From 0fb1e55a986a92c0649e90946e358c229d4af997 Mon Sep 17 00:00:00 2001
From: Steven Fackler
Date: Sat, 16 Nov 2019 10:36:29 -0800
Subject: [PATCH] Allow configuration of EC groups and signature algorithms

Closes #1186
---
 openssl-sys/src/ssl.rs | 24 ++++++++++++++++++++++++
 openssl/src/ssl/mod.rs | 40 ++++++++++++++++++++++++++++++++--------
 2 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs
index 0cad5aac..e09f35df 100644
--- a/openssl-sys/src/ssl.rs
+++ b/openssl-sys/src/ssl.rs
@@ -711,9 +711,13 @@ pub const SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: c_int = 71;
 #[cfg(any(libressl, all(ossl101, not(ossl110))))]
 pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77;
 pub const SSL_CTRL_GET_EXTRA_CHAIN_CERTS: c_int = 82;
+#[cfg(ossl111)]
+pub const SSL_CTRL_SET_GROUPS_LIST: c_int = 92;
 #[cfg(any(libressl, all(ossl102, not(ossl110))))]
 pub const SSL_CTRL_SET_ECDH_AUTO: c_int = 94;
 #[cfg(ossl102)]
+pub const SSL_CTRL_SET_SIGALGS_LIST: c_int = 98;
+#[cfg(ossl102)]
 pub const SSL_CTRL_SET_VERIFY_CERT_STORE: c_int = 106;
 #[cfg(ossl110)]
 pub const SSL_CTRL_SET_MIN_PROTO_VERSION: c_int = 123;
@@ -756,6 +760,26 @@ pub unsafe fn SSL_CTX_set0_verify_cert_store(ctx: *mut SSL_CTX, st: *mut X509_ST
     SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, st as *mut c_void)
 }
 
+#[cfg(ossl111)]
+pub unsafe fn SSL_CTX_set1_groups_list(ctx: *mut SSL_CTX, s: *const c_char) -> c_long {
+    SSL_CTX_ctrl(
+        ctx,
+        SSL_CTRL_SET_GROUPS_LIST,
+        0,
+        s as *const c_void as *mut c_void,
+    )
+}
+
+#[cfg(ossl102)]
+pub unsafe fn SSL_CTX_set1_sigalgs_list(ctx: *mut SSL_CTX, s: *const c_char) -> c_long {
+    SSL_CTX_ctrl(
+        ctx,
+        SSL_CTRL_SET_SIGALGS_LIST,
+        0,
+        s as *const c_void as *mut c_void,
+    )
+}
+
 #[cfg(any(libressl, all(ossl102, not(ossl110))))]
 pub unsafe fn SSL_CTX_set_ecdh_auto(ctx: *mut SSL_CTX, onoff: c_int) -> c_int {
     SSL_CTX_ctrl(
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index d2409163..ad3b9202 100644
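Review bot: Nothing in the new SSL_CTX_set1_groups_list wrapper explains why a `*const c_char` is laundered into `*mut c_void` through `s as *const c_void as *mut c_void`, so a reader has to go to OpenSSL to see whether the ctrl writes through the pointer; the same cast appears in SSL_CTX_set1_sigalgs_list just below it. A one-line comment would settle it, e.g. `// set1_*_list ctrls copy the string; the *mut is only to fit SSL_CTX_ctrl's signature.` — hedged on the "set1" naming convention, which is what the callers in openssl/src/ssl/mod.rs rely on when they pass a temporary CString. It would also help to note why the return type is c_long here while the neighbouring SSL_CTX_set_ecdh_auto narrows to c_int, since every caller now has to add its own `as c_int`.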
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -486,7 +486,6 @@ impl NameType {
 lazy_static! {
     static ref INDEXES: Mutex> = Mutex::new(HashMap::new());
     static ref SSL_INDEXES: Mutex> = Mutex::new(HashMap::new());
-    static ref SESSION_CTX_INDEX: Index = Ssl::new_ex_index().unwrap();
 }
@@ -880,13 +879,7 @@ impl SslContextBuilder {
     /// [`SSL_CTX_add_client_CA`]: https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_client_CA_list.html
     #[cfg(not(libressl))]
     pub fn add_client_ca(&mut self, cacert: &X509Ref) -> Result<(), ErrorStack> {
-        unsafe {
-            cvt(ffi::SSL_CTX_add_client_CA(
-                self.as_ptr(),
-                cacert.as_ptr()
-            ))
-            .map(|_| ())
-        }
+        unsafe { cvt(ffi::SSL_CTX_add_client_CA(self.as_ptr(), cacert.as_ptr())).map(|_| ()) }
     }
 
     /// Set the context identifier for sessions.
@@ -1705,6 +1698,37 @@ impl SslContextBuilder {
         unsafe { ffi::SSL_CTX_sess_set_cache_size(self.as_ptr(), size.into()).into() }
     }
 
+    /// Sets the context's supported signature algorithms.
+    ///
+    /// This corresponds to [`SSL_CTX_set1_sigalgs_list`].
+    ///
+    /// Requires OpenSSL 1.0.2 or newer.
+    ///
+    /// [`SSL_CTX_set1_sigalgs_list`]: https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set1_sigalgs_list.html
+    #[cfg(ossl102)]
+    pub fn set_sigalgs_list(&mut self, sigalgs: &str) -> Result<(), ErrorStack> {
+        let sigalgs = CString::new(sigalgs).unwrap();
+        unsafe {
+            cvt(ffi::SSL_CTX_set1_sigalgs_list(self.as_ptr(), sigalgs.as_ptr()) as c_int)
+                .map(|_| ())
+        }
+    }
+
+    /// Sets the context's supported elliptic curve groups.
+    ///
+    /// This corresponds to [`SSL_CTX_set1_groups_list`].
+    ///
+    /// Requires OpenSSL 1.1.1 or newer.
+    ///
+    /// [`SSL_CTX_set1_groups_list`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups_list.html
+    #[cfg(ossl111)]
+    pub fn set_groups_list(&mut self, groups: &str) -> Result<(), ErrorStack> {
+        let groups = CString::new(groups).unwrap();
+        unsafe {
+            cvt(ffi::SSL_CTX_set1_groups_list(self.as_ptr(), groups.as_ptr()) as c_int).map(|_| ())
+        }
+    }
+
     /// Consumes the builder, returning a new `SslContext`.
     pub fn build(self) -> SslContext {
         self.0
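Review bot: `let sigalgs = CString::new(sigalgs).unwrap();` in set_sigalgs_list, and the matching line in set_groups_list, panics on an interior NUL byte, so a setter that otherwise reports failure through `Result<(), ErrorStack>` can abort the process on a malformed list — awkward when the string comes from a deployment config rather than a literal. At minimum the docs should carry a `/// # Panics` section, `/// Panics if `sigalgs` contains an interior NUL byte.` (same for `groups`), or the NulError could be routed into the Err path if the crate has a convention for that. The two docs also differ slightly in style: the sigalgs link points at the man1.1.0 page while the gate and the "Requires" sentence say 1.0.2, which is worth aligning so readers land on the version that matches the cfg.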