Merge pull request #503 from sfackler/ecdhe

ECDHE support
2016-10-30 14:16:17 -07:00 · 2016-10-30 14:16:17 -07:00 · 33cce627da
parent eb735f519a ee79db61c2
commit 33cce627da
6 changed files with 131 additions and 10 deletions
--- a/openssl-sys/src/lib.rs
+++ b/openssl-sys/src/lib.rs
@ -24,6 +24,7 @@ pub enum ASN1_TYPE {}
 pub enum BN_CTX {}
 pub enum BN_GENCB {}
 pub enum COMP_METHOD {}
+pub enum EC_KEY {}
 pub enum ENGINE {}
 pub enum EVP_CIPHER_CTX {}
 pub enum EVP_MD {}
@ -1042,6 +1043,7 @@ pub const RSA_PKCS1_OAEP_PADDING: c_int = 4;
 pub const RSA_X931_PADDING: c_int = 5;

 pub const SSL_CTRL_SET_TMP_DH: c_int = 3;
+pub const SSL_CTRL_SET_TMP_ECDH: c_int = 4;
 pub const SSL_CTRL_EXTRA_CHAIN_CERT: c_int = 14;
 pub const SSL_CTRL_MODE: c_int = 33;
 pub const SSL_CTRL_SET_READ_AHEAD: c_int = 41;
@ -1213,6 +1215,10 @@ pub unsafe fn SSL_CTX_set_tmp_dh(ctx: *mut SSL_CTX, dh: *mut DH) -> c_long {
    SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, dh as *mut c_void)
 }

+pub unsafe fn SSL_CTX_set_tmp_ecdh(ctx: *mut SSL_CTX, key: *mut EC_KEY) -> c_long {
+    SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, key as *mut c_void)
+}
+
 pub unsafe fn SSL_CTX_add_extra_chain_cert(ctx: *mut SSL_CTX, x509: *mut X509) -> c_long {
    SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, x509 as *mut c_void)
 }
@ -1341,8 +1347,10 @@ extern {
    #[cfg(not(ossl101))]
    pub fn DH_get_2048_256() -> *mut DH;

-    pub fn ERR_get_error() -> c_ulong;
+    pub fn EC_KEY_new_by_curve_name(nid: c_int) -> *mut EC_KEY;
+    pub fn EC_KEY_free(key: *mut EC_KEY);

+    pub fn ERR_get_error() -> c_ulong;
    pub fn ERR_lib_error_string(err: c_ulong) -> *const c_char;
    pub fn ERR_func_error_string(err: c_ulong) -> *const c_char;
    pub fn ERR_reason_error_string(err: c_ulong) -> *const c_char;
--- a/openssl/src/dh.rs
+++ b/openssl/src/dh.rs
@ -2,10 +2,24 @@ use ffi;
 use error::ErrorStack;
 use bio::MemBioSlice;
 use std::ptr;
+use std::mem;
+use std::ops::Deref;

 use {cvt, cvt_p};
 use bn::BigNum;
-use std::mem;
+use opaque::Opaque;
+
+pub struct DhRef(Opaque);
+
+impl DhRef {
+    pub unsafe fn from_ptr<'a>(ptr: *mut ffi::DH) -> &'a DhRef {
+        &*(ptr as *mut _)
+    }
+
+    pub fn as_ptr(&self) -> *mut ffi::DH {
+        self as *const _ as *mut _
+    }
+}

 pub struct Dh(*mut ffi::DH);

@ -56,16 +70,22 @@ impl Dh {
            cvt_p(ffi::DH_get_2048_256()).map(Dh)
        }
    }
-
-    pub fn as_ptr(&self) -> *mut ffi::DH {
-        self.0
-    }
 }

 impl Drop for Dh {
    fn drop(&mut self) {
        unsafe {
-            ffi::DH_free(self.as_ptr())
+            ffi::DH_free(self.0)
+        }
+    }
+}
+
+impl Deref for Dh {
+    type Target = DhRef;
+
+    fn deref(&self) -> &DhRef {
+        unsafe {
+            DhRef::from_ptr(self.0)
        }
    }
 }
--- a/openssl/src/ec_key.rs
+++ b/openssl/src/ec_key.rs
@ -0,0 +1,62 @@
+use ffi;
+use std::ops::Deref;
+
+use cvt_p;
+use error::ErrorStack;
+use nid::Nid;
+use opaque::Opaque;
+
+pub struct EcKeyRef(Opaque);
+
+impl EcKeyRef {
+    pub unsafe fn from_ptr<'a>(ptr: *mut ffi::EC_KEY) -> &'a EcKeyRef {
+        &*(ptr as *mut _)
+    }
+
+    pub fn as_ptr(&self) -> *mut ffi::EC_KEY {
+        self as *const _ as *mut _
+    }
+}
+
+pub struct EcKey(*mut ffi::EC_KEY);
+
+impl Drop for EcKey {
+    fn drop(&mut self) {
+        unsafe {
+            ffi::EC_KEY_free(self.0);
+        }
+    }
+}
+
+impl EcKey {
+    pub fn new_by_curve_name(nid: Nid) -> Result<EcKey, ErrorStack> {
+        unsafe {
+            cvt_p(ffi::EC_KEY_new_by_curve_name(nid.as_raw())).map(EcKey)
+        }
+    }
+
+    pub unsafe fn from_ptr(ptr: *mut ffi::EC_KEY) -> EcKey {
+        EcKey(ptr)
+    }
+}
+
+impl Deref for EcKey {
+    type Target = EcKeyRef;
+
+    fn deref(&self) -> &EcKeyRef {
+        unsafe {
+            EcKeyRef::from_ptr(self.0)
+        }
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use nid;
+    use super::*;
+
+    #[test]
+    fn new_by_curve_name() {
+        EcKey::new_by_curve_name(nid::X9_62_PRIME256V1).unwrap();
+    }
+}
--- a/openssl/src/lib.rs
+++ b/openssl/src/lib.rs
@ -28,6 +28,7 @@ pub mod bn;
 pub mod crypto;
 pub mod dh;
 pub mod dsa;
+pub mod ec_key;
 pub mod error;
 pub mod hash;
 pub mod memcmp;
--- a/openssl/src/ssl/connector.rs
+++ b/openssl/src/ssl/connector.rs
@ -126,9 +126,11 @@ impl ServerConnectorBuilder {
              I::Item: AsRef<X509Ref>
    {
        let mut ctx = try!(ctx(method));
-        ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE);
+        ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_SINGLE_ECDH_USE |
+            ssl::SSL_OP_CIPHER_SERVER_PREFERENCE);
        let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes()));
        try!(ctx.set_tmp_dh(&dh));
+        try!(setup_curves(&mut ctx));
        try!(ctx.set_cipher_list(
            "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
             ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
@ -165,6 +167,22 @@ impl ServerConnectorBuilder {
    }
 }

+#[cfg(ossl101)]
+fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
+    let curve = try!(::ec_key::EcKey::new_by_curve_name(::nid::X9_62_PRIME256V1));
+    ctx.set_tmp_ecdh(&curve)
+}
+
+#[cfg(ossl102)]
+fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
+    ctx._set_ecdh_auto(true)
+}
+
+#[cfg(ossl110)]
+fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> {
+    Ok(())
+}
+
 /// A type which wraps server-side streams in a TLS session.
 ///
 /// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@ -89,7 +89,8 @@ use std::marker::PhantomData;
 use ffi;

 use {init, cvt, cvt_p};
-use dh::Dh;
+use dh::DhRef;
+use ec_key::EcKeyRef;
 use x509::{X509StoreContextRef, X509FileType, X509, X509Ref, X509VerifyError};
 #[cfg(any(ossl102, ossl110))]
 use verify::X509VerifyParamRef;
@ -498,12 +499,18 @@ impl SslContextBuilder {
        }
    }

-    pub fn set_tmp_dh(&mut self, dh: &Dh) -> Result<(), ErrorStack> {
+    pub fn set_tmp_dh(&mut self, dh: &DhRef) -> Result<(), ErrorStack> {
        unsafe {
            cvt(ffi::SSL_CTX_set_tmp_dh(self.as_ptr(), dh.as_ptr()) as c_int).map(|_| ())
        }
    }

+    pub fn set_tmp_ecdh(&mut self, key: &EcKeyRef) -> Result<(), ErrorStack> {
+        unsafe {
+            cvt(ffi::SSL_CTX_set_tmp_ecdh(self.as_ptr(), key.as_ptr()) as c_int).map(|_| ())
+        }
+    }
+
    /// Use the default locations of trusted certificates for verification.
    ///
    /// These locations are read from the `SSL_CERT_FILE` and `SSL_CERT_DIR`
@ -623,6 +630,11 @@ impl SslContextBuilder {
    /// Requires the `v102` feature and OpenSSL 1.0.2.
    #[cfg(all(feature = "v102", ossl102))]
    pub fn set_ecdh_auto(&mut self, onoff: bool) -> Result<(), ErrorStack> {
+        self._set_ecdh_auto(onoff)
+    }
+
+    #[cfg(ossl102)]
+    fn _set_ecdh_auto(&mut self, onoff: bool) -> Result<(), ErrorStack> {
        unsafe {
            cvt(ffi::SSL_CTX_set_ecdh_auto(self.as_ptr(), onoff as c_int)).map(|_| ())
        }