Merge pull request #503 from sfackler/ecdhe

ECDHE support

openssl-sys/src/lib.rs

@@ -24,6 +24,7 @@ pub enum ASN1_TYPE {}
 pub enum BN_CTX {}
 pub enum BN_GENCB {}
 pub enum COMP_METHOD {}
+pub enum EC_KEY {}
 pub enum ENGINE {}
 pub enum EVP_CIPHER_CTX {}
 pub enum EVP_MD {}
@@ -1042,6 +1043,7 @@ pub const RSA_PKCS1_OAEP_PADDING: c_int = 4;
 pub const RSA_X931_PADDING: c_int = 5;
 
 pub const SSL_CTRL_SET_TMP_DH: c_int = 3;
+pub const SSL_CTRL_SET_TMP_ECDH: c_int = 4;
 pub const SSL_CTRL_EXTRA_CHAIN_CERT: c_int = 14;
 pub const SSL_CTRL_MODE: c_int = 33;
 pub const SSL_CTRL_SET_READ_AHEAD: c_int = 41;
@@ -1213,6 +1215,10 @@ pub unsafe fn SSL_CTX_set_tmp_dh(ctx: *mut SSL_CTX, dh: *mut DH) -> c_long {
     SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, dh as *mut c_void)
 }
 
+pub unsafe fn SSL_CTX_set_tmp_ecdh(ctx: *mut SSL_CTX, key: *mut EC_KEY) -> c_long {
+    SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, key as *mut c_void)
+}
+
 pub unsafe fn SSL_CTX_add_extra_chain_cert(ctx: *mut SSL_CTX, x509: *mut X509) -> c_long {
     SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, x509 as *mut c_void)
 }
@@ -1341,8 +1347,10 @@ extern {
     #[cfg(not(ossl101))]
     pub fn DH_get_2048_256() -> *mut DH;
 
-    pub fn ERR_get_error() -> c_ulong;
+    pub fn EC_KEY_new_by_curve_name(nid: c_int) -> *mut EC_KEY;
+    pub fn EC_KEY_free(key: *mut EC_KEY);
 
+    pub fn ERR_get_error() -> c_ulong;
     pub fn ERR_lib_error_string(err: c_ulong) -> *const c_char;
     pub fn ERR_func_error_string(err: c_ulong) -> *const c_char;
     pub fn ERR_reason_error_string(err: c_ulong) -> *const c_char;

openssl/src/dh.rs

@@ -2,10 +2,24 @@ use ffi;
 use error::ErrorStack;
 use bio::MemBioSlice;
 use std::ptr;
+use std::mem;
+use std::ops::Deref;
 
 use {cvt, cvt_p};
 use bn::BigNum;
-use std::mem;
+use opaque::Opaque;
+
+pub struct DhRef(Opaque);
+
+impl DhRef {
+    pub unsafe fn from_ptr<'a>(ptr: *mut ffi::DH) -> &'a DhRef {
+        &*(ptr as *mut _)
+    }
+
+    pub fn as_ptr(&self) -> *mut ffi::DH {
+        self as *const _ as *mut _
+    }
+}
 
 pub struct Dh(*mut ffi::DH);
 
@@ -56,16 +70,22 @@ impl Dh {
             cvt_p(ffi::DH_get_2048_256()).map(Dh)
         }
     }
-
-    pub fn as_ptr(&self) -> *mut ffi::DH {
-        self.0
-    }
 }
 
 impl Drop for Dh {
     fn drop(&mut self) {
         unsafe {
-            ffi::DH_free(self.as_ptr())
+            ffi::DH_free(self.0)
+        }
+    }
+}
+
+impl Deref for Dh {
+    type Target = DhRef;
+
+    fn deref(&self) -> &DhRef {
+        unsafe {
+            DhRef::from_ptr(self.0)
         }
     }
 }

openssl/src/ec_key.rs

@@ -0,0 +1,62 @@
+use ffi;
+use std::ops::Deref;
+
+use cvt_p;
+use error::ErrorStack;
+use nid::Nid;
+use opaque::Opaque;
+
+pub struct EcKeyRef(Opaque);
+
+impl EcKeyRef {
+    pub unsafe fn from_ptr<'a>(ptr: *mut ffi::EC_KEY) -> &'a EcKeyRef {
+        &*(ptr as *mut _)
+    }
+
+    pub fn as_ptr(&self) -> *mut ffi::EC_KEY {
+        self as *const _ as *mut _
+    }
+}
+
+pub struct EcKey(*mut ffi::EC_KEY);
+
+impl Drop for EcKey {
+    fn drop(&mut self) {
+        unsafe {
+            ffi::EC_KEY_free(self.0);
+        }
+    }
+}
+
+impl EcKey {
+    pub fn new_by_curve_name(nid: Nid) -> Result<EcKey, ErrorStack> {
+        unsafe {
+            cvt_p(ffi::EC_KEY_new_by_curve_name(nid.as_raw())).map(EcKey)
+        }
+    }
+
+    pub unsafe fn from_ptr(ptr: *mut ffi::EC_KEY) -> EcKey {
+        EcKey(ptr)
+    }
+}
+
+impl Deref for EcKey {
+    type Target = EcKeyRef;
+
+    fn deref(&self) -> &EcKeyRef {
+        unsafe {
+            EcKeyRef::from_ptr(self.0)
+        }
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use nid;
+    use super::*;
+
+    #[test]
+    fn new_by_curve_name() {
+        EcKey::new_by_curve_name(nid::X9_62_PRIME256V1).unwrap();
+    }
+}

openssl/src/lib.rs

@@ -28,6 +28,7 @@ pub mod bn;
 pub mod crypto;
 pub mod dh;
 pub mod dsa;
+pub mod ec_key;
 pub mod error;
 pub mod hash;
 pub mod memcmp;

openssl/src/ssl/connector.rs

@@ -126,9 +126,11 @@ impl ServerConnectorBuilder {
               I::Item: AsRef<X509Ref>
     {
         let mut ctx = try!(ctx(method));
-        ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE);
+        ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_SINGLE_ECDH_USE |
+            ssl::SSL_OP_CIPHER_SERVER_PREFERENCE);
         let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes()));
         try!(ctx.set_tmp_dh(&dh));
+        try!(setup_curves(&mut ctx));
         try!(ctx.set_cipher_list(
             "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
              ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
@@ -165,6 +167,22 @@ impl ServerConnectorBuilder {
     }
 }
 
+#[cfg(ossl101)]
+fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
+    let curve = try!(::ec_key::EcKey::new_by_curve_name(::nid::X9_62_PRIME256V1));
+    ctx.set_tmp_ecdh(&curve)
+}
+
+#[cfg(ossl102)]
+fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
+    ctx._set_ecdh_auto(true)
+}
+
+#[cfg(ossl110)]
+fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> {
+    Ok(())
+}
+
 /// A type which wraps server-side streams in a TLS session.
 ///
 /// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL

openssl/src/ssl/mod.rs

@@ -89,7 +89,8 @@ use std::marker::PhantomData;
 use ffi;
 
 use {init, cvt, cvt_p};
-use dh::Dh;
+use dh::DhRef;
+use ec_key::EcKeyRef;
 use x509::{X509StoreContextRef, X509FileType, X509, X509Ref, X509VerifyError};
 #[cfg(any(ossl102, ossl110))]
 use verify::X509VerifyParamRef;
@@ -498,12 +499,18 @@ impl SslContextBuilder {
         }
     }
 
-    pub fn set_tmp_dh(&mut self, dh: &Dh) -> Result<(), ErrorStack> {
+    pub fn set_tmp_dh(&mut self, dh: &DhRef) -> Result<(), ErrorStack> {
         unsafe {
             cvt(ffi::SSL_CTX_set_tmp_dh(self.as_ptr(), dh.as_ptr()) as c_int).map(|_| ())
         }
     }
 
+    pub fn set_tmp_ecdh(&mut self, key: &EcKeyRef) -> Result<(), ErrorStack> {
+        unsafe {
+            cvt(ffi::SSL_CTX_set_tmp_ecdh(self.as_ptr(), key.as_ptr()) as c_int).map(|_| ())
+        }
+    }
+
     /// Use the default locations of trusted certificates for verification.
     ///
     /// These locations are read from the `SSL_CERT_FILE` and `SSL_CERT_DIR`
@@ -623,6 +630,11 @@ impl SslContextBuilder {
     /// Requires the `v102` feature and OpenSSL 1.0.2.
     #[cfg(all(feature = "v102", ossl102))]
     pub fn set_ecdh_auto(&mut self, onoff: bool) -> Result<(), ErrorStack> {
+        self._set_ecdh_auto(onoff)
+    }
+
+    #[cfg(ossl102)]
+    fn _set_ecdh_auto(&mut self, onoff: bool) -> Result<(), ErrorStack> {
         unsafe {
             cvt(ffi::SSL_CTX_set_ecdh_auto(self.as_ptr(), onoff as c_int)).map(|_| ())
         }