" +libc = "0.2" [dev-dependencies] rustc-serialize = "0.3" net2 = "0.2.16" +winapi = "0.2" +ws2_32-sys = "0.1" diff --git a/openssl/src/ssl/tests/select.rs b/openssl/src/ssl/tests/select.rs index fcdf4004..abdf9339 100644 --- a/openssl/src/ssl/tests/select.rs +++ b/openssl/src/ssl/tests/select.rs @@ -1,31 +1,18 @@ use libc; pub use self::imp::*; -extern "system" { - #[link_name = "select"] - fn raw_select(nfds: libc::c_int, - readfds: *mut fd_set, - writefds: *mut fd_set, - errorfds: *mut fd_set, - timeout: *mut libc::timeval) -> libc::c_int; -} - #[cfg(unix)] mod imp { use std::os::unix::prelude::*; use std::io; use libc; - const FD_SETSIZE: usize = 1024; - - #[repr(C)] - pub struct fd_set { - fds_bits: [u64; FD_SETSIZE / 64] - } + pub use libc::fd_set; pub fn fd_set(set: &mut fd_set, f: &F) { - let fd = f.as_raw_fd() as usize; - set.fds_bits[fd / 64] |= 1 << (fd % 64); + unsafe { + libc::FD_SET(f.as_raw_fd(), set); + } } pub unsafe fn select(max: &F, @@ -38,8 +25,7 @@ mod imp { tv_sec: (timeout_ms / 1000) as libc::time_t, tv_usec: (timeout_ms % 1000 * 1000) as libc::suseconds_t, }; - let rc = super::raw_select(max.as_raw_fd() + 1, read, write, error, - &mut timeout); + let rc = libc::select(max.as_raw_fd() + 1, read, write, error, &mut timeout); if rc < 0 { Err(io::Error::last_os_error()) } else { @@ -50,17 +36,16 @@ mod imp { #[cfg(windows)] mod imp { + extern crate winapi; + extern crate ws2_32; + use std::os::windows::prelude::*; use std::io; - use libc::{SOCKET, c_uint, c_long, timeval}; + use libc::{c_uint, c_long}; + use self::winapi::SOCKET; + use self::winapi::winsock2; - const FD_SETSIZE: usize = 64; - - #[repr(C)] - pub struct fd_set { - fd_count: c_uint, - fd_array: [SOCKET; FD_SETSIZE], - } + pub use self::winapi::winsock2::fd_set; pub fn fd_set(set: &mut fd_set, f: &F) { set.fd_array[set.fd_count as usize] = f.as_raw_socket(); @@ -73,11 +58,11 @@ mod imp { error: *mut fd_set, timeout_ms: u32) -> io::Result { - let mut timeout = timeval { + let mut timeout = winsock2::timeval { tv_sec: (timeout_ms / 1000) as c_long, tv_usec: (timeout_ms % 1000 * 1000) as c_long, }; - let rc = super::raw_select(1, read, write, error, &mut timeout); + let rc = ws2_32::select(1, read, write, error, &mut timeout); if rc < 0 { Err(io::Error::last_os_error()) } else { From b8dc70728fdf303588bf08319709cb33195ec178 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 9 Nov 2015 22:25:55 -0800 Subject: [PATCH 22/29] Set path for travis test --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 43ce2ec6..8c394415 100644 --- a/.travis.yml +++ b/.travis.yml @@ -14,5 +14,5 @@ before_install: - (test $TRAVIS_OS_NAME == "osx" || ./openssl/test/build.sh) script: - (test $TRAVIS_OS_NAME != "osx" || (cd openssl && cargo test)) -- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH cargo test)) +- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH PATH=$HOME/openssl/bin:$PATH cargo test)) - (test $TRAVIS_OS_NAME == "osx" || (cd openssl && OPENSSL_LIB_DIR=$HOME/openssl/lib OPENSSL_INCLUDE_DIR=$HOME/openssl/include LD_LIBRARY_PATH=$HOME/openssl/lib:$LD_LIBRARY_PATH PATH=$HOME/openssl/bin:$PATH cargo test --features "$FEATURES")) From 8139fadbff0c74b5a93c0257eed268f51d516c68 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 10 Nov 2015 09:58:38 -0800 Subject: [PATCH 23/29] Bump ws2_32-sys version --- openssl/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index a90b11da..2b6c6556 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -36,4 +36,4 @@ libc = "0.2" rustc-serialize = "0.3" net2 = "0.2.16" winapi = "0.2" -ws2_32-sys = "0.1" +ws2_32-sys = "0.2" From a8a10e64ad21fe900dbeef220493cc31cbeda48e Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 10 Nov 2015 21:32:19 -0800 Subject: [PATCH 24/29] Split stuff requiring a shim out to a separate crate --- openssl-sys-extras/Cargo.toml | 16 +++ openssl-sys-extras/build.rs | 77 +++++++++++++++ openssl-sys-extras/src/lib.rs | 64 ++++++++++++ .../src/openssl_shim.c | 0 .../src/ssl_options.rs | 0 openssl-sys/Cargo.toml | 1 - openssl-sys/build.rs | 80 +-------------- openssl-sys/src/lib.rs | 99 +++++-------------- openssl/Cargo.toml | 8 +- openssl/src/bio/mod.rs | 5 +- openssl/src/crypto/hmac.rs | 20 ++-- openssl/src/lib.rs | 1 + openssl/src/ssl/mod.rs | 93 ++++++++--------- openssl/src/x509/mod.rs | 3 +- 14 files changed, 249 insertions(+), 218 deletions(-) create mode 100644 openssl-sys-extras/Cargo.toml create mode 100644 openssl-sys-extras/build.rs create mode 100644 openssl-sys-extras/src/lib.rs rename {openssl-sys => openssl-sys-extras}/src/openssl_shim.c (100%) rename {openssl-sys => openssl-sys-extras}/src/ssl_options.rs (100%) diff --git a/openssl-sys-extras/Cargo.toml b/openssl-sys-extras/Cargo.toml new file mode 100644 index 00000000..031b2124 --- /dev/null +++ b/openssl-sys-extras/Cargo.toml @@ -0,0 +1,16 @@ +[package] +name = "openssl-sys-extras" +version = "0.6.7" +authors = ["Steven Fackler "] +links = "openssl_shim" +build = "build.rs" + +[features] +ecdh_auto = [] + +[dependencies] +libc = "0.2" +openssl-sys = { version = "0.6.7", path = "../openssl-sys" } + +[build-dependencies] +gcc = "0.3" diff --git a/openssl-sys-extras/build.rs b/openssl-sys-extras/build.rs new file mode 100644 index 00000000..e3c695b1 --- /dev/null +++ b/openssl-sys-extras/build.rs @@ -0,0 +1,77 @@ +extern crate gcc; + +use std::env; +use std::path::PathBuf; +use std::fs::File; +use std::io::Write as IoWrite; +use std::fmt::Write; + +fn main() { + let options_shim_file = generate_options_shim(); + let mut config = gcc::Config::new(); + + if let Some(paths) = env::var_os("DEP_OPENSSL_INCLUDE") { + for path in env::split_paths(&paths) { + config.include(PathBuf::from(path)); + } + } + + config.file("src/openssl_shim.c") + .file(options_shim_file) + .compile("libopenssl_shim.a"); +} + +macro_rules! import_options { + ( $( $name:ident $val:expr )* ) => { + &[ $( (stringify!($name),$val), )* ] + }; +} + +fn generate_options_shim() -> PathBuf { + let options: &[(&'static str,u64)]=include!("src/ssl_options.rs"); + let mut shim = String::new(); + writeln!(shim,"#include ").unwrap(); + writeln!(shim,"#include ").unwrap(); + + for &(name,value) in options { + writeln!(shim,"#define RUST_{} UINT64_C({})",name,value).unwrap(); + writeln!(shim,"#ifndef {}",name).unwrap(); + writeln!(shim,"# define {} 0",name).unwrap(); + writeln!(shim,"#endif").unwrap(); + } + + writeln!(shim,"#define COPY_MASK ( \\").unwrap(); + + let mut it=options.iter().peekable(); + while let Some(&(name,_))=it.next() { + let eol=match it.peek() { + Some(_) => " | \\", + None => " )" + }; + writeln!(shim," ((RUST_{0}==(uint64_t)(uint32_t){0})?RUST_{0}:UINT64_C(0)){1}",name,eol).unwrap(); + } + + writeln!(shim,"long rust_openssl_ssl_ctx_options_rust_to_c(uint64_t rustval) {{").unwrap(); + writeln!(shim," long cval=rustval©_MASK;").unwrap(); + for &(name,_) in options { + writeln!(shim," if (rustval&RUST_{0}) cval|={0};",name).unwrap(); + } + writeln!(shim," return cval;").unwrap(); + writeln!(shim,"}}").unwrap(); + + writeln!(shim,"uint64_t rust_openssl_ssl_ctx_options_c_to_rust(long cval) {{").unwrap(); + writeln!(shim," uint64_t rustval=cval©_MASK;").unwrap(); + for &(name,_) in options { + writeln!(shim," if (cval&{0}) rustval|=RUST_{0};",name).unwrap(); + } + writeln!(shim," return rustval;").unwrap(); + writeln!(shim,"}}").unwrap(); + + let out_dir = env::var("OUT_DIR").unwrap(); + let dest_file = PathBuf::from(&out_dir).join("ssl_ctx_options_shim.c"); + let mut f = File::create(&dest_file).unwrap(); + + f.write_all(shim.as_bytes()).unwrap(); + + dest_file +} diff --git a/openssl-sys-extras/src/lib.rs b/openssl-sys-extras/src/lib.rs new file mode 100644 index 00000000..c602c514 --- /dev/null +++ b/openssl-sys-extras/src/lib.rs @@ -0,0 +1,64 @@ +#![allow(non_upper_case_globals, non_snake_case)] + +extern crate openssl_sys; +extern crate libc; + +use libc::{c_int, c_uint, c_long, c_char}; +use openssl_sys::{HMAC_CTX, EVP_MD, ENGINE, SSL_CTX, BIO, X509, stack_st_X509_EXTENSION, SSL, DH}; + +macro_rules! import_options { + ( $( $name:ident $val:expr )* ) => { + $( pub const $name: u64 = $val; )* + }; +} + +include!("ssl_options.rs"); + +pub unsafe fn SSL_CTX_set_options(ssl: *mut SSL_CTX, op: u64) -> u64 { + rust_openssl_ssl_ctx_options_c_to_rust(SSL_CTX_set_options_shim(ssl, rust_openssl_ssl_ctx_options_rust_to_c(op))) +} + +pub unsafe fn SSL_CTX_get_options(ssl: *mut SSL_CTX) -> u64 { + rust_openssl_ssl_ctx_options_c_to_rust(SSL_CTX_get_options_shim(ssl)) +} + +pub unsafe fn SSL_CTX_clear_options(ssl: *mut SSL_CTX, op: u64) -> u64 { + rust_openssl_ssl_ctx_options_c_to_rust(SSL_CTX_clear_options_shim(ssl, rust_openssl_ssl_ctx_options_rust_to_c(op))) +} + +extern { + fn rust_openssl_ssl_ctx_options_rust_to_c(rustval: u64) -> c_long; + fn rust_openssl_ssl_ctx_options_c_to_rust(cval: c_long) -> u64; + + // Pre-1.0 versions of these didn't return anything, so the shims bridge that gap + #[cfg_attr(not(target_os = "nacl"), link_name = "HMAC_Init_ex_shim")] + pub fn HMAC_Init_ex(ctx: *mut HMAC_CTX, key: *const u8, keylen: c_int, md: *const EVP_MD, imple: *const ENGINE) -> c_int; + #[cfg_attr(not(target_os = "nacl"), link_name = "HMAC_Final_shim")] + pub fn HMAC_Final(ctx: *mut HMAC_CTX, output: *mut u8, len: *mut c_uint) -> c_int; + #[cfg_attr(not(target_os = "nacl"), link_name = "HMAC_Update_shim")] + pub fn HMAC_Update(ctx: *mut HMAC_CTX, input: *const u8, len: c_uint) -> c_int; + + // These functions are defined in OpenSSL as macros, so we shim them + #[link_name = "BIO_eof_shim"] + pub fn BIO_eof(b: *mut BIO) -> c_int; + #[link_name = "BIO_set_nbio_shim"] + pub fn BIO_set_nbio(b: *mut BIO, enabled: c_long) -> c_long; + #[link_name = "BIO_set_mem_eof_return_shim"] + pub fn BIO_set_mem_eof_return(b: *mut BIO, v: c_int); + pub fn SSL_CTX_set_options_shim(ctx: *mut SSL_CTX, options: c_long) -> c_long; + pub fn SSL_CTX_get_options_shim(ctx: *mut SSL_CTX) -> c_long; + pub fn SSL_CTX_clear_options_shim(ctx: *mut SSL_CTX, options: c_long) -> c_long; + #[link_name = "SSL_CTX_add_extra_chain_cert_shim"] + pub fn SSL_CTX_add_extra_chain_cert(ctx: *mut SSL_CTX, x509: *mut X509) -> c_long; + #[link_name = "SSL_CTX_set_read_ahead_shim"] + pub fn SSL_CTX_set_read_ahead(ctx: *mut SSL_CTX, m: c_long) -> c_long; + #[cfg(feature = "ecdh_auto")] + #[link_name = "SSL_CTX_set_ecdh_auto_shim"] + pub fn SSL_CTX_set_ecdh_auto(ssl: *mut SSL_CTX, onoff: c_int) -> c_int; + #[link_name = "SSL_set_tlsext_host_name_shim"] + pub fn SSL_set_tlsext_host_name(s: *mut SSL, name: *const c_char) -> c_long; + #[link_name = "SSL_CTX_set_tmp_dh_shim"] + pub fn SSL_CTX_set_tmp_dh(s: *mut SSL, dh: *const DH) -> c_long; + #[link_name = "X509_get_extensions_shim"] + pub fn X509_get_extensions(x: *mut X509) -> *mut stack_st_X509_EXTENSION; +} diff --git a/openssl-sys/src/openssl_shim.c b/openssl-sys-extras/src/openssl_shim.c similarity index 100% rename from openssl-sys/src/openssl_shim.c rename to openssl-sys-extras/src/openssl_shim.c diff --git a/openssl-sys/src/ssl_options.rs b/openssl-sys-extras/src/ssl_options.rs similarity index 100% rename from openssl-sys/src/ssl_options.rs rename to openssl-sys-extras/src/ssl_options.rs diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 365144c1..6630b1ce 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -23,7 +23,6 @@ aes_ctr = [] npn = [] alpn = [] rfc5114 = [] -ecdh_auto = [] [dependencies] libc = "0.2" diff --git a/openssl-sys/build.rs b/openssl-sys/build.rs index aa47f2de..bd9611c0 100644 --- a/openssl-sys/build.rs +++ b/openssl-sys/build.rs @@ -2,10 +2,6 @@ extern crate pkg_config; extern crate gcc; use std::env; -use std::fmt::Write as FmtWrite; -use std::path::PathBuf; -use std::fs::File; -use std::io::Write; fn main() { let target = env::var("TARGET").unwrap(); @@ -20,7 +16,8 @@ fn main() { // rustc doesn't seem to work with pkg-config's output in mingw64 if !target.contains("windows") { if let Ok(info) = pkg_config::find_library("openssl") { - build_openssl_shim(&info.include_paths); + let paths = env::join_paths(info.include_paths).unwrap(); + println!("cargo:include={}", paths.to_str().unwrap()); return; } } @@ -59,82 +56,9 @@ fn main() { println!("cargo:rustc-link-lib={}={}", mode, lib); } - let mut include_dirs = vec![]; - if let Some(include_dir) = include_dir { println!("cargo:include={}", include_dir); - include_dirs.push(PathBuf::from(&include_dir)); } - - build_openssl_shim(&include_dirs); -} - -macro_rules! import_options { - ( $( $name:ident $val:expr )* ) => { - &[ $( (stringify!($name),$val), )* ] - }; -} - -fn generate_options_shim() -> PathBuf { - let options: &[(&'static str,u64)]=include!("src/ssl_options.rs"); - let mut shim = String::new(); - writeln!(shim,"#include ").unwrap(); - writeln!(shim,"#include ").unwrap(); - - for &(name,value) in options { - writeln!(shim,"#define RUST_{} UINT64_C({})",name,value).unwrap(); - writeln!(shim,"#ifndef {}",name).unwrap(); - writeln!(shim,"# define {} 0",name).unwrap(); - writeln!(shim,"#endif").unwrap(); - } - - writeln!(shim,"#define COPY_MASK ( \\").unwrap(); - - let mut it=options.iter().peekable(); - while let Some(&(name,_))=it.next() { - let eol=match it.peek() { - Some(_) => " | \\", - None => " )" - }; - writeln!(shim," ((RUST_{0}==(uint64_t)(uint32_t){0})?RUST_{0}:UINT64_C(0)){1}",name,eol).unwrap(); - } - - writeln!(shim,"long rust_openssl_ssl_ctx_options_rust_to_c(uint64_t rustval) {{").unwrap(); - writeln!(shim," long cval=rustval©_MASK;").unwrap(); - for &(name,_) in options { - writeln!(shim," if (rustval&RUST_{0}) cval|={0};",name).unwrap(); - } - writeln!(shim," return cval;").unwrap(); - writeln!(shim,"}}").unwrap(); - - writeln!(shim,"uint64_t rust_openssl_ssl_ctx_options_c_to_rust(long cval) {{").unwrap(); - writeln!(shim," uint64_t rustval=cval©_MASK;").unwrap(); - for &(name,_) in options { - writeln!(shim," if (cval&{0}) rustval|=RUST_{0};",name).unwrap(); - } - writeln!(shim," return rustval;").unwrap(); - writeln!(shim,"}}").unwrap(); - - let out_dir = env::var("OUT_DIR").unwrap(); - let dest_file = PathBuf::from(&out_dir).join("ssl_ctx_options_shim.c"); - let mut f = File::create(&dest_file).unwrap(); - - f.write_all(shim.as_bytes()).unwrap(); - - dest_file -} - -fn build_openssl_shim(include_paths: &[PathBuf]) { - let options_shim_file = generate_options_shim(); - let mut config = gcc::Config::new(); - - for path in include_paths { - config.include(path); - } - - config.file("src/openssl_shim.c") - .file(options_shim_file) - .compile("libopenssl_shim.a"); } fn get_mingw_in_path() -> Option> { diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 2aa36a89..e0964d84 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -159,14 +159,6 @@ pub const SSL_TLSEXT_ERR_ALERT_WARNING: c_int = 1; pub const SSL_TLSEXT_ERR_ALERT_FATAL: c_int = 2; pub const SSL_TLSEXT_ERR_NOACK: c_int = 3; -macro_rules! import_options { - ( $( $name:ident $val:expr )* ) => { - $( pub const $name: u64 = $val; )* - }; -} - -include!("ssl_options.rs"); - #[cfg(any(feature = "npn", feature = "alpn"))] pub const OPENSSL_NPN_UNSUPPORTED: c_int = 0; #[cfg(any(feature = "npn", feature = "alpn"))] @@ -238,16 +230,14 @@ pub const X509_V_OK: c_int = 0; static mut MUTEXES: *mut Vec> = 0 as *mut Vec>; static mut GUARDS: *mut Vec>> = 0 as *mut Vec>>; -extern fn locking_function(mode: c_int, n: c_int, _file: *const c_char, +unsafe extern fn locking_function(mode: c_int, n: c_int, _file: *const c_char, _line: c_int) { - unsafe { - let mutex = &(*MUTEXES)[n as usize]; + let mutex = &(*MUTEXES)[n as usize]; - if mode & CRYPTO_LOCK != 0 { - (*GUARDS)[n as usize] = Some(mutex.lock().unwrap()); - } else { - &(*GUARDS)[n as usize].take(); - } + if mode & CRYPTO_LOCK != 0 { + (*GUARDS)[n as usize] = Some(mutex.lock().unwrap()); + } else { + &(*GUARDS)[n as usize].take(); } } @@ -270,29 +260,27 @@ pub fn init() { GUARDS = mem::transmute(guards); CRYPTO_set_locking_callback(locking_function); - rust_openssl_set_id_callback(); + set_id_callback(); } }) } -pub unsafe fn SSL_CTX_set_options(ssl: *mut SSL_CTX, op: u64) -> u64 { - rust_openssl_ssl_ctx_options_c_to_rust(SSL_CTX_set_options_shim(ssl, rust_openssl_ssl_ctx_options_rust_to_c(op))) +#[cfg(unix)] +fn set_id_callback() { + unsafe extern "C" fn thread_id() -> c_ulong { + libc::pthread_self() as c_ulong + } + + unsafe { + CRYPTO_set_id_callback(thread_id); + } } -pub unsafe fn SSL_CTX_get_options(ssl: *mut SSL_CTX) -> u64 { - rust_openssl_ssl_ctx_options_c_to_rust(SSL_CTX_get_options_shim(ssl)) -} - -pub unsafe fn SSL_CTX_clear_options(ssl: *mut SSL_CTX, op: u64) -> u64 { - rust_openssl_ssl_ctx_options_c_to_rust(SSL_CTX_clear_options_shim(ssl, rust_openssl_ssl_ctx_options_rust_to_c(op))) -} +#[cfg(not(unix))] +fn set_id_callback() {} // True functions extern "C" { - fn rust_openssl_ssl_ctx_options_rust_to_c(rustval: u64) -> c_long; - fn rust_openssl_ssl_ctx_options_c_to_rust(cval: c_long) -> u64; - fn rust_openssl_set_id_callback(); - pub fn ASN1_INTEGER_set(dest: *mut ASN1_INTEGER, value: c_long) -> c_int; pub fn ASN1_STRING_type_new(ty: c_int) -> *mut ASN1_STRING; pub fn ASN1_TIME_free(tm: *mut ASN1_TIME); @@ -375,10 +363,11 @@ extern "C" { pub fn BN_bn2hex(a: *mut BIGNUM) -> *const c_char; pub fn CRYPTO_num_locks() -> c_int; - pub fn CRYPTO_set_locking_callback(func: extern "C" fn(mode: c_int, - n: c_int, - file: *const c_char, - line: c_int)); + pub fn CRYPTO_set_locking_callback(func: unsafe extern "C" fn(mode: c_int, + n: c_int, + file: *const c_char, + line: c_int)); + pub fn CRYPTO_set_id_callback(func: unsafe extern "C" fn() -> c_ulong); pub fn CRYPTO_free(buf: *mut c_void); pub fn CRYPTO_memcmp(a: *const c_void, b: *const c_void, len: size_t) -> c_int; @@ -467,24 +456,6 @@ extern "C" { pub fn HMAC_CTX_cleanup(ctx: *mut HMAC_CTX); pub fn HMAC_CTX_copy(dst: *mut HMAC_CTX, src: *const HMAC_CTX) -> c_int; - // Pre-1.0 versions of these didn't return anything, so the shims bridge that gap - #[cfg_attr(not(target_os = "nacl"), link_name = "HMAC_Init_ex_shim")] - pub fn HMAC_Init_ex(ctx: *mut HMAC_CTX, key: *const u8, keylen: c_int, md: *const EVP_MD, imple: *const ENGINE) -> c_int; - #[cfg_attr(not(target_os = "nacl"), link_name = "HMAC_Final_shim")] - pub fn HMAC_Final(ctx: *mut HMAC_CTX, output: *mut u8, len: *mut c_uint) -> c_int; - #[cfg_attr(not(target_os = "nacl"), link_name = "HMAC_Update_shim")] - pub fn HMAC_Update(ctx: *mut HMAC_CTX, input: *const u8, len: c_uint) -> c_int; - - /// Deprecated - use the non "_shim" version - #[cfg_attr(target_os = "nacl", link_name = "HMAC_Init_ex")] - pub fn HMAC_Init_ex_shim(ctx: *mut HMAC_CTX, key: *const u8, keylen: c_int, md: *const EVP_MD, imple: *const ENGINE) -> c_int; - /// Deprecated - use the non "_shim" version - #[cfg_attr(target_os = "nacl", link_name = "HMAC_Final")] - pub fn HMAC_Final_shim(ctx: *mut HMAC_CTX, output: *mut u8, len: *mut c_uint) -> c_int; - /// Deprecated - use the non "_shim" version - #[cfg_attr(target_os = "nacl", link_name = "HMAC_Update")] - pub fn HMAC_Update_shim(ctx: *mut HMAC_CTX, input: *const u8, len: c_uint) -> c_int; - pub fn PEM_read_bio_DHparams(bio: *mut BIO, out: *mut *mut DH, callback: Option, user_data: *mut c_void) -> *mut DH; pub fn PEM_read_bio_X509(bio: *mut BIO, out: *mut *mut X509, callback: Option, @@ -678,30 +649,6 @@ extern "C" { pub fn d2i_RSA_PUBKEY(k: *const *mut RSA, buf: *const *const u8, len: c_uint) -> *mut RSA; pub fn i2d_RSAPrivateKey(k: *mut RSA, buf: *const *mut u8) -> c_int; pub fn d2i_RSAPrivateKey(k: *const *mut RSA, buf: *const *const u8, len: c_uint) -> *mut RSA; - - // These functions are defined in OpenSSL as macros, so we shim them - #[link_name = "BIO_eof_shim"] - pub fn BIO_eof(b: *mut BIO) -> c_int; - #[link_name = "BIO_set_nbio_shim"] - pub fn BIO_set_nbio(b: *mut BIO, enabled: c_long) -> c_long; - #[link_name = "BIO_set_mem_eof_return_shim"] - pub fn BIO_set_mem_eof_return(b: *mut BIO, v: c_int); - pub fn SSL_CTX_set_options_shim(ctx: *mut SSL_CTX, options: c_long) -> c_long; - pub fn SSL_CTX_get_options_shim(ctx: *mut SSL_CTX) -> c_long; - pub fn SSL_CTX_clear_options_shim(ctx: *mut SSL_CTX, options: c_long) -> c_long; - #[link_name = "SSL_CTX_add_extra_chain_cert_shim"] - pub fn SSL_CTX_add_extra_chain_cert(ctx: *mut SSL_CTX, x509: *mut X509) -> c_long; - #[link_name = "SSL_CTX_set_read_ahead_shim"] - pub fn SSL_CTX_set_read_ahead(ctx: *mut SSL_CTX, m: c_long) -> c_long; - #[cfg(feature = "ecdh_auto")] - #[link_name = "SSL_CTX_set_ecdh_auto_shim"] - pub fn SSL_CTX_set_ecdh_auto(ssl: *mut SSL_CTX, onoff: c_int) -> c_int; - #[link_name = "SSL_set_tlsext_host_name_shim"] - pub fn SSL_set_tlsext_host_name(s: *mut SSL, name: *const c_char) -> c_long; - #[link_name = "SSL_CTX_set_tmp_dh_shim"] - pub fn SSL_CTX_set_tmp_dh(s: *mut SSL, dh: *const DH) -> c_long; - #[link_name = "X509_get_extensions_shim"] - pub fn X509_get_extensions(x: *mut X509) -> *mut stack_st_X509_EXTENSION; } pub mod probe; diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 2b6c6556..2469fe40 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -21,16 +21,14 @@ aes_ctr = ["openssl-sys/aes_ctr"] npn = ["openssl-sys/npn"] alpn = ["openssl-sys/alpn"] rfc5114 = ["openssl-sys/rfc5114"] -ecdh_auto = ["openssl-sys/ecdh_auto"] - -[dependencies.openssl-sys] -path = "../openssl-sys" -version = "0.6.7" +ecdh_auto = ["openssl-sys-extras/ecdh_auto"] [dependencies] bitflags = ">= 0.2, < 0.4" lazy_static = "0.1" libc = "0.2" +openssl-sys = { version = "0.6.7", path = "../openssl-sys" } +openssl-sys-extras = { version = "0.6.7", path = "../openssl-sys-extras" } [dev-dependencies] rustc-serialize = "0.3" diff --git a/openssl/src/bio/mod.rs b/openssl/src/bio/mod.rs index 7eea16d8..a0c4b533 100644 --- a/openssl/src/bio/mod.rs +++ b/openssl/src/bio/mod.rs @@ -5,6 +5,7 @@ use std::ptr; use std::cmp; use ffi; +use ffi_extras; use ssl::error::{SslError}; pub struct MemBio { @@ -60,7 +61,7 @@ impl MemBio { /// Sets the BIO's EOF state. pub fn set_eof(&self, eof: bool) { let v = if eof { 0 } else { -1 }; - unsafe { ffi::BIO_set_mem_eof_return(self.bio, v); } + unsafe { ffi_extras::BIO_set_mem_eof_return(self.bio, v); } } } @@ -72,7 +73,7 @@ impl Read for MemBio { }; if ret <= 0 { - let is_eof = unsafe { ffi::BIO_eof(self.bio) }; + let is_eof = unsafe { ffi_extras::BIO_eof(self.bio) }; if is_eof != 0 { Ok(0) } else { diff --git a/openssl/src/crypto/hmac.rs b/openssl/src/crypto/hmac.rs index 5c9f7576..474cbc8a 100644 --- a/openssl/src/crypto/hmac.rs +++ b/openssl/src/crypto/hmac.rs @@ -21,6 +21,7 @@ use std::io::prelude::*; use crypto::hash::Type; use ffi; +use ffi_extras; #[derive(PartialEq, Copy, Clone)] enum State { @@ -88,9 +89,10 @@ impl HMAC { #[inline] fn init_once(&mut self, md: *const ffi::EVP_MD, key: &[u8]) { unsafe { - let r = ffi::HMAC_Init_ex(&mut self.ctx, - key.as_ptr(), key.len() as c_int, - md, 0 as *const _); + let r = ffi_extras::HMAC_Init_ex(&mut self.ctx, + key.as_ptr(), + key.len() as c_int, + md, 0 as *const _); assert_eq!(r, 1); } self.state = Reset; @@ -106,9 +108,9 @@ impl HMAC { // If the key and/or md is not supplied it's reused from the last time // avoiding redundant initializations unsafe { - let r = ffi::HMAC_Init_ex(&mut self.ctx, - 0 as *const _, 0, - 0 as *const _, 0 as *const _); + let r = ffi_extras::HMAC_Init_ex(&mut self.ctx, + 0 as *const _, 0, + 0 as *const _, 0 as *const _); assert_eq!(r, 1); } self.state = Reset; @@ -120,7 +122,7 @@ impl HMAC { self.init(); } unsafe { - let r = ffi::HMAC_Update(&mut self.ctx, data.as_ptr(), data.len() as c_uint); + let r = ffi_extras::HMAC_Update(&mut self.ctx, data.as_ptr(), data.len() as c_uint); assert_eq!(r, 1); } self.state = Updated; @@ -135,7 +137,7 @@ impl HMAC { let mut res: Vec = repeat(0).take(md_len).collect(); unsafe { let mut len = 0; - let r = ffi::HMAC_Final(&mut self.ctx, res.as_mut_ptr(), &mut len); + let r = ffi_extras::HMAC_Final(&mut self.ctx, res.as_mut_ptr(), &mut len); self.state = Finalized; assert_eq!(len as usize, md_len); assert_eq!(r, 1); @@ -181,7 +183,7 @@ impl Drop for HMAC { if self.state != Finalized { let mut buf: Vec = repeat(0).take(self.type_.md_len()).collect(); let mut len = 0; - ffi::HMAC_Final(&mut self.ctx, buf.as_mut_ptr(), &mut len); + ffi_extras::HMAC_Final(&mut self.ctx, buf.as_mut_ptr(), &mut len); } ffi::HMAC_CTX_cleanup(&mut self.ctx); } diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index c7af3113..2fedd28f 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -6,6 +6,7 @@ extern crate libc; #[macro_use] extern crate lazy_static; extern crate openssl_sys as ffi; +extern crate openssl_sys_extras as ffi_extras; #[cfg(test)] extern crate rustc_serialize as serialize; diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 735255e4..23364ef1 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -21,6 +21,7 @@ use std::slice; use bio::{MemBio}; use ffi; +use ffi_extras; use dh::DH; use ssl::error::{NonblockingSslError, SslError, SslSessionClosed, StreamError, OpenSslErrors}; use x509::{X509StoreContext, X509FileType, X509}; @@ -51,43 +52,43 @@ pub fn init() { bitflags! { flags SslContextOptions: u64 { - const SSL_OP_MICROSOFT_SESS_ID_BUG = ffi::SSL_OP_MICROSOFT_SESS_ID_BUG, - const SSL_OP_NETSCAPE_CHALLENGE_BUG = ffi::SSL_OP_NETSCAPE_CHALLENGE_BUG, - const SSL_OP_LEGACY_SERVER_CONNECT = ffi::SSL_OP_LEGACY_SERVER_CONNECT, - const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = ffi::SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, - const SSL_OP_TLSEXT_PADDING = ffi::SSL_OP_TLSEXT_PADDING, - const SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = ffi::SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER, - const SSL_OP_SAFARI_ECDHE_ECDSA_BUG = ffi::SSL_OP_SAFARI_ECDHE_ECDSA_BUG, - const SSL_OP_SSLEAY_080_CLIENT_DH_BUG = ffi::SSL_OP_SSLEAY_080_CLIENT_DH_BUG, - const SSL_OP_TLS_D5_BUG = ffi::SSL_OP_TLS_D5_BUG, - const SSL_OP_TLS_BLOCK_PADDING_BUG = ffi::SSL_OP_TLS_BLOCK_PADDING_BUG, - const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = ffi::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, - const SSL_OP_NO_QUERY_MTU = ffi::SSL_OP_NO_QUERY_MTU, - const SSL_OP_COOKIE_EXCHANGE = ffi::SSL_OP_COOKIE_EXCHANGE, - const SSL_OP_NO_TICKET = ffi::SSL_OP_NO_TICKET, - const SSL_OP_CISCO_ANYCONNECT = ffi::SSL_OP_CISCO_ANYCONNECT, - const SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = ffi::SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, - const SSL_OP_NO_COMPRESSION = ffi::SSL_OP_NO_COMPRESSION, - const SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = ffi::SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, - const SSL_OP_SINGLE_ECDH_USE = ffi::SSL_OP_SINGLE_ECDH_USE, - const SSL_OP_SINGLE_DH_USE = ffi::SSL_OP_SINGLE_DH_USE, - const SSL_OP_CIPHER_SERVER_PREFERENCE = ffi::SSL_OP_CIPHER_SERVER_PREFERENCE, - const SSL_OP_TLS_ROLLBACK_BUG = ffi::SSL_OP_TLS_ROLLBACK_BUG, - const SSL_OP_NO_SSLV2 = ffi::SSL_OP_NO_SSLv2, - const SSL_OP_NO_SSLV3 = ffi::SSL_OP_NO_SSLv3, - const SSL_OP_NO_DTLSV1 = ffi::SSL_OP_NO_DTLSv1, - const SSL_OP_NO_TLSV1 = ffi::SSL_OP_NO_TLSv1, - const SSL_OP_NO_DTLSV1_2 = ffi::SSL_OP_NO_DTLSv1_2, - const SSL_OP_NO_TLSV1_2 = ffi::SSL_OP_NO_TLSv1_2, - const SSL_OP_NO_TLSV1_1 = ffi::SSL_OP_NO_TLSv1_1, - const SSL_OP_NETSCAPE_CA_DN_BUG = ffi::SSL_OP_NETSCAPE_CA_DN_BUG, - const SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = ffi::SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG, - const SSL_OP_CRYPTOPRO_TLSEXT_BUG = ffi::SSL_OP_CRYPTOPRO_TLSEXT_BUG, - const SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = ffi::SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG, - const SSL_OP_MSIE_SSLV2_RSA_PADDING = ffi::SSL_OP_MSIE_SSLV2_RSA_PADDING, - const SSL_OP_PKCS1_CHECK_1 = ffi::SSL_OP_PKCS1_CHECK_1, - const SSL_OP_PKCS1_CHECK_2 = ffi::SSL_OP_PKCS1_CHECK_2, - const SSL_OP_EPHEMERAL_RSA = ffi::SSL_OP_EPHEMERAL_RSA, + const SSL_OP_MICROSOFT_SESS_ID_BUG = ffi_extras::SSL_OP_MICROSOFT_SESS_ID_BUG, + const SSL_OP_NETSCAPE_CHALLENGE_BUG = ffi_extras::SSL_OP_NETSCAPE_CHALLENGE_BUG, + const SSL_OP_LEGACY_SERVER_CONNECT = ffi_extras::SSL_OP_LEGACY_SERVER_CONNECT, + const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = ffi_extras::SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, + const SSL_OP_TLSEXT_PADDING = ffi_extras::SSL_OP_TLSEXT_PADDING, + const SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = ffi_extras::SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER, + const SSL_OP_SAFARI_ECDHE_ECDSA_BUG = ffi_extras::SSL_OP_SAFARI_ECDHE_ECDSA_BUG, + const SSL_OP_SSLEAY_080_CLIENT_DH_BUG = ffi_extras::SSL_OP_SSLEAY_080_CLIENT_DH_BUG, + const SSL_OP_TLS_D5_BUG = ffi_extras::SSL_OP_TLS_D5_BUG, + const SSL_OP_TLS_BLOCK_PADDING_BUG = ffi_extras::SSL_OP_TLS_BLOCK_PADDING_BUG, + const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = ffi_extras::SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, + const SSL_OP_NO_QUERY_MTU = ffi_extras::SSL_OP_NO_QUERY_MTU, + const SSL_OP_COOKIE_EXCHANGE = ffi_extras::SSL_OP_COOKIE_EXCHANGE, + const SSL_OP_NO_TICKET = ffi_extras::SSL_OP_NO_TICKET, + const SSL_OP_CISCO_ANYCONNECT = ffi_extras::SSL_OP_CISCO_ANYCONNECT, + const SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = ffi_extras::SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, + const SSL_OP_NO_COMPRESSION = ffi_extras::SSL_OP_NO_COMPRESSION, + const SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = ffi_extras::SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, + const SSL_OP_SINGLE_ECDH_USE = ffi_extras::SSL_OP_SINGLE_ECDH_USE, + const SSL_OP_SINGLE_DH_USE = ffi_extras::SSL_OP_SINGLE_DH_USE, + const SSL_OP_CIPHER_SERVER_PREFERENCE = ffi_extras::SSL_OP_CIPHER_SERVER_PREFERENCE, + const SSL_OP_TLS_ROLLBACK_BUG = ffi_extras::SSL_OP_TLS_ROLLBACK_BUG, + const SSL_OP_NO_SSLV2 = ffi_extras::SSL_OP_NO_SSLv2, + const SSL_OP_NO_SSLV3 = ffi_extras::SSL_OP_NO_SSLv3, + const SSL_OP_NO_DTLSV1 = ffi_extras::SSL_OP_NO_DTLSv1, + const SSL_OP_NO_TLSV1 = ffi_extras::SSL_OP_NO_TLSv1, + const SSL_OP_NO_DTLSV1_2 = ffi_extras::SSL_OP_NO_DTLSv1_2, + const SSL_OP_NO_TLSV1_2 = ffi_extras::SSL_OP_NO_TLSv1_2, + const SSL_OP_NO_TLSV1_1 = ffi_extras::SSL_OP_NO_TLSv1_1, + const SSL_OP_NETSCAPE_CA_DN_BUG = ffi_extras::SSL_OP_NETSCAPE_CA_DN_BUG, + const SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = ffi_extras::SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG, + const SSL_OP_CRYPTOPRO_TLSEXT_BUG = ffi_extras::SSL_OP_CRYPTOPRO_TLSEXT_BUG, + const SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = ffi_extras::SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG, + const SSL_OP_MSIE_SSLV2_RSA_PADDING = ffi_extras::SSL_OP_MSIE_SSLV2_RSA_PADDING, + const SSL_OP_PKCS1_CHECK_1 = ffi_extras::SSL_OP_PKCS1_CHECK_1, + const SSL_OP_PKCS1_CHECK_2 = ffi_extras::SSL_OP_PKCS1_CHECK_2, + const SSL_OP_EPHEMERAL_RSA = ffi_extras::SSL_OP_EPHEMERAL_RSA, const SSL_OP_ALL = SSL_OP_MICROSOFT_SESS_ID_BUG.bits|SSL_OP_NETSCAPE_CHALLENGE_BUG.bits |SSL_OP_LEGACY_SERVER_CONNECT.bits|SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG.bits |SSL_OP_TLSEXT_PADDING.bits|SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER.bits @@ -493,13 +494,13 @@ impl SslContext { pub fn set_read_ahead(&self, m: u32) { unsafe { - ffi::SSL_CTX_set_read_ahead(self.ctx, m as c_long); + ffi_extras::SSL_CTX_set_read_ahead(self.ctx, m as c_long); } } pub fn set_tmp_dh(&self, dh: DH) -> Result<(),SslError> { wrap_ssl_result(unsafe { - ffi::SSL_CTX_set_tmp_dh(self.ctx, dh.raw()) as i32 + ffi_extras::SSL_CTX_set_tmp_dh(self.ctx, dh.raw()) as i32 }) } @@ -546,7 +547,7 @@ impl SslContext { pub fn add_extra_chain_cert(&mut self, cert: &X509) -> Result<(),SslError> { wrap_ssl_result( unsafe { - ffi::SSL_CTX_add_extra_chain_cert(self.ctx, cert.get_handle()) as c_int + ffi_extras::SSL_CTX_add_extra_chain_cert(self.ctx, cert.get_handle()) as c_int }) } @@ -592,21 +593,21 @@ impl SslContext { pub fn set_ecdh_auto(&mut self, onoff: bool) -> Result<(),SslError> { wrap_ssl_result( unsafe { - ffi::SSL_CTX_set_ecdh_auto(self.ctx, onoff as c_int) + ffi_extras::SSL_CTX_set_ecdh_auto(self.ctx, onoff as c_int) }) } pub fn set_options(&mut self, option: SslContextOptions) -> SslContextOptions { let raw_bits = option.bits(); let ret = unsafe { - ffi::SSL_CTX_set_options(self.ctx, raw_bits) + ffi_extras::SSL_CTX_set_options(self.ctx, raw_bits) }; SslContextOptions::from_bits(ret).unwrap() } pub fn get_options(&mut self) -> SslContextOptions { let ret = unsafe { - ffi::SSL_CTX_get_options(self.ctx) + ffi_extras::SSL_CTX_get_options(self.ctx) }; SslContextOptions::from_bits(ret).unwrap() } @@ -614,7 +615,7 @@ impl SslContext { pub fn clear_options(&mut self, option: SslContextOptions) -> SslContextOptions { let raw_bits = option.bits(); let ret = unsafe { - ffi::SSL_CTX_clear_options(self.ctx, raw_bits) + ffi_extras::SSL_CTX_clear_options(self.ctx, raw_bits) }; SslContextOptions::from_bits(ret).unwrap() } @@ -785,7 +786,7 @@ impl Ssl { /// Sets the host name to be used with SNI (Server Name Indication). pub fn set_hostname(&self, hostname: &str) -> Result<(), SslError> { let cstr = CString::new(hostname).unwrap(); - let ret = unsafe { ffi::SSL_set_tlsext_host_name(self.ssl, cstr.as_ptr()) }; + let ret = unsafe { ffi_extras::SSL_set_tlsext_host_name(self.ssl, cstr.as_ptr()) }; // For this case, 0 indicates failure. if ret == 0 { @@ -1435,7 +1436,7 @@ impl NonblockingSslStream { fn new_base(ssl: Ssl, stream: S, sock: c_int) -> Result, SslError> { unsafe { let bio = try_ssl_null!(ffi::BIO_new_socket(sock, 0)); - ffi::BIO_set_nbio(bio, 1); + ffi_extras::BIO_set_nbio(bio, 1); ffi::SSL_set_bio(ssl.ssl, bio, bio); } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 91daa66a..8148749a 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -18,6 +18,7 @@ use crypto::hash::Type as HashType; use crypto::pkey::{PKey,Parts}; use crypto::rand::rand_bytes; use ffi; +use ffi_extras; use ssl::error::{SslError, StreamError}; use nid; @@ -400,7 +401,7 @@ impl X509Generator { let req = ffi::X509_to_X509_REQ(cert.handle, ptr::null_mut(), ptr::null()); try_ssl_null!(req); - let exts = ffi::X509_get_extensions(cert.handle); + let exts = ffi_extras::X509_get_extensions(cert.handle); if exts != ptr::null_mut() { try_ssl!(ffi::X509_REQ_add_extensions(req,exts)); } From f36f610d079df6053bedec8b00d7c3bdb376815d Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Wed, 11 Nov 2015 22:35:11 -0800 Subject: [PATCH 25/29] Move HMAC_CTX_copy to sys-extras --- openssl-sys-extras/src/lib.rs | 3 +++ openssl-sys/src/lib.rs | 1 - openssl/src/crypto/hmac.rs | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/openssl-sys-extras/src/lib.rs b/openssl-sys-extras/src/lib.rs index c602c514..bd3598eb 100644 --- a/openssl-sys-extras/src/lib.rs +++ b/openssl-sys-extras/src/lib.rs @@ -38,6 +38,9 @@ extern { #[cfg_attr(not(target_os = "nacl"), link_name = "HMAC_Update_shim")] pub fn HMAC_Update(ctx: *mut HMAC_CTX, input: *const u8, len: c_uint) -> c_int; + // This isn't defined in < 1.0 so we copy the implementation there + pub fn HMAC_CTX_copy(dst: *mut HMAC_CTX, src: *const HMAC_CTX) -> c_int; + // These functions are defined in OpenSSL as macros, so we shim them #[link_name = "BIO_eof_shim"] pub fn BIO_eof(b: *mut BIO) -> c_int; diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index e0964d84..674b303f 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -454,7 +454,6 @@ extern "C" { pub fn HMAC_CTX_init(ctx: *mut HMAC_CTX); pub fn HMAC_CTX_cleanup(ctx: *mut HMAC_CTX); - pub fn HMAC_CTX_copy(dst: *mut HMAC_CTX, src: *const HMAC_CTX) -> c_int; pub fn PEM_read_bio_DHparams(bio: *mut BIO, out: *mut *mut DH, callback: Option, user_data: *mut c_void) -> *mut DH; diff --git a/openssl/src/crypto/hmac.rs b/openssl/src/crypto/hmac.rs index 474cbc8a..2c329c1b 100644 --- a/openssl/src/crypto/hmac.rs +++ b/openssl/src/crypto/hmac.rs @@ -170,7 +170,7 @@ impl Clone for HMAC { let mut ctx: ffi::HMAC_CTX; unsafe { ctx = ::std::mem::uninitialized(); - let r = ffi::HMAC_CTX_copy(&mut ctx, &self.ctx); + let r = ffi_extras::HMAC_CTX_copy(&mut ctx, &self.ctx); assert_eq!(r, 1); } HMAC { ctx: ctx, type_: self.type_, state: self.state } From 1bc96a5b3dce5de6a161a0f04cb38d3b81e8615e Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 16 Nov 2015 20:44:38 -0800 Subject: [PATCH 26/29] Remove deprecated X509 methods --- openssl/src/x509/mod.rs | 41 ++++------------------------------------- 1 file changed, 4 insertions(+), 37 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 8148749a..5574077a 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -103,10 +103,6 @@ impl X509StoreContext { } } -// Backwards-compatibility -pub use self::extension::KeyUsageOption as KeyUsage; -pub use self::extension::ExtKeyUsageOption as ExtKeyUsage; - #[allow(non_snake_case)] /// Generator of private key/certificate pairs /// @@ -121,14 +117,15 @@ pub use self::extension::ExtKeyUsageOption as ExtKeyUsage; /// use std::path::Path; /// /// use openssl::crypto::hash::Type; -/// use openssl::x509::{KeyUsage, X509Generator}; +/// use openssl::x509::X509Generator; +/// use openssl::x509::extension::{Extension, KeyUsageOption}; /// /// let gen = X509Generator::new() /// .set_bitlength(2048) /// .set_valid_period(365*2) -/// .set_CN("SuperMegaCorp Inc.") +/// .add_name("CN".to_owned(), "SuperMegaCorp Inc.".to_owned()) /// .set_sign_hash(Type::SHA256) -/// .set_usage(&[KeyUsage::DigitalSignature]); +/// .add_extension(Extension::KeyUsage(vec![KeyUsageOption::DigitalSignature])); /// /// let (cert, pkey) = gen.generate().unwrap(); /// @@ -184,22 +181,6 @@ impl X509Generator { self } - #[allow(non_snake_case)] - /// (deprecated) Sets Common Name of certificate - /// - /// This function is deprecated, use `X509Generator.add_name` instead. - /// Don't use this function AND the `add_name` method - pub fn set_CN(mut self, CN: &str) -> X509Generator { - match self.names.get_mut(0) { - Some(&mut(_,ref mut val)) => *val=CN.to_string(), - _ => {} /* would move push here, but borrow checker won't let me */ - } - if self.names.len()==0 { - self.names.push(("CN".to_string(),CN.to_string())); - } - self - } - /// Add attribute to the name of the certificate /// /// ``` @@ -223,20 +204,6 @@ impl X509Generator { self } - /// (deprecated) Sets what for certificate could be used - /// - /// This function is deprecated, use `X509Generator.add_extension` instead. - pub fn set_usage(self, purposes: &[KeyUsage]) -> X509Generator { - self.add_extension(Extension::KeyUsage(purposes.to_owned())) - } - - /// (deprecated) Sets allowed extended usage of certificate - /// - /// This function is deprecated, use `X509Generator.add_extension` instead. - pub fn set_ext_usage(self, purposes: &[ExtKeyUsage]) -> X509Generator { - self.add_extension(Extension::ExtKeyUsage(purposes.to_owned())) - } - /// Add an extension to a certificate /// /// If the extension already exists, it will be replaced. From be7171ee10bbdbfa005ca4ae4f6ec87c05f82c25 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 16 Nov 2015 21:02:23 -0800 Subject: [PATCH 27/29] Don't depend on wildcard windows deps --- openssl-sys/Cargo.toml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index ebcddfc6..fea58bc5 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -39,15 +39,16 @@ libressl-pnacl-sys = "2.1.0" libressl-pnacl-sys = "2.1.0" [target.arm-unknown-nacl.dependencies] libressl-pnacl-sys = "2.1.0" + [target.i686-pc-windows-gnu] -user32-sys = "*" -gdi32-sys = "*" +user32-sys = "0.1" +gdi32-sys = "0.1" [target.x86_64-pc-windows-gnu] -user32-sys = "*" -gdi32-sys = "*" +user32-sys = "0.1" +gdi32-sys = "0.1" [target.i686-pc-windows-msvc] -user32-sys = "*" -gdi32-sys = "*" +user32-sys = "0.1" +gdi32-sys = "0.1" [target.x86_64-pc-windows-msvc] -user32-sys = "*" -gdi32-sys = "*" +user32-sys = "0.1" +gdi32-sys = "0.1" From 9ebf0944377dec81fff25b9942e4ab9bfe67cfb0 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 16 Nov 2015 21:03:34 -0800 Subject: [PATCH 28/29] Mention why the windows deps are there --- openssl-sys/Cargo.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index fea58bc5..6bfabc4e 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -40,6 +40,7 @@ libressl-pnacl-sys = "2.1.0" [target.arm-unknown-nacl.dependencies] libressl-pnacl-sys = "2.1.0" +# Only here to make sure we link to these in a static build on Windows [target.i686-pc-windows-gnu] user32-sys = "0.1" gdi32-sys = "0.1" From 82547f53d7946bb1d85ca0793d92873328a7632c Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 16 Nov 2015 20:39:20 -0800 Subject: [PATCH 29/29] Release v0.7.0 --- README.md | 2 +- openssl-sys-extras/Cargo.toml | 9 +++++++-- openssl-sys-extras/src/lib.rs | 1 + openssl-sys/Cargo.toml | 4 ++-- openssl-sys/src/lib.rs | 2 +- openssl/Cargo.toml | 8 ++++---- openssl/src/lib.rs | 2 +- 7 files changed, 17 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index aeb1d42c..4820d986 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [![Build Status](https://travis-ci.org/sfackler/rust-openssl.svg?branch=master)](https://travis-ci.org/sfackler/rust-openssl) -[Documentation](https://sfackler.github.io/rust-openssl/doc/v0.6.7/openssl). +[Documentation](https://sfackler.github.io/rust-openssl/doc/v0.7.0/openssl). ## Building diff --git a/openssl-sys-extras/Cargo.toml b/openssl-sys-extras/Cargo.toml index 031b2124..a7f58f3c 100644 --- a/openssl-sys-extras/Cargo.toml +++ b/openssl-sys-extras/Cargo.toml @@ -1,7 +1,12 @@ [package] name = "openssl-sys-extras" -version = "0.6.7" +version = "0.7.0" authors = ["Steven Fackler "] +license = "MIT" +description = "Extra FFI bindings to OpenSSL that require a C shim" +repository = "https://github.com/sfackler/rust-openssl" +documentation = "https://sfackler.github.io/rust-openssl/doc/v0.7.0/openssl_sys_extras" + links = "openssl_shim" build = "build.rs" @@ -10,7 +15,7 @@ ecdh_auto = [] [dependencies] libc = "0.2" -openssl-sys = { version = "0.6.7", path = "../openssl-sys" } +openssl-sys = { version = "0.7", path = "../openssl-sys" } [build-dependencies] gcc = "0.3" diff --git a/openssl-sys-extras/src/lib.rs b/openssl-sys-extras/src/lib.rs index bd3598eb..a768f436 100644 --- a/openssl-sys-extras/src/lib.rs +++ b/openssl-sys-extras/src/lib.rs @@ -1,4 +1,5 @@ #![allow(non_upper_case_globals, non_snake_case)] +#![doc(html_root_url="https://sfackler.github.io/rust-openssl/doc/v0.7.0")] extern crate openssl_sys; extern crate libc; diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 6bfabc4e..6d625e7a 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -1,12 +1,12 @@ [package] name = "openssl-sys" -version = "0.6.7" +version = "0.7.0" authors = ["Alex Crichton ", "Steven Fackler "] license = "MIT" description = "FFI bindings to OpenSSL" repository = "https://github.com/sfackler/rust-openssl" -documentation = "https://sfackler.github.io/rust-openssl/doc/v0.6.7/openssl_sys" +documentation = "https://sfackler.github.io/rust-openssl/doc/v0.7.0/openssl_sys" links = "openssl" build = "build.rs" diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 674b303f..018f8bca 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1,6 +1,6 @@ #![allow(non_camel_case_types, non_upper_case_globals, non_snake_case)] #![allow(dead_code)] -#![doc(html_root_url="https://sfackler.github.io/rust-openssl/doc/v0.6.7")] +#![doc(html_root_url="https://sfackler.github.io/rust-openssl/doc/v0.7.0")] extern crate libc; diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 2469fe40..7cc29a1f 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -1,11 +1,11 @@ [package] name = "openssl" -version = "0.6.7" +version = "0.7.0" authors = ["Steven Fackler "] license = "Apache-2.0" description = "OpenSSL bindings" repository = "https://github.com/sfackler/rust-openssl" -documentation = "https://sfackler.github.io/rust-openssl/doc/v0.6.7/openssl" +documentation = "https://sfackler.github.io/rust-openssl/doc/v0.7.0/openssl" readme = "../README.md" keywords = ["crypto", "tls", "ssl", "dtls"] @@ -27,8 +27,8 @@ ecdh_auto = ["openssl-sys-extras/ecdh_auto"] bitflags = ">= 0.2, < 0.4" lazy_static = "0.1" libc = "0.2" -openssl-sys = { version = "0.6.7", path = "../openssl-sys" } -openssl-sys-extras = { version = "0.6.7", path = "../openssl-sys-extras" } +openssl-sys = { version = "0.7", path = "../openssl-sys" } +openssl-sys-extras = { version = "0.7", path = "../openssl-sys-extras" } [dev-dependencies] rustc-serialize = "0.3" diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 2fedd28f..66ce1894 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -1,4 +1,4 @@ -#![doc(html_root_url="https://sfackler.github.io/rust-openssl/doc/v0.6.7")] +#![doc(html_root_url="https://sfackler.github.io/rust-openssl/doc/v0.7.0")] #[macro_use] extern crate bitflags;