min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #860 from Ralith/custom-extensions 

Custom extensions
This commit is contained in:
Steven Fackler 2018-03-11 15:33:42 -07:00 committed by GitHub
parent 1b830c3fb7 d0329473bd
commit 0bc7dd9034
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 271 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
openssl-sys/src/lib.rs
View File

@ -1219,6 +1219,12 @@ pub const RSA_PKCS1_PSS_PADDING: c_int = 6;
pub const SHA_LBLOCK: c_int = 16;
pub const SSL3_AD_ILLEGAL_PARAMETER: c_int = 47;
pub const SSL_AD_ILLEGAL_PARAMETER: c_int = SSL3_AD_ILLEGAL_PARAMETER;
pub const TLS1_AD_DECODE_ERROR: c_int = 50;
pub const SSL_AD_DECODE_ERROR: c_int = TLS1_AD_DECODE_ERROR;
pub const TLS1_AD_UNRECOGNIZED_NAME: c_int = 112;
pub const SSL_AD_UNRECOGNIZED_NAME: c_int = TLS1_AD_UNRECOGNIZED_NAME;

3
openssl-sys/src/ossl10x.rs
View File

@ -975,4 +975,7 @@ extern "C" {
pub fn SSLeay() -> c_ulong;
pub fn SSLeay_version(key: c_int) -> *const c_char;
#[cfg(ossl102)]
pub fn SSL_extension_supported(ext_type: c_uint) -> c_int;
}

2
openssl-sys/src/ossl110.rs
View File

@ -364,7 +364,7 @@ extern "C" {
) -> *mut PKCS12;
pub fn X509_REQ_get_version(req: *const X509_REQ) -> c_long;
pub fn X509_REQ_get_subject_name(req: *const X509_REQ) -> *mut ::X509_NAME;
pub fn SSL_extension_supported(ext_type: c_uint) -> c_int;
pub fn ECDSA_SIG_get0(sig: *const ECDSA_SIG, pr: *mut *const BIGNUM, ps: *mut *const BIGNUM);
pub fn ECDSA_SIG_set0(sig: *mut ECDSA_SIG, pr: *mut BIGNUM, ps: *mut BIGNUM) -> c_int;
}

54
openssl-sys/src/ossl111.rs
View File

@ -1,15 +1,67 @@
use libc::{c_char, c_int, c_ulong};
use libc::{c_char, c_uchar, c_int, c_uint, c_ulong, size_t, c_void};
pub type SSL_CTX_keylog_cb_func =
Option<unsafe extern "C" fn(ssl: *const ::SSL, line: *const c_char)>;
pub type SSL_custom_ext_add_cb_ex =
Option<unsafe extern "C" fn(ssl: *mut ::SSL, ext_type: c_uint,
context: c_uint,
out: *mut *const c_uchar,
outlen: *mut size_t, x: *mut ::X509,
chainidx: size_t, al: *mut c_int,
add_arg: *mut c_void) -> c_int>;
pub type SSL_custom_ext_free_cb_ex =
Option<unsafe extern "C" fn(ssl: *mut ::SSL, ext_type: c_uint,
context: c_uint,
out: *mut *const c_uchar,
add_arg: *mut c_void)>;
pub type SSL_custom_ext_parse_cb_ex =
Option<unsafe extern "C" fn(ssl: *mut ::SSL, ext_type: c_uint,
context: c_uint,
input: *const c_uchar,
inlen: size_t, x: *mut ::X509,
chainidx: size_t, al: *mut c_int,
parse_arg: *mut c_void) -> c_int>;
pub const SSL_COOKIE_LENGTH: c_int = 255;
pub const SSL_OP_ENABLE_MIDDLEBOX_COMPAT: c_ulong = 0x00100000;
pub const TLS1_3_VERSION: c_int = 0x304;
pub const SSL_EXT_TLS_ONLY: c_uint = 0x0001;
/* This extension is only allowed in DTLS */
pub const SSL_EXT_DTLS_ONLY: c_uint = 0x0002;
/* Some extensions may be allowed in DTLS but we don't implement them for it */
pub const SSL_EXT_TLS_IMPLEMENTATION_ONLY: c_uint = 0x0004;
/* Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is */
pub const SSL_EXT_SSL3_ALLOWED: c_uint = 0x0008;
/* Extension is only defined for TLS1.2 and below */
pub const SSL_EXT_TLS1_2_AND_BELOW_ONLY: c_uint = 0x0010;
/* Extension is only defined for TLS1.3 and above */
pub const SSL_EXT_TLS1_3_ONLY: c_uint = 0x0020;
/* Ignore this extension during parsing if we are resuming */
pub const SSL_EXT_IGNORE_ON_RESUMPTION: c_uint = 0x0040;
pub const SSL_EXT_CLIENT_HELLO: c_uint = 0x0080;
/* Really means TLS1.2 or below */
pub const SSL_EXT_TLS1_2_SERVER_HELLO: c_uint = 0x0100;
pub const SSL_EXT_TLS1_3_SERVER_HELLO: c_uint = 0x0200;
pub const SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS: c_uint = 0x0400;
pub const SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST: c_uint = 0x0800;
pub const SSL_EXT_TLS1_3_CERTIFICATE: c_uint = 0x1000;
pub const SSL_EXT_TLS1_3_NEW_SESSION_TICKET: c_uint = 0x2000;
pub const SSL_EXT_TLS1_3_CERTIFICATE_REQUEST: c_uint = 0x4000;
extern "C" {
pub fn SSL_CTX_set_keylog_callback(ctx: *mut ::SSL_CTX, cb: SSL_CTX_keylog_cb_func);
pub fn SSL_CTX_add_custom_ext(ctx: *mut ::SSL_CTX, ext_type: c_uint, context: c_uint,
add_cb: SSL_custom_ext_add_cb_ex,
free_cb: SSL_custom_ext_free_cb_ex,
add_arg: *mut c_void,
parse_cb: SSL_custom_ext_parse_cb_ex,
parse_arg: *mut c_void) -> c_int;
pub fn SSL_stateless(s: *mut ::SSL) -> c_int;
}

93
openssl/src/ssl/callbacks.rs
View File

@ -1,5 +1,7 @@
use ffi;
use libc::{c_char, c_int, c_uchar, c_uint, c_void};
#[cfg(all(feature = "v111", ossl111))]
use libc::size_t;
use std::ffi::CStr;
use std::ptr;
use std::slice;
@ -20,6 +22,10 @@ use ssl::{get_callback_idx, get_ssl_callback_idx, SniError, SslAlert, SslContext
all(feature = "v111", ossl111)))]
use ssl::AlpnError;
use x509::X509StoreContextRef;
#[cfg(all(feature = "v111", ossl111))]
use ssl::ExtensionContext;
#[cfg(all(feature = "v111", ossl111))]
use x509::X509Ref;
pub extern "C" fn raw_verify<F>(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int
where
@ -416,3 +422,90 @@ where
callback(ssl, slice) as c_int
}
}
#[cfg(all(feature = "v111", ossl111))]
pub struct CustomExtAddState<T>(Option<T>);
#[cfg(all(feature = "v111", ossl111))]
pub extern "C" fn raw_custom_ext_add<F, T>(ssl: *mut ffi::SSL, _: c_uint,
context: c_uint,
out: *mut *const c_uchar,
outlen: *mut size_t, x: *mut ffi::X509,
chainidx: size_t, al: *mut c_int,
_: *mut c_void)
-> c_int
where F: Fn(&mut SslRef, ExtensionContext, Option<(usize, &X509Ref)>) -> Result<Option<T>, SslAlert> + 'static,
T: AsRef<[u8]> + 'static,
{
unsafe {
let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _);
let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>());
let callback = &*(callback as *mut F);
let ssl = SslRef::from_ptr_mut(ssl);
let ectx = ExtensionContext::from_bits_truncate(context);
let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) } else { None };
match (callback)(ssl, ectx, cert) {
Ok(None) => 0,
Ok(Some(buf)) => {
*outlen = buf.as_ref().len() as size_t;
*out = buf.as_ref().as_ptr();
let idx = get_ssl_callback_idx::<CustomExtAddState<T>>();
let ptr = ffi::SSL_get_ex_data(ssl.as_ptr(), idx);
if ptr.is_null() {
let x = Box::into_raw(Box::<CustomExtAddState<T>>::new(CustomExtAddState(Some(buf)))) as *mut c_void;
ffi::SSL_set_ex_data(ssl.as_ptr(), idx, x);
} else {
*(ptr as *mut _) = CustomExtAddState(Some(buf))
}
1
}
Err(alert) => {
*al = alert.0;
-1
}
}
}
}
#[cfg(all(feature = "v111", ossl111))]
pub extern "C" fn raw_custom_ext_free<T>(ssl: *mut ffi::SSL, _: c_uint,
_: c_uint,
_: *mut *const c_uchar,
_: *mut c_void)
where T: 'static
{
unsafe {
let state = ffi::SSL_get_ex_data(ssl, get_ssl_callback_idx::<CustomExtAddState<T>>());
let state = &mut (*(state as *mut CustomExtAddState<T>)).0;
state.take();
}
}
#[cfg(all(feature = "v111", ossl111))]
pub extern "C" fn raw_custom_ext_parse<F>(ssl: *mut ffi::SSL, _: c_uint,
context: c_uint,
input: *const c_uchar,
inlen: size_t, x: *mut ffi::X509,
chainidx: size_t, al: *mut c_int,
_: *mut c_void)
-> c_int
where F: FnMut(&mut SslRef, ExtensionContext, &[u8], Option<(usize, &X509Ref)>) -> Result<(), SslAlert> + 'static
{
unsafe {
let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _);
let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>());
let ssl = SslRef::from_ptr_mut(ssl);
let callback = &mut *(callback as *mut F);
let ectx = ExtensionContext::from_bits_truncate(context);
let slice = slice::from_raw_parts(input as *const u8, inlen as usize);
let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) } else { None };
match callback(ssl, ectx, slice, cert) {
Ok(()) => 1,
Err(alert) => {
*al = alert.0;
0
}
}
}
}

76
openssl/src/ssl/mod.rs
View File

@ -366,6 +366,36 @@ bitflags! {
}
}
#[cfg(all(feature = "v111", ossl111))]
bitflags! {
/// Which messages and under which conditions an extension should be added or expected.
pub struct ExtensionContext: c_uint {
/// This extension is only allowed in TLS
const TLS_ONLY = ffi::SSL_EXT_TLS_ONLY;
/// This extension is only allowed in DTLS
const DTLS_ONLY = ffi::SSL_EXT_DTLS_ONLY;
/// Some extensions may be allowed in DTLS but we don't implement them for it
const TLS_IMPLEMENTATION_ONLY = ffi::SSL_EXT_TLS_IMPLEMENTATION_ONLY;
/// Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is
const SSL3_ALLOWED = ffi::SSL_EXT_SSL3_ALLOWED;
/// Extension is only defined for TLS1.2 and below
const TLS1_2_AND_BELOW_ONLY = ffi::SSL_EXT_TLS1_2_AND_BELOW_ONLY;
/// Extension is only defined for TLS1.3 and above
const TLS1_3_ONLY = ffi::SSL_EXT_TLS1_3_ONLY;
/// Ignore this extension during parsing if we are resuming
const IGNORE_ON_RESUMPTION = ffi::SSL_EXT_IGNORE_ON_RESUMPTION;
const CLIENT_HELLO = ffi::SSL_EXT_CLIENT_HELLO;
/// Really means TLS1.2 or below
const TLS1_2_SERVER_HELLO = ffi::SSL_EXT_TLS1_2_SERVER_HELLO;
const TLS1_3_SERVER_HELLO = ffi::SSL_EXT_TLS1_3_SERVER_HELLO;
const TLS1_3_ENCRYPTED_EXTENSIONS = ffi::SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
const TLS1_3_HELLO_RETRY_REQUEST = ffi::SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST;
const TLS1_3_CERTIFICATE = ffi::SSL_EXT_TLS1_3_CERTIFICATE;
const TLS1_3_NEW_SESSION_TICKET = ffi::SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
const TLS1_3_CERTIFICATE_REQUEST = ffi::SSL_EXT_TLS1_3_CERTIFICATE_REQUEST;
}
}
/// An identifier of the format of a certificate or key file.
#[derive(Copy, Clone)]
pub struct SslFiletype(c_int);
@ -504,6 +534,8 @@ pub struct SslAlert(c_int);
impl SslAlert {
/// Alert 112 - `unrecognized_name`.
pub const UNRECOGNIZED_NAME: SslAlert = SslAlert(ffi::SSL_AD_UNRECOGNIZED_NAME);
pub const ILLEGAL_PARAMETER: SslAlert = SslAlert(ffi::SSL_AD_ILLEGAL_PARAMETER);
pub const DECODE_ERROR: SslAlert = SslAlert(ffi::SSL_AD_DECODE_ERROR);
}
/// An error returned from an ALPN selection callback.
@ -1474,6 +1506,50 @@ impl SslContextBuilder {
}
}
/// Adds a custom extension for a TLS/DTLS client or server for all supported protocol versions.
///
/// This corresponds to [`SSL_CTX_add_custom_ext`].
///
/// [`SSL_CTX_add_custom_ext`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_add_custom_ext.html
#[cfg(all(feature = "v111", ossl111))]
pub fn add_custom_ext<AddFn, ParseFn, T>(
&mut self, ext_type: u16, context: ExtensionContext, add_cb: AddFn, parse_cb: ParseFn
) -> Result<(), ErrorStack>
where AddFn: Fn(&mut SslRef, ExtensionContext, Option<(usize, &X509Ref)>)
-> Result<Option<T>, SslAlert> + 'static + Sync + Send,
T: AsRef<[u8]> + 'static,
ParseFn: Fn(&mut SslRef, ExtensionContext, &[u8], Option<(usize, &X509Ref)>)
-> Result<(), SslAlert> + 'static + Sync + Send,
{
let ret = unsafe {
let add_cb = Box::new(add_cb);
ffi::SSL_CTX_set_ex_data(
self.as_ptr(),
get_callback_idx::<AddFn>(),
Box::into_raw(add_cb) as *mut _
);
let parse_cb = Box::new(parse_cb);
ffi::SSL_CTX_set_ex_data(
self.as_ptr(),
get_callback_idx::<ParseFn>(),
Box::into_raw(parse_cb) as *mut _,
);
ffi::SSL_CTX_add_custom_ext(self.as_ptr(), ext_type as c_uint, context.bits(),
Some(raw_custom_ext_add::<AddFn, T>),
Some(raw_custom_ext_free::<T>),
ptr::null_mut(),
Some(raw_custom_ext_parse::<ParseFn>),
ptr::null_mut())
};
if ret == 1 {
Ok(())
} else {
Err(ErrorStack::get())
}
}
/// Consumes the builder, returning a new `SslContext`.
pub fn build(self) -> SslContext {
self.0

38
openssl/src/ssl/test.rs
View File

@ -1353,6 +1353,44 @@ fn no_version_overlap() {
guard.join().unwrap();
}
#[test]
#[cfg(all(feature = "v111", ossl111))]
fn custom_extensions() {
static FOUND_EXTENSION: AtomicBool = ATOMIC_BOOL_INIT;
let listener = TcpListener::bind("127.0.0.1:0").unwrap();
let addr = listener.local_addr().unwrap();
let guard = thread::spawn(move || {
let stream = listener.accept().unwrap().0;
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
ctx.set_certificate_file(&Path::new("test/cert.pem"), SslFiletype::PEM)
.unwrap();
ctx.set_private_key_file(&Path::new("test/key.pem"), SslFiletype::PEM)
.unwrap();
ctx.add_custom_ext(
12345, ssl::ExtensionContext::CLIENT_HELLO,
|_, _, _| -> Result<Option<&'static [u8]>, _> { unreachable!() },
|_, _, data, _| { FOUND_EXTENSION.store(data == b"hello", Ordering::SeqCst); Ok(()) }
).unwrap();
let ssl = Ssl::new(&ctx.build()).unwrap();
ssl.accept(stream).unwrap();
});
let stream = TcpStream::connect(addr).unwrap();
let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
ctx.add_custom_ext(
12345, ssl::ExtensionContext::CLIENT_HELLO,
|_, _, _| Ok(Some(b"hello")),
|_, _, _, _| unreachable!()
).unwrap();
let ssl = Ssl::new(&ctx.build()).unwrap();
ssl.connect(stream).unwrap();
guard.join().unwrap();
assert!(FOUND_EXTENSION.load(Ordering::SeqCst));
}
fn _check_kinds() {
fn is_send<T: Send>() {}
fn is_sync<T: Sync>() {}

2
systest/build.rs
View File

@ -109,7 +109,7 @@ fn main() {
cfg.skip_signededness(|s| {
s.ends_with("_cb") || s.ends_with("_CB") || s.ends_with("_cb_fn")
|| s.starts_with("CRYPTO_") || s == "PasswordCallback"
|| s.ends_with("_cb_func")
|| s.ends_with("_cb_func") || s.ends_with("_cb_ex")
});
cfg.field_name(|_s, field| {
if field == "type_" {