min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Expose SSL_MODEs

This commit is contained in:
Steven Fackler 2016-10-30 22:02:26 -07:00
parent e0211dac30
commit 558124b755
6 changed files with 72 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
openssl-sys/src/lib.rs
View File

@ -1051,8 +1051,14 @@ pub const SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: c_int = 53;
pub const SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: c_int = 54;
pub const SSL_CTRL_SET_TLSEXT_HOSTNAME: c_int = 55;
pub const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER: c_long = 2;
pub const SSL_MODE_AUTO_RETRY: c_long = 4;
pub const SSL_MODE_ENABLE_PARTIAL_WRITE: c_long = 0x1;
pub const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER: c_long = 0x2;
pub const SSL_MODE_AUTO_RETRY: c_long = 0x4;
pub const SSL_MODE_NO_AUTO_CHAIN: c_long = 0x8;
pub const SSL_MODE_RELEASE_BUFFERS: c_long = 0x10;
pub const SSL_MODE_SEND_CLIENTHELLO_TIME: c_long = 0x20;
pub const SSL_MODE_SEND_SERVERHELLO_TIME: c_long = 0x40;
pub const SSL_MODE_SEND_FALLBACK_SCSV: c_long = 0x80;
pub const SSL_ERROR_NONE: c_int = 0;
pub const SSL_ERROR_SSL: c_int = 1;

5
openssl/src/dh.rs
View File

@ -27,10 +27,7 @@ impl Dh {
pub fn from_params(p: BigNum, g: BigNum, q: BigNum) -> Result<Dh, ErrorStack> {
unsafe {
let dh = Dh(try!(cvt_p(ffi::DH_new())));
try!(cvt(compat::DH_set0_pqg(dh.0,
p.as_ptr(),
q.as_ptr(),
g.as_ptr())));
try!(cvt(compat::DH_set0_pqg(dh.0, p.as_ptr(), q.as_ptr(), g.as_ptr())));
mem::forget((p, g, q));
Ok(dh)
}

4
openssl/src/hash.rs
View File

@ -135,9 +135,7 @@ impl Hasher {
try!(self.init());
}
unsafe {
try!(cvt(ffi::EVP_DigestUpdate(self.ctx,
data.as_ptr() as *mut _,
data.len())));
try!(cvt(ffi::EVP_DigestUpdate(self.ctx, data.as_ptr() as *mut _, data.len())));
}
self.state = Updated;
Ok(())

38
openssl/src/ssl/connector.rs
View File

@ -39,6 +39,10 @@ fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
opts |= ssl::SSL_OP_CIPHER_SERVER_PREFERENCE;
ctx.set_options(opts);
let mode = ssl::SSL_MODE_AUTO_RETRY | ssl::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
ssl::SSL_MODE_ENABLE_PARTIAL_WRITE;
ctx.set_mode(mode);
Ok(ctx)
}
@ -53,9 +57,9 @@ impl SslConnectorBuilder {
let mut ctx = try!(ctx(method));
try!(ctx.set_default_verify_paths());
// From https://github.com/python/cpython/blob/c30098c8c6014f3340a369a31df9c74bdbacc269/Lib/ssl.py#L191
try!(ctx.set_cipher_list(
"ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:\
DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES"));
try!(ctx.set_cipher_list("ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:\
DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:\
RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES"));
Ok(SslConnectorBuilder(ctx))
}
@ -123,17 +127,20 @@ impl SslAcceptorBuilder {
let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes()));
try!(ctx.set_tmp_dh(&dh));
try!(setup_curves(&mut ctx));
try!(ctx.set_cipher_list(
"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
try!(ctx.set_cipher_list("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:\
ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\
ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:\
ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:\
DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\
EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:\
AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"));
DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:\
ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\
ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:\
ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:\
DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:\
DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:\
ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\
EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:\
AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:\
DES-CBC3-SHA:!DSS"));
SslAcceptorBuilder::finish_setup(ctx, private_key, certificate, chain)
}
@ -153,12 +160,11 @@ impl SslAcceptorBuilder {
{
let mut ctx = try!(ctx(method));
try!(setup_curves(&mut ctx));
try!(ctx.set_cipher_list(
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
try!(ctx.set_cipher_list("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:\
ECDHE-RSA-AES128-SHA256"));
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:\
ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"));
SslAcceptorBuilder::finish_setup(ctx, private_key, certificate, chain)
}

47
openssl/src/ssl/mod.rs
View File

@ -108,12 +108,11 @@ mod tests;
use self::bio::BioMethod;
pub use ssl::connector::{SslConnectorBuilder, SslConnector, SslAcceptorBuilder,
SslAcceptor};
pub use ssl::connector::{SslConnectorBuilder, SslConnector, SslAcceptorBuilder, SslAcceptor};
pub use ssl::error::{Error, HandshakeError};
bitflags! {
pub flags SslOptions: c_ulong {
pub flags SslOption: c_ulong {
const SSL_OP_MICROSOFT_SESS_ID_BUG = ffi::SSL_OP_MICROSOFT_SESS_ID_BUG,
const SSL_OP_NETSCAPE_CHALLENGE_BUG = ffi::SSL_OP_NETSCAPE_CHALLENGE_BUG,
const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG =
@ -154,6 +153,19 @@ bitflags! {
}
}
bitflags! {
pub flags SslMode: c_long {
const SSL_MODE_ENABLE_PARTIAL_WRITE = ffi::SSL_MODE_ENABLE_PARTIAL_WRITE,
const SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER = ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER,
const SSL_MODE_AUTO_RETRY = ffi::SSL_MODE_AUTO_RETRY,
const SSL_MODE_NO_AUTO_CHAIN = ffi::SSL_MODE_NO_AUTO_CHAIN,
const SSL_MODE_RELEASE_BUFFERS = ffi::SSL_MODE_RELEASE_BUFFERS,
const SSL_MODE_SEND_CLIENTHELLO_TIME = ffi::SSL_MODE_SEND_CLIENTHELLO_TIME,
const SSL_MODE_SEND_SERVERHELLO_TIME = ffi::SSL_MODE_SEND_SERVERHELLO_TIME,
const SSL_MODE_SEND_FALLBACK_SCSV = ffi::SSL_MODE_SEND_FALLBACK_SCSV,
}
}
#[derive(Copy, Clone)]
pub struct SslMethod(*const ffi::SSL_METHOD);
@ -426,16 +438,12 @@ impl Drop for SslContextBuilder {
impl SslContextBuilder {
pub fn new(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
unsafe {
init();
let mut ctx = unsafe {
let ctx = try!(cvt_p(ffi::SSL_CTX_new(method.as_ptr())));
SslContextBuilder::from_ptr(ctx)
};
try!(ctx.set_mode(ffi::SSL_MODE_AUTO_RETRY | ffi::SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER));
Ok(ctx)
Ok(SslContextBuilder::from_ptr(ctx))
}
}
pub unsafe fn from_ptr(ctx: *mut ffi::SSL_CTX) -> SslContextBuilder {
@ -498,8 +506,11 @@ impl SslContextBuilder {
}
}
fn set_mode(&mut self, mode: c_long) -> Result<(), ErrorStack> {
unsafe { cvt(ffi::SSL_CTX_set_mode(self.as_ptr(), mode) as c_int).map(|_| ()) }
pub fn set_mode(&mut self, mode: SslMode) -> SslMode {
unsafe {
let mode = ffi::SSL_CTX_set_mode(self.as_ptr(), mode.bits());
SslMode::from_bits(mode).unwrap()
}
}
pub fn set_tmp_dh(&mut self, dh: &DhRef) -> Result<(), ErrorStack> {
@ -630,19 +641,19 @@ impl SslContextBuilder {
unsafe { cvt(ffi::SSL_CTX_set_ecdh_auto(self.as_ptr(), onoff as c_int)).map(|_| ()) }
}
pub fn set_options(&mut self, option: SslOptions) -> SslOptions {
pub fn set_options(&mut self, option: SslOption) -> SslOption {
let ret = unsafe { compat::SSL_CTX_set_options(self.as_ptr(), option.bits()) };
SslOptions::from_bits(ret).unwrap()
SslOption::from_bits(ret).unwrap()
}
pub fn options(&self) -> SslOptions {
pub fn options(&self) -> SslOption {
let ret = unsafe { compat::SSL_CTX_get_options(self.as_ptr()) };
SslOptions::from_bits(ret).unwrap()
SslOption::from_bits(ret).unwrap()
}
pub fn clear_options(&mut self, option: SslOptions) -> SslOptions {
pub fn clear_options(&mut self, option: SslOption) -> SslOption {
let ret = unsafe { compat::SSL_CTX_clear_options(self.as_ptr(), option.bits()) };
SslOptions::from_bits(ret).unwrap()
SslOption::from_bits(ret).unwrap()
}
/// Set the protocols to be used during Next Protocol Negotiation (the protocols

10
openssl/src/ssl/tests/mod.rs
View File

@ -18,8 +18,8 @@ use hash::MessageDigest;
use ssl;
use ssl::SSL_VERIFY_PEER;
use ssl::{SslMethod, HandshakeError};
use ssl::{SslContext, SslStream, Ssl, ShutdownResult, SslConnectorBuilder,
SslAcceptorBuilder, Error};
use ssl::{SslContext, SslStream, Ssl, ShutdownResult, SslConnectorBuilder, SslAcceptorBuilder,
Error};
use x509::X509StoreContextRef;
use x509::X509FileType;
use x509::X509;
@ -1115,10 +1115,8 @@ fn connector_client_server_mozilla_intermediate() {
let t = thread::spawn(move || {
let key = PKey::private_key_from_pem(KEY).unwrap();
let cert = X509::from_pem(CERT).unwrap();
let connector = SslAcceptorBuilder::mozilla_intermediate(SslMethod::tls(),
&key,
&cert,
None::<X509>)
let connector =
SslAcceptorBuilder::mozilla_intermediate(SslMethod::tls(), &key, &cert, None::<X509>)
.unwrap()
.build();
let stream = listener.accept().unwrap().0;