From 47a68e2929277889c466288333385bd367238a42 Mon Sep 17 00:00:00 2001 From: Benjamin Cheng Date: Wed, 16 May 2018 17:49:36 -0400 Subject: [PATCH 1/7] Add wrapper for SSL_CTX_set_psk_server_callback --- openssl-sys/src/lib.rs | 8 ++++++++ openssl/src/ssl/callbacks.rs | 36 +++++++++++++++++++++++++++++++++++- openssl/src/ssl/mod.rs | 27 +++++++++++++++++++++++++-- 3 files changed, 68 insertions(+), 3 deletions(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 61e087d0..9f970701 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -2576,6 +2576,14 @@ extern "C" { -> c_uint, >, ); + #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] + pub fn SSL_CTX_set_psk_server_callback( + ssl: *mut SSL_CTX, + psk_server_cb: Option< + extern "C" fn(*mut SSL, *const c_char, *mut c_uchar, c_uint) + -> c_uint, + >, + ); pub fn SSL_select_next_proto( out: *mut *mut c_uchar, diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index fd5b7ef5..887d450c 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -48,7 +48,7 @@ where } #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] -pub extern "C" fn raw_psk( +pub extern "C" fn raw_client_psk( ssl: *mut ffi::SSL, hint: *const c_char, identity: *mut c_char, @@ -84,6 +84,40 @@ where } } +#[cfg(not(osslconf = "OPENSSL_NO_PSK"))] +pub extern "C" fn raw_server_psk( + ssl: *mut ffi::SSL, + identity: *const c_char, + psk: *mut c_uchar, + max_psk_len: c_uint, +) -> c_uint +where + F: Fn(&mut SslRef, Option<&[u8]>, &mut [u8]) -> Result + + 'static + + Sync + + Send, +{ + unsafe { + let ssl = SslRef::from_ptr_mut(ssl); + let callback_idx = SslContext::cached_ex_index::(); + + let callback = ssl.ssl_context() + .ex_data(callback_idx) + .expect("BUG: psk callback missing") as *const F; + let identity = if identity != ptr::null() { + Some(CStr::from_ptr(identity).to_bytes()) + } else { + None + }; + // Give the callback mutable slices into which it can write the psk. + let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); + match (*callback)(ssl, identity, psk_sl) { + Ok(psk_len) => psk_len as u32, + _ => 0, + } + } +} + pub extern "C" fn ssl_raw_verify( preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX, diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 8dc605ed..37f5086c 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1226,7 +1226,7 @@ impl SslContextBuilder { /// /// [`SSL_CTX_set_psk_client_callback`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_psk_client_callback.html #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] - pub fn set_psk_callback(&mut self, callback: F) + pub fn set_psk_client_callback(&mut self, callback: F) where F: Fn(&mut SslRef, Option<&[u8]>, &mut [u8], &mut [u8]) -> Result + 'static @@ -1235,7 +1235,30 @@ impl SslContextBuilder { { unsafe { self.set_ex_data(SslContext::cached_ex_index::(), callback); - ffi::SSL_CTX_set_psk_client_callback(self.as_ptr(), Some(raw_psk::)); + ffi::SSL_CTX_set_psk_client_callback(self.as_ptr(), Some(raw_client_psk::)); + } + } + + /// Sets the callback for providing an identity and pre-shared key for a TLS-PSK server. + /// + /// The callback will be called with the SSL context, an identity provided by the client, + /// and, a mutable slice for the pre-shared key bytes. The callback returns the number of + /// bytes in the pre-shared key. + /// + /// This corresponds to [`SSL_CTX_set_psk_server_callback`]. + /// + /// [`SSL_CTX_set_psk_server_callback`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_psk_server_callback.html + #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] + pub fn set_psk_server_callback(&mut self, callback: F) + where + F: Fn(&mut SslRef, Option<&[u8]>, &mut [u8]) -> Result + + 'static + + Sync + + Send, + { + unsafe { + self.set_ex_data(SslContext::cached_ex_index::(), callback); + ffi::SSL_CTX_set_psk_server_callback(self.as_ptr(), Some(raw_server_psk::)); } } From 5d8a44612d8fb0c0f6b4e3046084d6b79a9f2065 Mon Sep 17 00:00:00 2001 From: Benjamin Cheng Date: Sat, 2 Jun 2018 13:47:52 -0400 Subject: [PATCH 2/7] add test for psk; deprecated set_psk_callback --- openssl/src/ssl/mod.rs | 12 ++++++++++++ openssl/src/ssl/test.rs | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index b69247db..dac23114 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1240,6 +1240,18 @@ impl SslContextBuilder { } } + #[deprecated(since = "0.10.10", note = "renamed to `set_psk_client_callback`")] + #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] + pub fn set_psk_callback(&mut self, callback: F) + where + F: Fn(&mut SslRef, Option<&[u8]>, &mut [u8], &mut [u8]) -> Result + + 'static + + Sync + + Send, + { + self.set_psk_client_callback(callback) + } + /// Sets the callback for providing an identity and pre-shared key for a TLS-PSK server. /// /// The callback will be called with the SSL context, an identity provided by the client, diff --git a/openssl/src/ssl/test.rs b/openssl/src/ssl/test.rs index f5ec7b29..e590f1a1 100644 --- a/openssl/src/ssl/test.rs +++ b/openssl/src/ssl/test.rs @@ -1536,3 +1536,38 @@ fn stateless() { send(client_stream.get_mut(), server_stream.get_mut()); hs(server_stream.handshake()).unwrap(); } + +#[cfg(not(osslconf = "OPENSSL_NO_PSK"))] +#[test] +fn psk_ciphers() { + const PSK: &[u8] = b"thisisaverysecurekey"; + const CLIENT_IDENT: &[u8] = b"thisisaclient"; + + let listener = TcpListener::bind("127.0.0.1:0").unwrap(); + let port = listener.local_addr().unwrap().port(); + + thread::spawn(move || { + let stream = listener.accept().unwrap().0; + let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); + ctx.set_cipher_list("ECDHE-PSK-CHACHA20-POLY1305").unwrap(); + ctx.set_psk_server_callback(move |_, identity, psk| { + assert!(identity.unwrap_or(&[]) == CLIENT_IDENT); + psk[..PSK.len()].copy_from_slice(&PSK); + Ok(PSK.len()) + }); + let ssl = Ssl::new(&ctx.build()).unwrap(); + ssl.accept(stream).unwrap(); + }); + + let stream = TcpStream::connect(("127.0.0.1", port)).unwrap(); + let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); + ctx.set_cipher_list("ECDHE-PSK-CHACHA20-POLY1305").unwrap(); + ctx.set_psk_client_callback(move |_, _, identity, psk| { + identity[..CLIENT_IDENT.len()].copy_from_slice(&CLIENT_IDENT); + identity[CLIENT_IDENT.len()] = 0; + psk[..PSK.len()].copy_from_slice(&PSK); + Ok(PSK.len()) + }); + let ssl = Ssl::new(&ctx.build()).unwrap(); + ssl.connect(stream).unwrap(); +} From b1c77a7ea55e1443b4566ddc6079e7312b454e81 Mon Sep 17 00:00:00 2001 From: Benjamin Cheng Date: Sat, 2 Jun 2018 13:49:42 -0400 Subject: [PATCH 3/7] Use is_null() --- openssl/src/ssl/callbacks.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index 883befb8..e34bc745 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -74,7 +74,7 @@ where .ssl_context() .ex_data(callback_idx) .expect("BUG: psk callback missing") as *const F; - let hint = if hint != ptr::null() { + let hint = if !hint.is_null() { Some(CStr::from_ptr(hint).to_bytes()) } else { None From bcc4ca02850dbd1708fd7d40ec5fb980a859142a Mon Sep 17 00:00:00 2001 From: Benjamin Cheng Date: Sat, 2 Jun 2018 13:54:33 -0400 Subject: [PATCH 4/7] Change psk test cipher to PSK-AES128-CBC-SHA Hopefully it works on CI servers now --- openssl/src/ssl/test.rs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/openssl/src/ssl/test.rs b/openssl/src/ssl/test.rs index e590f1a1..6b539589 100644 --- a/openssl/src/ssl/test.rs +++ b/openssl/src/ssl/test.rs @@ -1540,6 +1540,7 @@ fn stateless() { #[cfg(not(osslconf = "OPENSSL_NO_PSK"))] #[test] fn psk_ciphers() { + const CIPHER: &'static str = "PSK-AES128-CBC-SHA"; const PSK: &[u8] = b"thisisaverysecurekey"; const CLIENT_IDENT: &[u8] = b"thisisaclient"; @@ -1549,7 +1550,7 @@ fn psk_ciphers() { thread::spawn(move || { let stream = listener.accept().unwrap().0; let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_cipher_list("ECDHE-PSK-CHACHA20-POLY1305").unwrap(); + ctx.set_cipher_list(CIPHER).unwrap(); ctx.set_psk_server_callback(move |_, identity, psk| { assert!(identity.unwrap_or(&[]) == CLIENT_IDENT); psk[..PSK.len()].copy_from_slice(&PSK); @@ -1561,7 +1562,7 @@ fn psk_ciphers() { let stream = TcpStream::connect(("127.0.0.1", port)).unwrap(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); - ctx.set_cipher_list("ECDHE-PSK-CHACHA20-POLY1305").unwrap(); + ctx.set_cipher_list(CIPHER).unwrap(); ctx.set_psk_client_callback(move |_, _, identity, psk| { identity[..CLIENT_IDENT.len()].copy_from_slice(&CLIENT_IDENT); identity[CLIENT_IDENT.len()] = 0; From 285884c9254e2cdf0cc03b17600c5ebb92a39287 Mon Sep 17 00:00:00 2001 From: Benjamin Cheng Date: Sat, 2 Jun 2018 15:49:59 -0400 Subject: [PATCH 5/7] push PSK callback errors onto ErrorStack --- openssl/src/ssl/callbacks.rs | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index e34bc745..f45146c6 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -84,7 +84,10 @@ where let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); match (*callback)(ssl, hint, identity_sl, psk_sl) { Ok(psk_len) => psk_len as u32, - _ => 0, + Err(e) => { + e.put(); + 0 + } } } } @@ -118,7 +121,10 @@ where let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); match (*callback)(ssl, identity, psk_sl) { Ok(psk_len) => psk_len as u32, - _ => 0, + Err(e) => { + e.put(); + 0 + } } } } From 88c61d252f904f6297697a36132a2ae46d43ed03 Mon Sep 17 00:00:00 2001 From: Benjamin Cheng Date: Sat, 2 Jun 2018 15:50:24 -0400 Subject: [PATCH 6/7] Ensure psk test callbacks are called --- openssl/src/ssl/test.rs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/openssl/src/ssl/test.rs b/openssl/src/ssl/test.rs index 6b539589..a8a797a2 100644 --- a/openssl/src/ssl/test.rs +++ b/openssl/src/ssl/test.rs @@ -1543,6 +1543,8 @@ fn psk_ciphers() { const CIPHER: &'static str = "PSK-AES128-CBC-SHA"; const PSK: &[u8] = b"thisisaverysecurekey"; const CLIENT_IDENT: &[u8] = b"thisisaclient"; + static CLIENT_CALLED: AtomicBool = ATOMIC_BOOL_INIT; + static SERVER_CALLED: AtomicBool = ATOMIC_BOOL_INIT; let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let port = listener.local_addr().unwrap().port(); @@ -1554,6 +1556,7 @@ fn psk_ciphers() { ctx.set_psk_server_callback(move |_, identity, psk| { assert!(identity.unwrap_or(&[]) == CLIENT_IDENT); psk[..PSK.len()].copy_from_slice(&PSK); + SERVER_CALLED.store(true, Ordering::SeqCst); Ok(PSK.len()) }); let ssl = Ssl::new(&ctx.build()).unwrap(); @@ -1567,8 +1570,11 @@ fn psk_ciphers() { identity[..CLIENT_IDENT.len()].copy_from_slice(&CLIENT_IDENT); identity[CLIENT_IDENT.len()] = 0; psk[..PSK.len()].copy_from_slice(&PSK); + CLIENT_CALLED.store(true, Ordering::SeqCst); Ok(PSK.len()) }); let ssl = Ssl::new(&ctx.build()).unwrap(); ssl.connect(stream).unwrap(); + + assert!(CLIENT_CALLED.load(Ordering::SeqCst) && SERVER_CALLED.load(Ordering::SeqCst)); } From bf86580beca3034714d822c03a9b2441c29112a3 Mon Sep 17 00:00:00 2001 From: Benjamin Cheng Date: Sun, 17 Jun 2018 17:00:22 -0400 Subject: [PATCH 7/7] Disable TLSv1.3 for psk_ciphers test --- openssl/src/ssl/test.rs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/openssl/src/ssl/test.rs b/openssl/src/ssl/test.rs index a8a797a2..af51be0c 100644 --- a/openssl/src/ssl/test.rs +++ b/openssl/src/ssl/test.rs @@ -1565,6 +1565,13 @@ fn psk_ciphers() { let stream = TcpStream::connect(("127.0.0.1", port)).unwrap(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); + // TLS 1.3 has no DH suites, and openssl isn't happy if the max version has no suites :( + #[cfg(ossl111)] + { + ctx.set_options(super::SslOptions { + bits: ::ffi::SSL_OP_NO_TLSv1_3, + }); + } ctx.set_cipher_list(CIPHER).unwrap(); ctx.set_psk_client_callback(move |_, _, identity, psk| { identity[..CLIENT_IDENT.len()].copy_from_slice(&CLIENT_IDENT);