diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 2eef0741..5a09eae1 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1219,6 +1219,12 @@ pub const RSA_PKCS1_PSS_PADDING: c_int = 6; pub const SHA_LBLOCK: c_int = 16; +pub const SSL3_AD_ILLEGAL_PARAMETER: c_int = 47; +pub const SSL_AD_ILLEGAL_PARAMETER: c_int = SSL3_AD_ILLEGAL_PARAMETER; + +pub const TLS1_AD_DECODE_ERROR: c_int = 50; +pub const SSL_AD_DECODE_ERROR: c_int = TLS1_AD_DECODE_ERROR; + pub const TLS1_AD_UNRECOGNIZED_NAME: c_int = 112; pub const SSL_AD_UNRECOGNIZED_NAME: c_int = TLS1_AD_UNRECOGNIZED_NAME; diff --git a/openssl-sys/src/ossl10x.rs b/openssl-sys/src/ossl10x.rs index 09185160..9b79fb57 100644 --- a/openssl-sys/src/ossl10x.rs +++ b/openssl-sys/src/ossl10x.rs @@ -975,4 +975,7 @@ extern "C" { pub fn SSLeay() -> c_ulong; pub fn SSLeay_version(key: c_int) -> *const c_char; + + #[cfg(ossl102)] + pub fn SSL_extension_supported(ext_type: c_uint) -> c_int; } diff --git a/openssl-sys/src/ossl110.rs b/openssl-sys/src/ossl110.rs index 1902af75..580c3f72 100644 --- a/openssl-sys/src/ossl110.rs +++ b/openssl-sys/src/ossl110.rs @@ -364,7 +364,7 @@ extern "C" { ) -> *mut PKCS12; pub fn X509_REQ_get_version(req: *const X509_REQ) -> c_long; pub fn X509_REQ_get_subject_name(req: *const X509_REQ) -> *mut ::X509_NAME; - + pub fn SSL_extension_supported(ext_type: c_uint) -> c_int; pub fn ECDSA_SIG_get0(sig: *const ECDSA_SIG, pr: *mut *const BIGNUM, ps: *mut *const BIGNUM); pub fn ECDSA_SIG_set0(sig: *mut ECDSA_SIG, pr: *mut BIGNUM, ps: *mut BIGNUM) -> c_int; } diff --git a/openssl-sys/src/ossl111.rs b/openssl-sys/src/ossl111.rs index 27bc4b54..cca06fda 100644 --- a/openssl-sys/src/ossl111.rs +++ b/openssl-sys/src/ossl111.rs @@ -1,15 +1,67 @@ -use libc::{c_char, c_int, c_ulong}; +use libc::{c_char, c_uchar, c_int, c_uint, c_ulong, size_t, c_void}; pub type SSL_CTX_keylog_cb_func = Option; +pub type SSL_custom_ext_add_cb_ex = + Option c_int>; + +pub type SSL_custom_ext_free_cb_ex = + Option; + +pub type SSL_custom_ext_parse_cb_ex = + Option c_int>; + pub const SSL_COOKIE_LENGTH: c_int = 255; pub const SSL_OP_ENABLE_MIDDLEBOX_COMPAT: c_ulong = 0x00100000; pub const TLS1_3_VERSION: c_int = 0x304; +pub const SSL_EXT_TLS_ONLY: c_uint = 0x0001; +/* This extension is only allowed in DTLS */ +pub const SSL_EXT_DTLS_ONLY: c_uint = 0x0002; +/* Some extensions may be allowed in DTLS but we don't implement them for it */ +pub const SSL_EXT_TLS_IMPLEMENTATION_ONLY: c_uint = 0x0004; +/* Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is */ +pub const SSL_EXT_SSL3_ALLOWED: c_uint = 0x0008; +/* Extension is only defined for TLS1.2 and below */ +pub const SSL_EXT_TLS1_2_AND_BELOW_ONLY: c_uint = 0x0010; +/* Extension is only defined for TLS1.3 and above */ +pub const SSL_EXT_TLS1_3_ONLY: c_uint = 0x0020; +/* Ignore this extension during parsing if we are resuming */ +pub const SSL_EXT_IGNORE_ON_RESUMPTION: c_uint = 0x0040; +pub const SSL_EXT_CLIENT_HELLO: c_uint = 0x0080; +/* Really means TLS1.2 or below */ +pub const SSL_EXT_TLS1_2_SERVER_HELLO: c_uint = 0x0100; +pub const SSL_EXT_TLS1_3_SERVER_HELLO: c_uint = 0x0200; +pub const SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS: c_uint = 0x0400; +pub const SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST: c_uint = 0x0800; +pub const SSL_EXT_TLS1_3_CERTIFICATE: c_uint = 0x1000; +pub const SSL_EXT_TLS1_3_NEW_SESSION_TICKET: c_uint = 0x2000; +pub const SSL_EXT_TLS1_3_CERTIFICATE_REQUEST: c_uint = 0x4000; + + extern "C" { pub fn SSL_CTX_set_keylog_callback(ctx: *mut ::SSL_CTX, cb: SSL_CTX_keylog_cb_func); + pub fn SSL_CTX_add_custom_ext(ctx: *mut ::SSL_CTX, ext_type: c_uint, context: c_uint, + add_cb: SSL_custom_ext_add_cb_ex, + free_cb: SSL_custom_ext_free_cb_ex, + add_arg: *mut c_void, + parse_cb: SSL_custom_ext_parse_cb_ex, + parse_arg: *mut c_void) -> c_int; pub fn SSL_stateless(s: *mut ::SSL) -> c_int; } diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index 60d40fc7..0531274c 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -1,5 +1,7 @@ use ffi; use libc::{c_char, c_int, c_uchar, c_uint, c_void}; +#[cfg(all(feature = "v111", ossl111))] +use libc::size_t; use std::ffi::CStr; use std::ptr; use std::slice; @@ -20,6 +22,10 @@ use ssl::{get_callback_idx, get_ssl_callback_idx, SniError, SslAlert, SslContext all(feature = "v111", ossl111)))] use ssl::AlpnError; use x509::X509StoreContextRef; +#[cfg(all(feature = "v111", ossl111))] +use ssl::ExtensionContext; +#[cfg(all(feature = "v111", ossl111))] +use x509::X509Ref; pub extern "C" fn raw_verify(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int where @@ -416,3 +422,90 @@ where callback(ssl, slice) as c_int } } + +#[cfg(all(feature = "v111", ossl111))] +pub struct CustomExtAddState(Option); + +#[cfg(all(feature = "v111", ossl111))] +pub extern "C" fn raw_custom_ext_add(ssl: *mut ffi::SSL, _: c_uint, + context: c_uint, + out: *mut *const c_uchar, + outlen: *mut size_t, x: *mut ffi::X509, + chainidx: size_t, al: *mut c_int, + _: *mut c_void) + -> c_int + where F: Fn(&mut SslRef, ExtensionContext, Option<(usize, &X509Ref)>) -> Result, SslAlert> + 'static, + T: AsRef<[u8]> + 'static, +{ + unsafe { + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); + let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::()); + let callback = &*(callback as *mut F); + let ssl = SslRef::from_ptr_mut(ssl); + let ectx = ExtensionContext::from_bits_truncate(context); + let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) } else { None }; + match (callback)(ssl, ectx, cert) { + Ok(None) => 0, + Ok(Some(buf)) => { + *outlen = buf.as_ref().len() as size_t; + *out = buf.as_ref().as_ptr(); + + let idx = get_ssl_callback_idx::>(); + let ptr = ffi::SSL_get_ex_data(ssl.as_ptr(), idx); + if ptr.is_null() { + let x = Box::into_raw(Box::>::new(CustomExtAddState(Some(buf)))) as *mut c_void; + ffi::SSL_set_ex_data(ssl.as_ptr(), idx, x); + } else { + *(ptr as *mut _) = CustomExtAddState(Some(buf)) + } + 1 + } + Err(alert) => { + *al = alert.0; + -1 + } + } + } +} + +#[cfg(all(feature = "v111", ossl111))] +pub extern "C" fn raw_custom_ext_free(ssl: *mut ffi::SSL, _: c_uint, + _: c_uint, + _: *mut *const c_uchar, + _: *mut c_void) + where T: 'static +{ + unsafe { + let state = ffi::SSL_get_ex_data(ssl, get_ssl_callback_idx::>()); + let state = &mut (*(state as *mut CustomExtAddState)).0; + state.take(); + } +} + +#[cfg(all(feature = "v111", ossl111))] +pub extern "C" fn raw_custom_ext_parse(ssl: *mut ffi::SSL, _: c_uint, + context: c_uint, + input: *const c_uchar, + inlen: size_t, x: *mut ffi::X509, + chainidx: size_t, al: *mut c_int, + _: *mut c_void) + -> c_int + where F: FnMut(&mut SslRef, ExtensionContext, &[u8], Option<(usize, &X509Ref)>) -> Result<(), SslAlert> + 'static +{ + unsafe { + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); + let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::()); + let ssl = SslRef::from_ptr_mut(ssl); + let callback = &mut *(callback as *mut F); + let ectx = ExtensionContext::from_bits_truncate(context); + let slice = slice::from_raw_parts(input as *const u8, inlen as usize); + let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) } else { None }; + match callback(ssl, ectx, slice, cert) { + Ok(()) => 1, + Err(alert) => { + *al = alert.0; + 0 + } + } + } +} diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index d7d98949..a18ef3a0 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -366,6 +366,36 @@ bitflags! { } } +#[cfg(all(feature = "v111", ossl111))] +bitflags! { + /// Which messages and under which conditions an extension should be added or expected. + pub struct ExtensionContext: c_uint { + /// This extension is only allowed in TLS + const TLS_ONLY = ffi::SSL_EXT_TLS_ONLY; + /// This extension is only allowed in DTLS + const DTLS_ONLY = ffi::SSL_EXT_DTLS_ONLY; + /// Some extensions may be allowed in DTLS but we don't implement them for it + const TLS_IMPLEMENTATION_ONLY = ffi::SSL_EXT_TLS_IMPLEMENTATION_ONLY; + /// Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is + const SSL3_ALLOWED = ffi::SSL_EXT_SSL3_ALLOWED; + /// Extension is only defined for TLS1.2 and below + const TLS1_2_AND_BELOW_ONLY = ffi::SSL_EXT_TLS1_2_AND_BELOW_ONLY; + /// Extension is only defined for TLS1.3 and above + const TLS1_3_ONLY = ffi::SSL_EXT_TLS1_3_ONLY; + /// Ignore this extension during parsing if we are resuming + const IGNORE_ON_RESUMPTION = ffi::SSL_EXT_IGNORE_ON_RESUMPTION; + const CLIENT_HELLO = ffi::SSL_EXT_CLIENT_HELLO; + /// Really means TLS1.2 or below + const TLS1_2_SERVER_HELLO = ffi::SSL_EXT_TLS1_2_SERVER_HELLO; + const TLS1_3_SERVER_HELLO = ffi::SSL_EXT_TLS1_3_SERVER_HELLO; + const TLS1_3_ENCRYPTED_EXTENSIONS = ffi::SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS; + const TLS1_3_HELLO_RETRY_REQUEST = ffi::SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST; + const TLS1_3_CERTIFICATE = ffi::SSL_EXT_TLS1_3_CERTIFICATE; + const TLS1_3_NEW_SESSION_TICKET = ffi::SSL_EXT_TLS1_3_NEW_SESSION_TICKET; + const TLS1_3_CERTIFICATE_REQUEST = ffi::SSL_EXT_TLS1_3_CERTIFICATE_REQUEST; + } +} + /// An identifier of the format of a certificate or key file. #[derive(Copy, Clone)] pub struct SslFiletype(c_int); @@ -504,6 +534,8 @@ pub struct SslAlert(c_int); impl SslAlert { /// Alert 112 - `unrecognized_name`. pub const UNRECOGNIZED_NAME: SslAlert = SslAlert(ffi::SSL_AD_UNRECOGNIZED_NAME); + pub const ILLEGAL_PARAMETER: SslAlert = SslAlert(ffi::SSL_AD_ILLEGAL_PARAMETER); + pub const DECODE_ERROR: SslAlert = SslAlert(ffi::SSL_AD_DECODE_ERROR); } /// An error returned from an ALPN selection callback. @@ -1474,6 +1506,50 @@ impl SslContextBuilder { } } + /// Adds a custom extension for a TLS/DTLS client or server for all supported protocol versions. + /// + /// This corresponds to [`SSL_CTX_add_custom_ext`]. + /// + /// [`SSL_CTX_add_custom_ext`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_add_custom_ext.html + #[cfg(all(feature = "v111", ossl111))] + pub fn add_custom_ext( + &mut self, ext_type: u16, context: ExtensionContext, add_cb: AddFn, parse_cb: ParseFn + ) -> Result<(), ErrorStack> + where AddFn: Fn(&mut SslRef, ExtensionContext, Option<(usize, &X509Ref)>) + -> Result, SslAlert> + 'static + Sync + Send, + T: AsRef<[u8]> + 'static, + ParseFn: Fn(&mut SslRef, ExtensionContext, &[u8], Option<(usize, &X509Ref)>) + -> Result<(), SslAlert> + 'static + Sync + Send, + { + let ret = unsafe { + let add_cb = Box::new(add_cb); + ffi::SSL_CTX_set_ex_data( + self.as_ptr(), + get_callback_idx::(), + Box::into_raw(add_cb) as *mut _ + ); + + let parse_cb = Box::new(parse_cb); + ffi::SSL_CTX_set_ex_data( + self.as_ptr(), + get_callback_idx::(), + Box::into_raw(parse_cb) as *mut _, + ); + + ffi::SSL_CTX_add_custom_ext(self.as_ptr(), ext_type as c_uint, context.bits(), + Some(raw_custom_ext_add::), + Some(raw_custom_ext_free::), + ptr::null_mut(), + Some(raw_custom_ext_parse::), + ptr::null_mut()) + }; + if ret == 1 { + Ok(()) + } else { + Err(ErrorStack::get()) + } + } + /// Consumes the builder, returning a new `SslContext`. pub fn build(self) -> SslContext { self.0 diff --git a/openssl/src/ssl/test.rs b/openssl/src/ssl/test.rs index ae8c12de..8be3e4d6 100644 --- a/openssl/src/ssl/test.rs +++ b/openssl/src/ssl/test.rs @@ -1353,6 +1353,44 @@ fn no_version_overlap() { guard.join().unwrap(); } +#[test] +#[cfg(all(feature = "v111", ossl111))] +fn custom_extensions() { + static FOUND_EXTENSION: AtomicBool = ATOMIC_BOOL_INIT; + + let listener = TcpListener::bind("127.0.0.1:0").unwrap(); + let addr = listener.local_addr().unwrap(); + + let guard = thread::spawn(move || { + let stream = listener.accept().unwrap().0; + let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); + ctx.set_certificate_file(&Path::new("test/cert.pem"), SslFiletype::PEM) + .unwrap(); + ctx.set_private_key_file(&Path::new("test/key.pem"), SslFiletype::PEM) + .unwrap(); + ctx.add_custom_ext( + 12345, ssl::ExtensionContext::CLIENT_HELLO, + |_, _, _| -> Result, _> { unreachable!() }, + |_, _, data, _| { FOUND_EXTENSION.store(data == b"hello", Ordering::SeqCst); Ok(()) } + ).unwrap(); + let ssl = Ssl::new(&ctx.build()).unwrap(); + ssl.accept(stream).unwrap(); + }); + + let stream = TcpStream::connect(addr).unwrap(); + let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); + ctx.add_custom_ext( + 12345, ssl::ExtensionContext::CLIENT_HELLO, + |_, _, _| Ok(Some(b"hello")), + |_, _, _, _| unreachable!() + ).unwrap(); + let ssl = Ssl::new(&ctx.build()).unwrap(); + ssl.connect(stream).unwrap(); + + guard.join().unwrap(); + assert!(FOUND_EXTENSION.load(Ordering::SeqCst)); +} + fn _check_kinds() { fn is_send() {} fn is_sync() {} diff --git a/systest/build.rs b/systest/build.rs index 76d0a950..a3aa3386 100644 --- a/systest/build.rs +++ b/systest/build.rs @@ -109,7 +109,7 @@ fn main() { cfg.skip_signededness(|s| { s.ends_with("_cb") || s.ends_with("_CB") || s.ends_with("_cb_fn") || s.starts_with("CRYPTO_") || s == "PasswordCallback" - || s.ends_with("_cb_func") + || s.ends_with("_cb_func") || s.ends_with("_cb_ex") }); cfg.field_name(|_s, field| { if field == "type_" {