min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Expose SSL_MODEs

This commit is contained in:
Steven Fackler 2016-10-30 22:02:26 -07:00
parent e0211dac30
commit 558124b755
6 changed files with 72 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
openssl-sys/src/lib.rs
View File

@ -1051,8 +1051,14 @@ pub const SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: c_int = 53;
pub const SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: c_int = 54; pub const SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: c_int = 54;
pub const SSL_CTRL_SET_TLSEXT_HOSTNAME: c_int = 55; pub const SSL_CTRL_SET_TLSEXT_HOSTNAME: c_int = 55;
pub const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER: c_long = 2; pub const SSL_MODE_ENABLE_PARTIAL_WRITE: c_long = 0x1;
pub const SSL_MODE_AUTO_RETRY: c_long = 4; pub const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER: c_long = 0x2;
pub const SSL_MODE_AUTO_RETRY: c_long = 0x4;
pub const SSL_MODE_NO_AUTO_CHAIN: c_long = 0x8;
pub const SSL_MODE_RELEASE_BUFFERS: c_long = 0x10;
pub const SSL_MODE_SEND_CLIENTHELLO_TIME: c_long = 0x20;
pub const SSL_MODE_SEND_SERVERHELLO_TIME: c_long = 0x40;
pub const SSL_MODE_SEND_FALLBACK_SCSV: c_long = 0x80;
pub const SSL_ERROR_NONE: c_int = 0; pub const SSL_ERROR_NONE: c_int = 0;
pub const SSL_ERROR_SSL: c_int = 1; pub const SSL_ERROR_SSL: c_int = 1;

5
openssl/src/dh.rs
View File

@ -27,10 +27,7 @@ impl Dh {
pub fn from_params(p: BigNum, g: BigNum, q: BigNum) -> Result<Dh, ErrorStack> { pub fn from_params(p: BigNum, g: BigNum, q: BigNum) -> Result<Dh, ErrorStack> {
unsafe { unsafe {
let dh = Dh(try!(cvt_p(ffi::DH_new()))); let dh = Dh(try!(cvt_p(ffi::DH_new())));
try!(cvt(compat::DH_set0_pqg(dh.0, try!(cvt(compat::DH_set0_pqg(dh.0, p.as_ptr(), q.as_ptr(), g.as_ptr())));
p.as_ptr(),
q.as_ptr(),
g.as_ptr())));
mem::forget((p, g, q)); mem::forget((p, g, q));
Ok(dh) Ok(dh)
} }

4
openssl/src/hash.rs
View File

@ -135,9 +135,7 @@ impl Hasher {
try!(self.init()); try!(self.init());
} }
unsafe { unsafe {
try!(cvt(ffi::EVP_DigestUpdate(self.ctx, try!(cvt(ffi::EVP_DigestUpdate(self.ctx, data.as_ptr() as *mut _, data.len())));
data.as_ptr() as *mut _,
data.len())));
} }
self.state = Updated; self.state = Updated;
Ok(()) Ok(())

46
openssl/src/ssl/connector.rs
View File

@ -39,6 +39,10 @@ fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
opts |= ssl::SSL_OP_CIPHER_SERVER_PREFERENCE; opts |= ssl::SSL_OP_CIPHER_SERVER_PREFERENCE;
ctx.set_options(opts); ctx.set_options(opts);
let mode = ssl::SSL_MODE_AUTO_RETRY | ssl::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
ssl::SSL_MODE_ENABLE_PARTIAL_WRITE;
ctx.set_mode(mode);
Ok(ctx) Ok(ctx)
} }
@ -53,9 +57,9 @@ impl SslConnectorBuilder {
let mut ctx = try!(ctx(method)); let mut ctx = try!(ctx(method));
try!(ctx.set_default_verify_paths()); try!(ctx.set_default_verify_paths());
// From https://github.com/python/cpython/blob/c30098c8c6014f3340a369a31df9c74bdbacc269/Lib/ssl.py#L191 // From https://github.com/python/cpython/blob/c30098c8c6014f3340a369a31df9c74bdbacc269/Lib/ssl.py#L191
try!(ctx.set_cipher_list( try!(ctx.set_cipher_list("ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:\
"ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:\ DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:\
DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES")); RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES"));
Ok(SslConnectorBuilder(ctx)) Ok(SslConnectorBuilder(ctx))
} }
@ -123,17 +127,20 @@ impl SslAcceptorBuilder {
let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes())); let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes()));
try!(ctx.set_tmp_dh(&dh)); try!(ctx.set_tmp_dh(&dh));
try!(setup_curves(&mut ctx)); try!(setup_curves(&mut ctx));
try!(ctx.set_cipher_list( try!(ctx.set_cipher_list("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\ DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:\
DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:\ ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:\
ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\ ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\
ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:\ ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:\
ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:\ ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:\
DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\ DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:\
EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:\ DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:\
AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS")); ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\
EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:\
AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:\
DES-CBC3-SHA:!DSS"));
SslAcceptorBuilder::finish_setup(ctx, private_key, certificate, chain) SslAcceptorBuilder::finish_setup(ctx, private_key, certificate, chain)
} }
@ -153,12 +160,11 @@ impl SslAcceptorBuilder {
{ {
let mut ctx = try!(ctx(method)); let mut ctx = try!(ctx(method));
try!(setup_curves(&mut ctx)); try!(setup_curves(&mut ctx));
try!(ctx.set_cipher_list( try!(ctx.set_cipher_list("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\ ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:\
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:\ ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"));
ECDHE-RSA-AES128-SHA256"));
SslAcceptorBuilder::finish_setup(ctx, private_key, certificate, chain) SslAcceptorBuilder::finish_setup(ctx, private_key, certificate, chain)
} }

49
openssl/src/ssl/mod.rs
View File

@ -108,12 +108,11 @@ mod tests;
use self::bio::BioMethod; use self::bio::BioMethod;
pub use ssl::connector::{SslConnectorBuilder, SslConnector, SslAcceptorBuilder, pub use ssl::connector::{SslConnectorBuilder, SslConnector, SslAcceptorBuilder, SslAcceptor};
SslAcceptor};
pub use ssl::error::{Error, HandshakeError}; pub use ssl::error::{Error, HandshakeError};
bitflags! { bitflags! {
pub flags SslOptions: c_ulong { pub flags SslOption: c_ulong {
const SSL_OP_MICROSOFT_SESS_ID_BUG = ffi::SSL_OP_MICROSOFT_SESS_ID_BUG, const SSL_OP_MICROSOFT_SESS_ID_BUG = ffi::SSL_OP_MICROSOFT_SESS_ID_BUG,
const SSL_OP_NETSCAPE_CHALLENGE_BUG = ffi::SSL_OP_NETSCAPE_CHALLENGE_BUG, const SSL_OP_NETSCAPE_CHALLENGE_BUG = ffi::SSL_OP_NETSCAPE_CHALLENGE_BUG,
const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG =
@ -154,6 +153,19 @@ bitflags! {
} }
} }
bitflags! {
pub flags SslMode: c_long {
const SSL_MODE_ENABLE_PARTIAL_WRITE = ffi::SSL_MODE_ENABLE_PARTIAL_WRITE,
const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER = ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER,
const SSL_MODE_AUTO_RETRY = ffi::SSL_MODE_AUTO_RETRY,
const SSL_MODE_NO_AUTO_CHAIN = ffi::SSL_MODE_NO_AUTO_CHAIN,
const SSL_MODE_RELEASE_BUFFERS = ffi::SSL_MODE_RELEASE_BUFFERS,
const SSL_MODE_SEND_CLIENTHELLO_TIME = ffi::SSL_MODE_SEND_CLIENTHELLO_TIME,
const SSL_MODE_SEND_SERVERHELLO_TIME = ffi::SSL_MODE_SEND_SERVERHELLO_TIME,
const SSL_MODE_SEND_FALLBACK_SCSV = ffi::SSL_MODE_SEND_FALLBACK_SCSV,
}
}
#[derive(Copy, Clone)] #[derive(Copy, Clone)]
pub struct SslMethod(*const ffi::SSL_METHOD); pub struct SslMethod(*const ffi::SSL_METHOD);
@ -426,16 +438,12 @@ impl Drop for SslContextBuilder {
impl SslContextBuilder { impl SslContextBuilder {
pub fn new(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> { pub fn new(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
init(); unsafe {
init();
let mut ctx = unsafe {
let ctx = try!(cvt_p(ffi::SSL_CTX_new(method.as_ptr()))); let ctx = try!(cvt_p(ffi::SSL_CTX_new(method.as_ptr())));
SslContextBuilder::from_ptr(ctx)
};
try!(ctx.set_mode(ffi::SSL_MODE_AUTO_RETRY | ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)); Ok(SslContextBuilder::from_ptr(ctx))
}
Ok(ctx)
} }
pub unsafe fn from_ptr(ctx: *mut ffi::SSL_CTX) -> SslContextBuilder { pub unsafe fn from_ptr(ctx: *mut ffi::SSL_CTX) -> SslContextBuilder {
@ -498,8 +506,11 @@ impl SslContextBuilder {
} }
} }
fn set_mode(&mut self, mode: c_long) -> Result<(), ErrorStack> { pub fn set_mode(&mut self, mode: SslMode) -> SslMode {
unsafe { cvt(ffi::SSL_CTX_set_mode(self.as_ptr(), mode) as c_int).map(|_| ()) } unsafe {
let mode = ffi::SSL_CTX_set_mode(self.as_ptr(), mode.bits());
SslMode::from_bits(mode).unwrap()
}
} }
pub fn set_tmp_dh(&mut self, dh: &DhRef) -> Result<(), ErrorStack> { pub fn set_tmp_dh(&mut self, dh: &DhRef) -> Result<(), ErrorStack> {
@ -630,19 +641,19 @@ impl SslContextBuilder {
unsafe { cvt(ffi::SSL_CTX_set_ecdh_auto(self.as_ptr(), onoff as c_int)).map(|_| ()) } unsafe { cvt(ffi::SSL_CTX_set_ecdh_auto(self.as_ptr(), onoff as c_int)).map(|_| ()) }
} }
pub fn set_options(&mut self, option: SslOptions) -> SslOptions { pub fn set_options(&mut self, option: SslOption) -> SslOption {
let ret = unsafe { compat::SSL_CTX_set_options(self.as_ptr(), option.bits()) }; let ret = unsafe { compat::SSL_CTX_set_options(self.as_ptr(), option.bits()) };
SslOptions::from_bits(ret).unwrap() SslOption::from_bits(ret).unwrap()
} }
pub fn options(&self) -> SslOptions { pub fn options(&self) -> SslOption {
let ret = unsafe { compat::SSL_CTX_get_options(self.as_ptr()) }; let ret = unsafe { compat::SSL_CTX_get_options(self.as_ptr()) };
SslOptions::from_bits(ret).unwrap() SslOption::from_bits(ret).unwrap()
} }
pub fn clear_options(&mut self, option: SslOptions) -> SslOptions { pub fn clear_options(&mut self, option: SslOption) -> SslOption {
let ret = unsafe { compat::SSL_CTX_clear_options(self.as_ptr(), option.bits()) }; let ret = unsafe { compat::SSL_CTX_clear_options(self.as_ptr(), option.bits()) };
SslOptions::from_bits(ret).unwrap() SslOption::from_bits(ret).unwrap()
} }
/// Set the protocols to be used during Next Protocol Negotiation (the protocols /// Set the protocols to be used during Next Protocol Negotiation (the protocols

14
openssl/src/ssl/tests/mod.rs
View File

@ -18,8 +18,8 @@ use hash::MessageDigest;
use ssl; use ssl;
use ssl::SSL_VERIFY_PEER; use ssl::SSL_VERIFY_PEER;
use ssl::{SslMethod, HandshakeError}; use ssl::{SslMethod, HandshakeError};
use ssl::{SslContext, SslStream, Ssl, ShutdownResult, SslConnectorBuilder, use ssl::{SslContext, SslStream, Ssl, ShutdownResult, SslConnectorBuilder, SslAcceptorBuilder,
SslAcceptorBuilder, Error}; Error};
use x509::X509StoreContextRef; use x509::X509StoreContextRef;
use x509::X509FileType; use x509::X509FileType;
use x509::X509; use x509::X509;
@ -1115,12 +1115,10 @@ fn connector_client_server_mozilla_intermediate() {
let t = thread::spawn(move || { let t = thread::spawn(move || {
let key = PKey::private_key_from_pem(KEY).unwrap(); let key = PKey::private_key_from_pem(KEY).unwrap();
let cert = X509::from_pem(CERT).unwrap(); let cert = X509::from_pem(CERT).unwrap();
let connector = SslAcceptorBuilder::mozilla_intermediate(SslMethod::tls(), let connector =
&key, SslAcceptorBuilder::mozilla_intermediate(SslMethod::tls(), &key, &cert, None::<X509>)
&cert, .unwrap()
None::<X509>) .build();
.unwrap()
.build();
let stream = listener.accept().unwrap().0; let stream = listener.accept().unwrap().0;
let mut stream = connector.accept(stream).unwrap(); let mut stream = connector.accept(stream).unwrap();