Allow configuration of EC groups and signature algorithms

Closes #1186

openssl-sys/src/ssl.rs

@@ -711,9 +711,13 @@ pub const SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: c_int = 71;
 #[cfg(any(libressl, all(ossl101, not(ossl110))))]
 pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77;
 pub const SSL_CTRL_GET_EXTRA_CHAIN_CERTS: c_int = 82;
+#[cfg(ossl111)]
+pub const SSL_CTRL_SET_GROUPS_LIST: c_int = 92;
 #[cfg(any(libressl, all(ossl102, not(ossl110))))]
 pub const SSL_CTRL_SET_ECDH_AUTO: c_int = 94;
 #[cfg(ossl102)]
+pub const SSL_CTRL_SET_SIGALGS_LIST: c_int = 98;
+#[cfg(ossl102)]
 pub const SSL_CTRL_SET_VERIFY_CERT_STORE: c_int = 106;
 #[cfg(ossl110)]
 pub const SSL_CTRL_SET_MIN_PROTO_VERSION: c_int = 123;
@@ -756,6 +760,26 @@ pub unsafe fn SSL_CTX_set0_verify_cert_store(ctx: *mut SSL_CTX, st: *mut X509_ST
     SSL_CTX_ctrl(ctx, SSL_CTRL_SET_VERIFY_CERT_STORE, 0, st as *mut c_void)
 }
 
+#[cfg(ossl111)]
+pub unsafe fn SSL_CTX_set1_groups_list(ctx: *mut SSL_CTX, s: *const c_char) -> c_long {
+    SSL_CTX_ctrl(
+        ctx,
+        SSL_CTRL_SET_GROUPS_LIST,
+        0,
+        s as *const c_void as *mut c_void,
+    )
+}
+
+#[cfg(ossl102)]
+pub unsafe fn SSL_CTX_set1_sigalgs_list(ctx: *mut SSL_CTX, s: *const c_char) -> c_long {
+    SSL_CTX_ctrl(
+        ctx,
+        SSL_CTRL_SET_SIGALGS_LIST,
+        0,
+        s as *const c_void as *mut c_void,
+    )
+}
+
 #[cfg(any(libressl, all(ossl102, not(ossl110))))]
 pub unsafe fn SSL_CTX_set_ecdh_auto(ctx: *mut SSL_CTX, onoff: c_int) -> c_int {
     SSL_CTX_ctrl(

openssl/src/ssl/mod.rs

@@ -486,7 +486,6 @@ impl NameType {
 lazy_static! {
     static ref INDEXES: Mutex<HashMap<TypeId, c_int>> = Mutex::new(HashMap::new());
     static ref SSL_INDEXES: Mutex<HashMap<TypeId, c_int>> = Mutex::new(HashMap::new());
-
     static ref SESSION_CTX_INDEX: Index<Ssl, SslContext> = Ssl::new_ex_index().unwrap();
 }
 
@@ -880,13 +879,7 @@ impl SslContextBuilder {
     /// [`SSL_CTX_add_client_CA`]: https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_client_CA_list.html
     #[cfg(not(libressl))]
     pub fn add_client_ca(&mut self, cacert: &X509Ref) -> Result<(), ErrorStack> {
-        unsafe {
+        unsafe { cvt(ffi::SSL_CTX_add_client_CA(self.as_ptr(), cacert.as_ptr())).map(|_| ()) }
-            cvt(ffi::SSL_CTX_add_client_CA(
-                self.as_ptr(),
-                cacert.as_ptr()
-            ))
-            .map(|_| ())
-        }
     }
 
     /// Set the context identifier for sessions.
@@ -1705,6 +1698,37 @@ impl SslContextBuilder {
         unsafe { ffi::SSL_CTX_sess_set_cache_size(self.as_ptr(), size.into()).into() }
     }
 
+    /// Sets the context's supported signature algorithms.
+    ///
+    /// This corresponds to [`SSL_CTX_set1_sigalgs_list`].
+    ///
+    /// Requires OpenSSL 1.0.2 or newer.
+    ///
+    /// [`SSL_CTX_set1_sigalgs_list`]: https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set1_sigalgs_list.html
+    #[cfg(ossl102)]
+    pub fn set_sigalgs_list(&mut self, sigalgs: &str) -> Result<(), ErrorStack> {
+        let sigalgs = CString::new(sigalgs).unwrap();
+        unsafe {
+            cvt(ffi::SSL_CTX_set1_sigalgs_list(self.as_ptr(), sigalgs.as_ptr()) as c_int)
+                .map(|_| ())
+        }
+    }
+
+    /// Sets the context's supported elliptic curve groups.
+    ///
+    /// This corresponds to [`SSL_CTX_set1_groups_list`].
+    ///
+    /// Requires OpenSSL 1.1.1 or newer.
+    ///
+    /// [`SSL_CTX_set1_groups_list`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups_list.html
+    #[cfg(ossl111)]
+    pub fn set_groups_list(&mut self, groups: &str) -> Result<(), ErrorStack> {
+        let groups = CString::new(groups).unwrap();
+        unsafe {
+            cvt(ffi::SSL_CTX_set1_groups_list(self.as_ptr(), groups.as_ptr()) as c_int).map(|_| ())
+        }
+    }
+
     /// Consumes the builder, returning a new `SslContext`.
     pub fn build(self) -> SslContext {
         self.0